Slashdot Mirror


File and Printer Sharing Insecure in XP SP2

ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."

13 of 368 comments

  1. Slashdot and SP2 by Anonymous Coward · · Score: 4, Interesting

    It seems that Slashdot is desperate to publish any story that is negative about SP2, despite coming from a dubious source with little to no detail on this "flaw". I have to say that it really seems to me that MS got it right this time.

    Security over features and security over performance... isn't this exactly what we have been asking for? I mean, do you really care that the guy down the hall is running Powerpoint 9% slower?

    Cause all I care about is that he is not hammering my webserver with the latest virus.

    1. Re:Slashdot and SP2 by Izago909 · · Score: 5, Interesting
      Dubious or not, the solution is something that most people should do by default:
      This error can be corrected by choosing "User defined List" and entering the IP addresses that are supposed to have access - the IP addresses of your LAN. A whole range of an IP area can be entered as "192.168.x.0/255.255.255.0", if the respective addresses start with 192.168.x.
      So we should not allow file and printer sharing beyond our local network. Who would a thought? They also recommend using a router with a firewall or a secondary software firewall. It's been a while since I used zone alarm, but the last version I tried didn't notify the user if a windows process tried to access the network. That's why I switched to Sygate. You'd be surprised what parts of windows want to transmit data (like the file indexing service) even though you aren't running them.
    2. Re:Slashdot and SP2 by Aadain2001 · · Score: 4, Interesting

      I think /. is very quick to post bad news about SP2 because MS is out singing to the heavens about how much more "secure" it is and how they are taking security "seriously" now. Bugs like this are just evidence that MS is yet again trying to tack on security after-the-fact instead of doing what is necessary: start over and have security in mind from the ground up in designing, developing, and testing of their OS and applications. MS is still a breeding ground for viruses, backdoors, worms, etc, all because MS will not admit that their products are pieces of crap whose only positive traits are being easy to use (if you are already used to using MS products that is) and pretty to look at (if all you have ever seen is MS products). From an administrative point of view, their stuff is buggy, bloated, and a POS at the source code level. The firewall in SP2 should be simple, clean, and not affected by ANY other program or hook instead of Windows. But MS couldn't even get that right, instead doing their usual "tie-it-into-everything-else-we-lose-market-share-to-a-competitor" routine, giving the user a false sense of security. That is why /. rails against MS and SP2. We don't like being lied to by the marketing department.

      --
      Space for rent, inquire within
  2. Re:I'm shocked! by Curtman · · Score: 5, Interesting

    I thought this was already common knowledge. Grab a copy of any P2P software and spend a few minutes port scanning clients you see in it. I spent an afternoon printing warnings on people's printers, with instructions on how to disable file & print sharing. It's quite an amazing thing to witness. About half of them are wide open, and don't require any password to mount the C drive or print documents. smbclient is a really fun utility. :)

  3. People are stupid. by RoundTop-VJAS · · Score: 4, Interesting

    both here and in the world.

    The reason that this was done likely is because SP2 enables the firewall by default, so you don't want people calling asking why their file shares and printer shares don't work.

    In addition to that, if it is a local network like that, they have a router in the first place, they are safe.

    In addition to that... remember in windows XP unless you CREATE a share it is not going to be there (even though the file and printer sharing may be turned on).

    In addition to THAT... winXP by default has guest turned off, so you would have to be an authenticated user to get access.

    Someone is trying to be sensationalist and not thinking about things.

    --
    RoundTop

  4. Windows by Anonymous Coward · · Score: 4, Interesting

    The fix is broken on computers that have already been compromised. Which is probably a fair number of them. This bothers me.

    Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.

    Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.

    What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.

    A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.

    It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.

    Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.

    The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.

    If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)

    It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptible infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.

    It's no use Microsoft whining that customers should clean their computers first. That would be like McAfee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?

    The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.

    bw

  5. Re:This isn't a bug... by MBCook · · Score: 3, Interesting
    Something I've wondered about before.

    My printer has a JetDirect ethernet card in it. It's got its own webserver and can handle the Internet Printing Protocol. You could print to it from across the globe if you knew the IP and it was outside a firewall (or you use a VPN or something).

    So what would happen if I just "set it free"? Would anyone notice? Would people start printing spam out of it? Would they try to print Goats.ex stuff?

    Anyone ever done this (either on purpose or accidentally)? Anything happen? Just curious. I mean I can understand the appeal of files, but does anyone care about "open" printers?

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  6. Guilty of P2P by Nom+du+Keyboard · · Score: 4, Interesting
    Clearly Microsoft is guilty of distributing P2P software now. In fact, by now they're probably the biggest P2P supplier out there.

    I just can't wait to see the **AA go up against M$ over this.

    Does this mean that they won't use Microsoft DRM anymore?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  7. Re:This isn't a bug... by dmaxwell · · Score: 3, Interesting

    It's conceivable that the print server could get rooted. Most of them are powerful enough to run a telnet session or web server. Instead of firing random printjobs at you, the printer could be turned into a spambot or DDOS node.

  8. Re:I'm shocked! by LO0G · · Score: 4, Interesting

    My suspicion is that the "bug" is that while the XP SP2 firewall closes File&Print sharing on public IP addresses, there are several ISPs out there that give internet-connected computers private network (10.x.x.x) IP addresses.

    XP's firewall thinks that the machine is on a private network (and thus behind a hardware firewall), and so it allows access through the firewall. Unfortunately, in this case, the ISP screwed up and put the private IP on the internet without protection.
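
The scope question raised in Izago909's and LO0G's comments above, as an added example that is not part of the thread and is not Windows Firewall's own logic: a small model of how an exception scope decides which source addresses may reach file and printer sharing. The scope names (`all`, `subnet`, `custom`), the `max_hosts` threshold and every address are assumptions made for illustration, and the 10.x.x.x case models LO0G's hypothesis, not a confirmed cause.

```python
import ipaddress

def scope_networks(scope, iface=None, custom=()):
    """Return the networks a firewall exception admits under the assumed scope model."""
    if scope == "all":                      # any computer, including the Internet
        return [ipaddress.ip_network("0.0.0.0/0")]
    if scope == "subnet":                   # whatever the interface netmask calls local
        return [ipaddress.ip_interface(iface).network]
    if scope == "custom":                   # user-defined list of address/netmask entries
        return [ipaddress.ip_network(e.strip(), strict=False) for e in custom]
    raise ValueError(f"unknown scope: {scope!r}")

def is_admitted(remote, scope, iface=None, custom=()):
    """True if a connection from `remote` would pass the exception's scope check."""
    src = ipaddress.ip_address(remote)
    return any(src in net for net in scope_networks(scope, iface, custom))

def audit(scope, iface=None, custom=(), max_hosts=254):
    """Flag scopes that admit more addresses than a small LAN would contain."""
    findings = []
    for net in scope_networks(scope, iface, custom):
        if net.num_addresses - 2 > max_hosts:
            findings.append(f"{scope} scope admits {net} ({net.num_addresses} addresses)")
    return findings

# Constructed scenarios (addresses are illustrative, not taken from the article).
HOME_LAN = "192.168.1.10/255.255.255.0"      # PC behind a NAT router
ISP_PRIVATE = "10.20.30.40/255.0.0.0"        # ISP hands out a 10.x address directly
LAN_ONLY = ["192.168.1.0/255.255.255.0"]     # user-defined list in the quoted format

if __name__ == "__main__":
    for label, args in [
        ("home LAN, subnet scope", ("subnet", HOME_LAN)),
        ("ISP 10.x, subnet scope", ("subnet", ISP_PRIVATE)),
        ("ISP 10.x, custom list", ("custom", ISP_PRIVATE, LAN_ONLY)),
    ]:
        other_customer = is_admitted("10.99.1.1", *args)
        print(f"{label}: 10.99.1.1 admitted={other_customer} findings={audit(*args)}")
```

In this model a "local subnet" scope is only as narrow as the netmask the ISP assigns, while an explicit list stays limited to the LAN range regardless of the interface configuration.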

  9. Re:"insecure"? WTF? by NanoGator · · Score: 4, Interesting

    " Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?"

    It generates comments, and comments generate ad hits, and ad hits generate revenue. Somebody chimes in and says "That proves it, Microsoft utterly and completely dropped the ball, may they go down in flames!" Slashdot gets money. That's a gross oversimplification of how Slashdot generates revenue, but I have to admit, I'm seriously impressed on how they capitalized on anti-MS FUD.

    My point? Well, your beef really isn't with Slashdot. It's with the people commenting in stories like this. Lots of people are competing to get that +5 comment, and a lot of people with mod points out there (not all of them, maybe not even most) mod up the "this is proof that MS is OCP evil!" comments.

    I agree with you that the idea of not visiting is interesting. I'm rather sick of odd conclusions being drawn then lauded.

    --
    "Derp de derp."
  10. Re:"insecure"? WTF? by diegocgteleline.es · · Score: 3, Interesting

    So if this affects a small number of people why on earth the titular is named "File and Printer Sharing Insecure in XP SP2"?

  11. Re:Hardware routers by sparkz · · Score: 3, Interesting

    If BMX promote their bikes as "Trustworthy Cycling" with a "Safety Update", that's language which implies that a user doesn't need any 3rd-party stuff to make it secure. It certainly doesn't imply that the most common method of using the bike (on public roads) or PC (directly connected to the internet) is known to be likely to cause major problems, which is the case with MS Windows (so far).

    --
    Author, Shell Scripting : Expert Re