File and Printer Sharing Insecure in XP SP2

ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."

Firewalls don't belong on the desktop anyway.

[LostCluster]

The Slashdot summary is a little mis-worded such that it'll cause some unneeded alarm.

If you configure File/Print sharing in the "wrong" way as the article talks about, it'll expose those services to the whole 'net even through the Windows Firewall. If there's firewall security installed anywhere else on the way to the Internet, such as at the edge router where firewalls really belong, Windows XP isn't so dumb as to pierce that level of security. Even a simple NAT is enough to be an effective blocker.

In other words... we're running into "That's not a bug, that's a feature!" terroritory. If you ask Windows to share your files and printers accross an IP-based networks, you should be sure that the network is separated by a real firewall from the rest of the Internet. Fail to do that, and you might as well expect this is going to happen.

Re:Firewalls don't belong on the desktop anyway.

[ProKras]

I believe that the point of the article is that it's fairly easy for Average Joe user to to inadvertently configure their machine to share with the world what they intend to share only over a LAN. The Windows firewall in SP2 provides a false sense of security to these users.

You're absolutely right that firewalls don't belong on the desktop.

Re:Firewalls don't belong on the desktop anyway.

[Nevo]

Are you kidding me?

You really think firewalls belong at the perimeter?

Here's a clue: there IS NO PERIMETER any more. The internal network is often as hostile as the internet. Laptops, PDAs, unauthorized WAPs on the corporate network... the list goes on.

Anyone who belives they can secure a network be securing the perimeter is deluding themselves.

A firewall at the desktop makes a lot of sense.

Re:News worthy?

[sgant]

I suppose there were a few people out there that were expecting it to be secure...what with MS spending over a year...(maybe longer?) in making SP2 while the world was screaming at it to fix it's security holes.

And THIS is they're response to that. This isn't funny, this isn't a "ha, told you so" kind of thing. This is something that pisses people off. People get fired for this kind of fuck up.

hmm...

[focitrixilous+P]

with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.

With a certain configuration, ssh is accessable from outside, even with a firewall. if the configuration includes passwordless root, well then, a slashdot summary "ssh allows remote root access despite firewall" would be a tad overzealous, right? Unless the certain configuration is ever the default, this is just users not understanding what they are doing and missetting things. Not a MS problem, it's giving users a choice. It's just a very bad choice to make, but no different than, say, root telnet over wireless internet or something.

Hardware routers

[Schemat1c]

Most of these security issues are solved by simply having an inexpensive netgear or linksys router and up to date virus software. They are cheap and easy enough to use that they should be considered standard equipment on any home PC connecting to the internet.

Re:Hardware routers

[Schemat1c]

I don't think that that is the point. What you're suggesting is fixing a Microsoft problem with a 3rd party solution. That is not good enough,...

I think the point is to protect your data and your pc. If you choose to use Windows you should expect to make the necessary precautions or get nailed.

It might make sense for bicycle manufacturers to include helmets and pads to protect you from injuries caused by using their product. Since this isn't the case one most purchase third party protections. It may not be fair, just the way things are.

Re:Slashdot and SP2

[nbert]

It seems that Slashdot is desperate to publish any story that is negative about SP2, despite coming from a dubious source with little to no detail on this "flaw". I have to say that it really seems to me that MS got it right this time.

Slashdot might be eager to publish bad news related to SP2, but calling PC-Welt a dubious source sounds ridiculous to me (can you tell me about a US computer mag, which actually features news?).
I don't think you ever heard of PC-Welt prior to this thread. You could as well state that nothing happened in Beslan, because you saw it on BBC (aka foreign media).
I don't want to say that PC-Welt is a great mag - I bought my last issue about 5 years ago and I no regrets not reading it anymore. But if /. cites some "dubious" news from an unknown website some take it more seriously than news from a mag with real journalists and computer experts. Isn't there something wrong about this behaviour?

Re:Slashdot and SP2

You think it's better to hide Security Holes than to warn people of them!?!

I, for one, welcome Slashdot's reporting of any security holes whether in Linux or MSWindows products. I can then research more and know what to be aware of before they get exploited.

Or are you some kind of h4x0r who wants people to remain ignorant of shared filesystems?

Re:I'm shocked!

I spent an afternoon printing warnings on people's printers

As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.

Re:I'm shocked!

[geeber]

I spent an afternoon printing warnings on people's printers

As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.

While I can understand why such behavior might piss off an ISP, I don't see why it would generally be considered unethical. It's not like he was installing software remotely on someone's computer, which seems very different to me.

Would it be unethical if he knocked on their door and told them in person of their vulnerabilities? How about if he slipped a flyer under their door while they weren't home? That seems to me to be the ethical equivilence of using their computer to print a warning.

Re:"insecure"? WTF?

[Veridium]

I don't care what PC Welt thinks and how much it sells - it's just one source.

You guys bashing slashdot for this, let me ask you, should slashdot not post links to stories until 8 different sources confirm it? That ought to make for a really boring site.

The thing I don't get, is why people get pissed about this? This site is largely a community discussion site driven by user submitted stories. Slashdot isn't out there engaging in investigative journalism or writing the stories themselves.

And when you say something like this:

As far as I can tell, I've installed SP2 and nothing like that happened so it's false to my eyes

I had unprotected sex and I never got a venereal disease, therefore, all those stories about VD are wrong. I mean that's basicaly the same as your argument. Did you read the article? Did you even read the blurb for the article on slashdot? Let me help you:
with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.

What does that say? It says WITH A CERTAIN CONFIGURATION. Obviously, you don't have that certain configuration.

Re:I'm shocked!

[Curtman]

So does bandwidth consumed by infected zombie computers relaying spam.

Re:I'm shocked!

[John+Hasler]

It may not be unethical, but it is a felony under US law.

Re:Shared

[ultranova]

These computing resources were being placed in the public domain.

So if I go out for the day and accidently leave my front door open, have I placed all my possessions in the public domain?

Since Windows file sharing is meant to share files - allow access to them - I don't really see how any document in a world-readable directory could be likened to the stuff in your house. You made the directory world-readable. You placed the document there. How could anyone make any other conclusion than that you meant the document to be readable by anyone. Same for printers - if you don't want people to print random garbage with them, why did you make them world-printable ?

Now, it's possible that your computer is buggy and shared the directory by itself, or that you're an idiot who plays around with his computers configuration without understanding what's he doing, but how is anyone else supposed to know that ?

As for your example, if keeping your front door open is commonly considered an invitation to come inside and take whatever you want, then yes, leaving your front door open is going to mean exactly that.

I've said it before, and it looks like I'm going to have to keep on saying it - just because you *can* do something doesn't mean that you *should* or that you're *allowed* to.

That, however, doesn't change the fact that you can hardly be blamed for using resources someone else has made available. Open port is an invitation. If the inviter wanted to limit his invitation to a certain group of people, he should have used a password. Otherwise, people have no way of knowing that this invitation didn't include them.