Slashdot Mirror
XP2 Spotted In The Wild
LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."
any program can access and edit the Windows Management Instrumentation database
That MF'ing Clippy.exe in MS Word better stop accessing my Instrumentation database or I'll punch that SOB into the middle of next week. Really any program can access and edit the Windows Management Instrumentation database; I knew solitrae and tetris and an altier motive.
My box says it's insecure! So therefor, I can't possibly have some spoofing ActiveX control thingie, can I?
if every user were root.
To build in a security overview system and leave it wide open so that its easy to fake the current status of things like your firewall and anti-virus.
So this is what the Internet Meltdown Predicted for Tomorrow article was referring to!
According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."
;)
That's ok. MS probably wants it to be easy to use so that everyone can use it.
Little Bricklets
If a boxen is 0wned then we can savely assume that the 0wner/w0rm has root access. And with root access it can do anything anyway.
This is like complaining that one can shut down your computer by removing the power plug.
Step 1: Go to http://www.mikx.de/scrollbar/
Step 2: Drag the scrollbar down a bit and let go
Step 3: Start -> Programs -> Startup
That's just spooky.
Karma: Segmentation fault (tried to dereference a null post)
To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack - no WSC is necessary."
Sadly just about everyone runs shit as Administrator (it is the default mode for XP Home installs) to make life easier and as MSFT has noted they are opening themselves up to the attacks... For those that will mention that Linux is so much better remember that these are the same people that wouldn't like to have to change to root (sudo, su, login, whatever) to install anything and would be opening themselves up to the same vulnerability level as if they had been running Windows.
Basically the problem was in design... They should not have had an open API controlling the "WSC" and thus malware would not be able to detect the presence of the programs' status from a single location. The real problem is that MSFT isn't admitting that it is a serious problem and needs to be changed on a different level... Saying that malware writers are going to use the direct route and disable the firewall/AV outright, while true, doesn't get them off the hook for creating this hole that is more difficult even for a more advanced user to notice.
Microsoft released SP2 in a staggered fashion. First to MSDN subscribers, OEM's, Enterprise customers, etc. Second, SP2 was unleashed to XP Home Edition via Windows Update. Today, they're finally allowing XP Pro users to get the patch. It was intended to allow corporate customers the ability to disable the update to their clients.
No, most user's don't need to be root most of the time. Yet:
While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk, run in the default administrator mode.
How can we convince people not to run admin mode? It's easy at work, in UNIX land (most people don't get to know root pw.) But most Windows users I know don't even know the difference.
Every windows security problem I know of can be solved, or at least significanly mitigated, by users not running root.
everything in moderation
Cue Marlin Perkins (of the old Mutual of Omaha Wild Kingdom shows):
MP: "Today, we are going to find and capture the elusive XP2 Leopard. My associate, Jim, is armed with a toe-nail clipper and a badminton raquet. Jim, why don't you start marching down that trail over there? I'll be back at the truck with the cameraman and a bottle of scotch."
I noticed it was up last night to I installed it.
It's 94.50 mb which takes a while to download. Upon installation and restart the new windows security center pops up and trys to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.
Otherwise there doesn't seem to be any major changes.
So far nothing's borked.
Maybe MS could get NASA to send a few rovers in there to see what they can find out.
There is one subtle difference between linux and window admins: There is a lot of window software that is written to be run as administrator. Finding all the files to give permissions to causes quite a headache.
Linux, I feel, has a better system at the moment. However, as this is the developers fault, I see no reason why linux would be immune from this problem.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
To make Windows secure, that is. I know lately that Microsoft-bashing has gone from being the in thing to being "trolling", but it's true. Just because it's become less fashionable to say so doesn't change the fact. I don't understand how Windows users can continue to use these machines. I live in a relatively remote area of Japan, and yet somehow within 4 minutes after hooking up my brand-spanking new machine to the Internet, I started getting Code Red connection attempts and repeated assaults on various four-digit ports. I guess they don't respect geographic boundaries either. By the way, this all happened while I was downloading XP2/SP2. It's not going to help when we don't even have time to install it before getting our machines "owned".
I've always criticised Linux users for being sloppy and the like, but the operating system itself is at least rock solid. It rarely crashes, it has a decent windowing system, and I don't see advisories for it on Bugtraq every 8 hours. Windows is easy to install, but it's all too easy for someone else to compromise. Ease of use is nice, but I think I'll take peace of mind with GNOME on Fedora Core.
Right. I can only assume you're using Linux now, and I apologize if i'm wrong. So you probably never have to: upgrade your kernel, upgrade applications or do an fsck. If this is the reason why you abandoned windows, it's a silly one. As far as i know, only consoles (Nintendo, PS1/2 & Co.) don't require updates. Everything else does.
The next thing to be said is usually: "But most home users run as admins." (The article also mentions this.) Well, that's not a Windows problem; that's a user problem. Even if Windows forced users to run in "limited mode" (which would cause an outcry in itself - "eek, Microsoft is trying to take away control over our own computers from us"), it also doesn't help that most third-party software for Windows requires admin rights either to install or *gasp* to run. Of course, this is ancient news to everyone with a clue
Of course, even when running as admin, protecting yourself against malicious code is fairly trivial; simply use a firewall (SP2 incidentally includes one), don't run binaries from untrusted sources, surf the web and check your email using something other than IE/Outlook, use a virus scanner/shield, and keep your apps and OS updated. Again, no news to anyone with a clue.
Quality, performance, value; you get only two, and you don't always get to pick.
That's the network install, which includes every update since XP was released plus code to figure out what version of Windows you're actually running. If you download it from Windows Update it does all that before-hand and only sends you the stuff you need, which makes for a much smaller download.
Yes it does
What Microsoft is doing is analogous to me trying to turn my apartment into a bank:
Initially I just put up a sign that says "Bank" and leave the money lying on my sofa. Then when I get tired of people walking in and taking the money I lock my door. Then they kick in my door, so I get a thicker door. So now they climb in through a window, so I close and lock the windows. They break a window, I put up shutters. They cut through the floor, I lay down cement; ceiling, I add an alarm; they cut the electricity, I buy a generator. Maybe at some point I buy a safe, which works until they pick the safe up and roll it out of a hole cut into my wooden walls. This goes on for years, until eventually I get fed up and move out, and have a building built to purpose that's secure as a bank should be.
Where this analogy breaks down is at some point pretty early on customers would stop giving me their money until I got my act together, where they've shown no intention of doing the same to Microsoft.
The only way to make joe user NOT want to use an Administrator account is to make it anoying to use. IE: -Display a NAG window everytime the user launches an application. (Maybe only if the user spends more than 30 minutes in the account) Maybe even make it easy to do some admin tasks easily as a Limited user by prompting for the administrator pw when required like Linux distros do today.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
We're out 'ere lookin for signs of the elusive XP2 that's been said to be lurkin' in the wild...
Crikey, I've just spotted a wild paypah-clip in it's natural 'abitat! Look at those big ole eyes an'.. oh!.. there he goes trying to ask me if he can 'elp me!! You see, this creature is what's known as a parasite, 'ee leeches off o' your Windows Management Instrumentation databases. It's 'ard to satisfy one o' these buggers, they'll never leave ya alone until they've done your work for ya.
</steve irwin>
If the animated dog says my machine is secure who am I to argue with it...
All the torrents you could want.