Windows XP SP2 Has a Dangerous Hole


Khun_Kong

From this article and this article in PC Magazine, there's new trouble afoot already, especially for the Automatic Windows Update feature users.

************************************************

"Read the full article for more details about how this hole may enable hackers to steal data, infect computers and turn them into zombies."

*************************************************

Security Watch Special: Windows XP SP2 Security Center Spoofing Threat

Top Threat: Windows Security Center Spoof

Windows XP Service Pack 2 promises to raise the security bar for the sometimes beleaguered operating system. Unfortunately, one of the new features could be spoofed so that it reports misleading information about system security, or worse, lets a malicious program watch for an opportunity to do damage without being detected. The feature is the Windows Security Center (WSC), which displays the status (Figure 1) of the key elements of your defenses: Firewall, Updates, and Antivirus. If your firewall has been disabled, or your antivirus is out of date, that news will display here. The information is stored in an internal database managed by the Windows Management Instrumentation (WMI) subsystem built into Windows.

Figure 1. SP2 Security Center

Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.

According to Microsoft, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry standard for accessing management information on a system. For Windows XP Service Pack 2, Microsoft added new fields or records to keep track of the Firewall and Antivirus information in the WMI database. Unfortunately, the WMI database is designed to be accessible via the WBEM API (application program interface) and is available to any program that wants to access the WMI. These programs can be desktop applications written in desktop- or web-based scripting or ActiveX modules.

This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.

Some existing malicious programs attack the antivirus or firewall directly, using techniques specific to the security product. These attacks are almost invariably blocked when security is turned on. The malicious program could wait until the security products are temporarily disabled before acting. However, to do that currently, they would have to monitor the products directly, which again would trigger alarms. But, a program just casually checking WMI may be ignored by security programs. When WMI reports that protection is off, the malicious program could permanently disable the security protection and remain undetected. Because the WMI database is not set to be a read-only file, the attacking program could simply change the disabled product's status to "up-to-date" and "enabled" to avoid suspicion. The WMI database and subsystem cares less what the actual state of the product is, only that it was told things are okay.

Beyond that, it is also possible to use WBEM API functions to add a firewall or antivirus listing that didn't previously exist. In our example, we used a reasonably simple script to add in fake antivirus and firewall product listings in the Windows Security Center. In both cases, we told WMI that they were up to date and enabled (Figure 2).

Figure 2. Faked Security Center entries

The WMI and WBEM interface has been well documented both on the Microsoft Developer's Network, and other places on the web. We were able to find some references to the namespace and objects that the Windows Security Center uses on the web, though no references to it being exploited, yet.

However, it's almost like Microsoft has given attackers the path, door and keys: Windows itself contains a test utility, WBEMTEST.EXE, that allows you to view, add and edit the values in the WMI. In addition, files associated with the utility provide the namespace, classes, and data types associated with the Windows Security Center, all in plain text. The danger in this utility is not that it can edit the WMI, but that it lets a malicious developer learn the data and fields needed to do the spoof.

While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk, run in the default administrator mode.

When we contacted Microsoft for comment, a spokesperson said that the company was not aware of this issue, but would investigate.

Microsoft Responds

We spoke with representatives from Microsoft about the Windows Security Center, and the ease with which it can be read or spoofed. They disagreed that the ability to change what the user sees in the Windows Security Center (WSC) is a hole, or a crater. Here's what they said.

"In SP2, we added functionality to reduce the likelihood of unknown/devious applications running on a user's system, including turning Windows Firewall on by default, data execution prevention, attachment execution services to name a few. To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack; no WSC is necessary."

"Windows Security Center, found in the Windows XP Control panel, provides customers the ability and makes it easier to check the status of these essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure."

Microsoft also pointed out that most malicious attackers would go for the most direct route, such as directly shutting down the firewall or antivirus, rather than lying in wait, watching for the user to do it. We agree that most attackers might use the most direct method, but it would depend on the attacker's motive. The hacker may want to be more subtle, getting in under the defenses, undetected until the right time to attack. WMI gives them all the information they need.

Microsoft brings up the point that the user must be in Administrator mode, and the program running on the local machine to get to the WMI. For the enterprise, users may run at more protected levels. But Windows XP home edition installs in Administrator mode, and most end users never change it. So, having administrator mode as the default is a security risk.

For running locally, that's not too difficult. As much as we tell end users not to execute unfamiliar e-mail attachments, they still do. Then there are the attacks using exploits to download code, though many are patched or detected in SP2. And of course there's the time-tested way: downloading a game demo or utility.

We suggested to Microsoft that it would be more secure if the WMI only allowed interaction with pre-approved applications. Using some of the built-in mechanisms such as object signing would keep the rogue programs from accessing potentially usable security data. Microsoft replied that the design decision was made to make it as open as possible for any antivirus or firewall vendor to access.

We see the WMI and WSC as an indirect security risk, or hole, or whatever you want to call it. Maybe we're giving hackers and malware writers too much credit. WMI allows a program to get the security status of a user's system, as well as spoof it to give the user a false sense of security. Maybe it is too subtle. However, it is another tool in the hacker's toolbox. To have easy public access to the security status of a user's machine is like sending a password in plain text to a web site. It may not be used, but then again it might.

The Bottom Line:

Do we think that end users should upgrade? Yes, Windows XP Service Pack 2 is a must do, especially for end users. However, we would recommend users not take the WSC as gospel. If you use an antivirus or third-party firewall, look at their status panels as a sanity check. Keep your antivirus, Windows, and firewall updates current, and most of all, be very careful of what you run on your system.

************************************************

Micro$oft: the fun never ends!
