File and Printer Sharing Insecure in XP SP2
ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."
It seems that Slashdot is desperate to publish any story that is negative about SP2, despite coming from a dubious source with little to no detail on this "flaw". I have to say that it really seems to me that MS got it right this time.
Security over features and security over performance... isn't this exactly what we have been asking for? I mean, do you really care that the guy down the hall is running Powerpoint 9% slower?
Cause all I care about is that he is not hammering my webserver with the latest virus.
I thought this was already common knowledge. Grab a copy of any P2P software and spend a few minutes port scanning clients you see in it. I spent an afternoon printing warnings on people's printers, with instructions on how to disable file & print sharing. Its quite an amazing thing to witness. About half of them are wide open, and don't require any password to mount the C drive or print documents. smbclient is a really fun utility. :)
both here and in the world.
The reason that this was done likely is because SP2 enables the firewall by default. so you don't want people calling asking why their file shares and printer shares don't work.
In addition to that, if it is a local network like that, they have a router in the first place, they are safe.
In addition to that... remember in windows XP unless you CREATE a share it is not going to be there (even though the file and printer sharing may be turned on).
In addition to THAT... winXP by default has guest turned off, so you would have to be an authenticated user to get access.
someone is trying to be sensationalist and not thinking about things.
RoundTop
The fix is broken on computers that have already been compromised. Which is probably a fair number of them. This bothers me.
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAffee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
bw
I just can't wait to see the **AA go up against M$ over this.
Does this mean that they won't use Microsoft DRM anymore?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
My suspicion is that the "bug" is that while the XP SP2 firewall closes File&Print sharing on public IP addresses, there are several ISPs out there that give internet-connected computers private network (10.x.x.x) IP addresses.
XP's firewall thinks that the machine is on a private network (and thus behind a hardware firewall), and so it allows access through the firewall. Unfortunately, in this case, the ISP screwed up and put the private IP on the internet without protection.
" Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?"
It generates comments, and comments generate ad hits, and ad hits generate revenue. Somebody chimes in and says "That proves it, Microsoft utterly and completely dropped the ball, may they go down in flames!" Slashdot gets money. That's a gross oversimplification of how Slashdot generates revenue, but I have to admit, I'm seriously impressed on how they capitalized on anti-MS FUD.
My point? Well, your beef really isn't with Slashdot. It's with the people commenting in stories like this. Lots of people are competing to get that +5 comment, and a lot of people with mod points out there (not all of them, maybe not even most) mod up the "this is proof that MS is OCP evil!" comments.
I agree with you that the idea of not visiting is interesting. I'm rather sick of odd conclusions being drawn then lauded.
"Derp de derp."