2 Flaws in XP SP2 security measures

n0cmonkey

Elite Member
Jun 10, 2001
http://www.heise.de/security/artikel/50051

Microsoft's response:
"We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."

EDIT: Screwed up the link damnit. :|
 

drag

Elite Member
Jul 4, 2002
Not surprising. Although they really are serious about security and all that, you know, "Trusted computing".

But in all honesty they are not really very serious bugs.
 

n0cmonkey

Elite Member
Jun 10, 2001
I think they're kind of serious. This whole "zone" thing is something Microsoft is taking seriously, and how are we supposed to tell what's potentially dangerous if one of the basic parts of Microsoft's OS (the file extension) is lying to us?

Oh well, idiots will fall for it. Maybe they deserve it.
 

Psych

Senior member
Feb 3, 2004
Many of the security features that Microsoft has are implemented through the GUI. For some reason, they don't place them at a low, authoritative level. The command line always seems to be able to circumvent these things.

As for the Windows Explorer caching issue, I can't believe they did that. They should fix that problem, otherwise the whole concept of good zone security will fall apart.

I bet that the next big virus will exploit these issues just to give MS a message.
 

spyordie007

Diamond Member
May 28, 2001
*yawn*

The zoneid is really just there as an extra means to "save people from themselves"; in reality the only real way to protect the machine from code a user runs is to deny them privileges to do anything to the system (i.e. give them user-only privileges).

A program can also be run to remove the zoneid just as easily.

Fact of the matter is the only true way to protect the computer from unsafe code is to not run it.
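The zoneid this post refers to is the Zone.Identifier alternate data stream that XP SP2 writes beside downloaded files. The parser and Explorer-side model below are an added example, not code from the thread or from Microsoft; they assume the stream's `[ZoneTransfer]` / `ZoneId` layout and the zone numbering 0 to 4, and are fed constructed stream bodies rather than reading NTFS.

```python
from __future__ import annotations
from typing import Optional

# URL security zone numbers that a ZoneId value refers to.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_id(stream: Optional[bytes]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None when the
    stream is absent or carries no ZoneId in its [ZoneTransfer] section.
    On NTFS the body is read with open(path + ":Zone.Identifier", "rb")."""
    if stream is None:
        return None
    in_section = False
    for raw in stream.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                return int(value.strip()) if value.strip().isdigit() else None
    return None

def explorer_would_prompt(stream: Optional[bytes]) -> bool:
    """Model of the Explorer-side check: the prompt appears only for files marked
    Internet (3) or Restricted (4). An unmarked file, or one whose stream was
    stripped as the post describes, gets no prompt; cmd.exe never looks at all."""
    zone = parse_zone_id(stream)
    return zone is not None and zone >= 3

def audit(files: dict[str, Optional[bytes]]) -> list[tuple[str, str, bool]]:
    """Report (name, zone label, prompt?) for each file in a name -> stream map."""
    report = []
    for name, stream in files.items():
        zone = parse_zone_id(stream)
        label = "unmarked" if zone is None else ZONE_NAMES.get(zone, f"zone {zone}")
        report.append((name, label, explorer_would_prompt(stream)))
    return report

# Constructed sample: a fresh download, the same download with its mark
# stripped, and a batch file the user wrote locally.
SAMPLE_FILES = {"access.gif.exe": b"[ZoneTransfer]\r\nZoneId=3\r\n",
                "access_stripped.exe": None,
                "my_script.bat": b"[ZoneTransfer]\r\nZoneId=0\r\n"}
```

On a Windows host the stream body for a real file comes from `open(path + ":Zone.Identifier", "rb")`, so running `audit` over a download folder shows which files have lost their mark and would open without any prompt.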
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Agreed, yawn. Did anyone really think that the new security prompting should occur at the cmd prompt level? If it's an issue in your environment, remove access to cmd.exe.

Bill
 

n0cmonkey

Elite Member
Jun 10, 2001
Hmmm, I guess that's a way we differ. If something doesn't work correctly I consider it a bug worth addressing. cmd doesn't work right, it doesn't use the security features present in other parts of the OS.
 

dclive

Elite Member
Oct 23, 2003
Originally posted by: n0cmonkey
Hmmm, I guess that's a way we differ. If something doesn't work correctly I consider it a bug worth addressing. cmd doesn't work right, it doesn't use the security features present in other parts of the OS.

You double-click on an executable - should it run the executable?
You type in a command... should it execute that command?

If a user can figure out how to get to the command prompt, I think the other barriers should be turned off and userID privs should be relied upon. Can you imagine the hassle making those changes would do to existing scripts and batch files that millions of people use daily?

Did Heise even *think* about the implications there?

__
Therefore a virus author could create an e-mail worm like this:
Attached: access.gif
Hello,
attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&drop the file into the new window and hit
return. cmd will descramble the file for you.
If the user follows these instructions, the attached file is executed without any warning.
__

Erm...I would call the act of doing all that work to be plenty of warning. Geez.....

But if that's an issue, just turn off the cmd.exe privs, or remove the exe....lots of ways to address that.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: dclive
Originally posted by: n0cmonkey
Hmmm, I guess that's a way we differ. If something doesn't work correctly I consider it a bug worth addressing. cmd doesn't work right, it doesn't use the security features present in other parts of the OS.

You double-click on an executable - should it run the executable?
You type in a command... should it execute that command?

If a user can figure out how to get to the command prompt, I think the other barriers should be turned off and userID privs should be relied upon. Can you imagine the hassle making those changes would do to existing scripts and batch files that millions of people use daily?

Did Heise even *think* about the implications there?

__
Therefore a virus author could create an e-mail worm like this:
Attached: access.gif
Hello,
attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&drop the file into the new window and hit
return. cmd will descramble the file for you.
If the user follows these instructions, the attached file is executed without any warning.
__

Erm...I would call the act of doing all that work to be plenty of warning. Geez.....

But if that's an issue, just turn off the cmd.exe privs, or remove the exe....lots of ways to address that.

If you write it yourself, the zone should be just fine. An extra warning won't hurt anyone, or a quick setting change.
 

dclive

Elite Member
Oct 23, 2003
Originally posted by: n0cmonkey
Originally posted by: dclive
Originally posted by: n0cmonkey
Hmmm, I guess that's a way we differ. If something doesn't work correctly I consider it a bug worth addressing. cmd doesn't work right, it doesn't use the security features present in other parts of the OS.

You double-click on an executable - should it run the executable?
You type in a command... should it execute that command?

If a user can figure out how to get to the command prompt, I think the other barriers should be turned off and userID privs should be relied upon. Can you imagine the hassle making those changes would do to existing scripts and batch files that millions of people use daily?

Did Heise even *think* about the implications there?

__
Therefore a virus author could create an e-mail worm like this:
Attached: access.gif
Hello,
attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&drop the file into the new window and hit
return. cmd will descramble the file for you.
If the user follows these instructions, the attached file is executed without any warning.
__

Erm...I would call the act of doing all that work to be plenty of warning. Geez.....

But if that's an issue, just turn off the cmd.exe privs, or remove the exe....lots of ways to address that.

If you write it yourself, the zone should be just fine. An extra warning won't hurt anyone, or a quick setting change.


Hmm...can you detail a little more what you mean?
 

spyordie007

Diamond Member
May 28, 2001
Therefore a virus author could create an e-mail worm like this:
Attached: access.gif
Hello,
attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&drop the file into the new window and hit
return. cmd will descramble the file for you.
If the user follows these instructions, the attached file is executed without any warning.
DEAR RECEIVER,

You have just received a Taliban virus. Since we are not so technologically advanced in Afghanistan, this is a MANUAL virus. Please delete all the files on your hard disk yourself and send this mail to everyone you know.

Thank you very much for helping me.

Chief Hacker
Taliban
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: dclive
Originally posted by: n0cmonkey
Originally posted by: dclive
Originally posted by: n0cmonkey
Hmmm, I guess that's a way we differ. If something doesn't work correctly I consider it a bug worth addressing. cmd doesn't work right, it doesn't use the security features present in other parts of the OS.

You double-click on an executable - should it run the executable?
You type in a command... should it execute that command?

If a user can figure out how to get to the command prompt, I think the other barriers should be turned off and userID privs should be relied upon. Can you imagine the hassle making those changes would do to existing scripts and batch files that millions of people use daily?

Did Heise even *think* about the implications there?

__
Therefore a virus author could create an e-mail worm like this:
Attached: access.gif
Hello,
attached you find the copy of your access data you
requested. For security reasons, the file is scrambled
and can only be viewed with cmd. To view it, save the
attached file, execute "cmd" from the start menu,
drag&drop the file into the new window and hit
return. cmd will descramble the file for you.
If the user follows these instructions, the attached file is executed without any warning.
__

Erm...I would call the act of doing all that work to be plenty of warning. Geez.....

But if that's an issue, just turn off the cmd.exe privs, or remove the exe....lots of ways to address that.

If you write it yourself, the zone should be just fine. An extra warning won't hurt anyone, or a quick setting change.


Hmm...can you detail a little more what you mean?

If you write the batch script yourself, it should be coming from a "trusted zone," so it should break nothing.

Ok, so these aren't major breaks in the security, but I'm an idealist. Maybe I don't put enough faith in the lusers.
 

spyordie007

Diamond Member
May 28, 2001
Maybe I don't put enough faith in the users.
Neither do I; that is exactly why I rely on reduced privileges and don't much care about the GUI warning regarding what zone it came from. If they don't have privileges to compromise anything then it doesn't much matter what code they run or what zone it comes from.

The point of the nagging GUI is to help the end users at home have a little bit better idea where something is coming from. And fact is they launch pretty much everything as a child process of explorer.