New Windows Attack Can Disable Firewall
BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."
Does anyone actually leave Windows Firewall on anyways? It's one of the first things to go when I have to use Windblows XP.
pure class
(yay RSS for first(ish by now) post goodness)
From TFA: It's not clear if it only affects the Windows default firewall, or any 3rd party firewall installed on the system.
Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?
Laws do not persuade just because they threaten. --Seneca
If the graphics applications you use require Windows, and all of the major firewall vendors are bloated (Symantec), worthless (Kerio) or both (McAfee), then what can you do?
Microsoft's public relations agency said Monday in a statement.
;(
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."
Well then everything is fine and dandy then
The article didn't sound right calling it Internet Connection Service, so I did some poking around on the blog the article referenced: http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm/
ICS == Internet Connection Sharing.
http://en.wikipedia.org/wiki/Fire_extinguisher ?!
:)
nothing new here, go on...
Maybe the bug slipped past because nobody uses ICS. Too cheap to buy a free after rebate router?
What were those engineers thinking? A data packet, the thing a firewall is supposed to filter, can disable the firewall? Who thought it would be a nice feature to have that?
"We need a firewall of our own!""Why?"
"To keep our monopoly; those firewall and antivirus companies are making money that should be in our pockets."
"But antitrust..?"
"We say it's because we want to have a secure system, it should've been in the first place. Those companies have no case! >:D"
"But even we cannot access their systems anymore without logging our activity on our massive 'slave-farm'."
"We'll add a backdoor, so we can remotely disable it. No one will ever find it >:)"
"Excellent..."
Bill: "We must delay Vista a few more weeks because Sam the janitor found that if he logged on exactly at 12am, the system would implode and cause a reinstall. Thank god for QC!"
Grunt: "Hey Bill, there is a bug in XP that can totally disable the firewall! How about making an SP3 for XP?"
Bill: "You obviously don't share my vision do you?"
Valkyrie is about to die! Wizard needs food -- badly!
I never used Windows Firewall on my PC - I used Zonealarm or Tiny Personal Firewall. Why? Because given how many security holes XP had - and probably still has - I wouldn't trust my security to it. And lo and behold, here we are.
So for this attack to work, according to the article...
1) The attacker has to be on the LAN already, or executing code from a PC on the LAN
2) The LAN has to be connected to the internet through a PC using ICS, and
3) There can be no external firewall device such as a router sitting between the LAN and the internet
While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.
-David
How is this new? Any attack worth its salt disables the firewall first thing. Saying this is news is like telling people AIDs is linked to death.
If history repeats itself, why can't we study the future?
Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag. The question is: what is it that makes you think you've never had a virus/been compromised? You haven't noticed anything? Perhaps McAfee or Norton didn't find anything so you assume you are clear? Sadly my friend, it is very possible your machine has been compromised by a virus or worm and you are simply unaware of it. The worst kinds of malware are not detected by virus scanners; in fact some are not even detectable in any way.
Why should you care if it doesn't appear to affect you? Well, it may actually affect you if it's a keylogger tracking everything you type and collecting information about you for identity theft. Worse, for the rest of us anyway, your machine could have been co-opted by a bot-net that is used by criminals to extort money from web sites. What they do is secretly root thousands of unprotected computers operated by people who 'have never had a virus' and then use them to do a distributed denial of service attack against commercial websites, demanding money from them to stop.
In order to limit the power of these criminals, everyone must firewall and patch their machines. This may not even be enough though! What people really need to do is occasionally completely reformat after booting off a cd so any rootkit will be erased.
Real FPers use Refresh. You kids and your toys...
RTFA. It's new because it is a specific attack that's just been discovered. If you still don't think it's new, look up the word "specific" in a dictionary and see if you can figure it out. Hint: No one is claiming that it's a new kind of attack.
The hell it does. Are you sure you know what a firewall is?
Most attacks these days would completely ignore the firewall, and look for a way around it. Once inside, the only point to disabling the firewall would be to send spam, I guess, and the smarter ones would, again, attempt to go around it, so that a sneaky admin would still see their firewall supposedly working, and wouldn't see any suspicious rules to allow that particular app to connect.
In fact, I can't really think of any firewall-disabling attacks that make any sense. Even if we're talking about a big, corporate firewall, disabling it would be downright retarded -- the admin will be onto you in a heartbeat, and if it's any kind of decent firewall and you have the kind of access it takes to disable it, you almost certainly already have a tunnel as far in as you can go.
(Note: Almost. I can imagine some strange networks and situations where you'd be right, but you're still wrong, because we're talking about a single attack on a single Windows computer.)
Now, this attack is actually new and of a somewhat rare kind -- it disables the Windows firewall, which means it could potentially allow other attacks. It's amazing how stupid it is -- this attack should not work -- but it is not, by itself, a real danger.
I think you meant to say "AIDS". AIDS is not the plural of AID. AIDS stands for Auto-Immune Deficiency Syndrome. AIDS is singular.
Also, AIDS does not necessarily cause death. It just weakens your immune system ridiculously. Think of it like playing Halo without a shield, if such a thing was possible. People with AIDS have to be insanely cautious in order to simply stay alive, and to prevent spreading the virus to others, but it's entirely possible to live with AIDS.
So, basically, you're entirely wrong in every single thing you said. That's impressive! That's an accomplishment!
Don't thank God, thank a doctor!
When they advertise that XP installations come with a firewall, they in fact mean that XP installations come installed with a wall of fire. The EULA clearly states that, somewhere near the bottom next to the pictures of cats and the sudoku puzzles, because no-one ever reads that far...
Task Mangler
please step away from the keyboard until you have conquered your substance abuse problem
thanks
So much for my plans for shutting my firewall off remotely from work...
As it seems judging on the majority of the comments, the first thing an *experienced* user would do on an XP machine would be to deactivate the MS firewall and install a third party firewall.
But then again, which inexperienced user would set up a LAN with the - advanced, I would say - specifications described in the article? So, no real need to patch there... I am surprised they ever found out about this thing. It is easy to forget that all these little Windows tools are for users that will do no more than the occasional browsing and multimedia playback.
For the record, I have iSafer always enabled.
Windows has a firewall?
....sorry, please continue :)
Please see here:
http://isc.sans.org/diary.php?storyid=1809
MS Cluster Service will not work without ICS running, it is used for internal NAT handling.
So the problem is much more widespread than small LANs using ICS.
... firewalls disable you.
What if the attack just gets a PC on the LAN to send the attack packet?
Come on people. Routers are cheap. It is better to use a hardware router instead of a Windows machine as a router. At home, I run a 300MHz Pentium II as a router. At the office, a router is used.
Everyone knows Windows is insecure. It only costs $30/$40 for a router. $29 for a D-Link DI-704P 4-Port Cable/DSL Router at outpost.com
Fight Spammers!
Fortunately for all V(irus)B(uilding)S(cript) coders, Microsoft gave us all a very easy way to silently disable the firewall at any time...
Set objFirewall = CreateObject("HNetCfg.FwMgr")
objFirewall.LocalPolicy.CurrentProfile.FirewallEnabled = FALSE
Malicious code can damage your computer. New bugs can be found on a patched system. News at 11.
Use a proven firewall such as OpenBSD which can both act as a firewall and provide NAT dhcp etc for the LAN.
Unlike Windows, OpenBSD has suffered "Only one remote hole in the default install, in more than 10 years!".
Oh and version 4.0 is due out tomorrow - see http://openbsd.org/40.html
Considering the number of security alerts concerning ZoneAlarm compared to the ones concerning Windows Firewall I would not be so proud...
But we are on slashdot so surely anything marked windows is worse!
Why does Windows get all the press? It's not fair! I want to see some coverage of stupid holes in Linux and the free BSDs!
Please correct me if I got my facts wrong.
Squeal, fanboy! Squeal!
Heh you replace it with one of those commercial backdoors do you? Umm whatsitcalled .. phone-home .. phone-alarm-something ...
http://en.wikipedia.org/wiki/ZoneAlarm#Version_6.0_spyware_controversy
Too late buddy, you already installed *windows*.
A person who uses ICS is even more guilty against mother Earth than SUV owners. ICS requires the gateway PC to run even if you use only the client PC, and this means 250 Watts or more of excess electric consumption. An ICS user fills the air with CO2 emitted from coal power plants that make electricity. If you don't buy a $20 ADSL router that runs off a 12 Volt wall adapter and runs your net sharing on 10 Watts or less, then you are a pollution terrorist, a cohort of fossil fuel barons.
I hope all ICS users get hacked to death and their mangled bodies displayed on spikes to educate the masses on the importance of conserving resources.
According to this SANS article, the DoS attack comes from outside.
If I understand it, it is with a corrupted DNS reply packet.
or similar windows-only ISP. Or if you aren't ready to jump through the hoops of convincing them that the DSLAM head is broken and not that you're running Linux that is causing your connection to fail.
So I see dozens of comments about "It's no big deal, you have to be on the LAN". Am I the only one that hasn't forgotten how common wireless networks are and how trivial it is to gain access to most of them?
The only change I can believe in is what I find in my couch cushions.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Are you talking about viruses and worms that afflict computers or some kind of mystic God? If they are not detectable in any way, even you might be hosting malware and would not be aware of it. Right?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Yeah because there are so many vulnerabilities in ZoneAlarm. </sarcasm>
I have a Linksys WRT54GL router (http://en.wikipedia.org/wiki/WRT54GL). It uplinks via 36-54mbit (depending on conditions) wireless connection, and acts as a router for a network of ~10 computers with quite heavy p2p traffic. It is stable and rarely slows down. Of course, I run a custom linux firmware on top of it (HyperWRT Thibor, original firmware sucks quite bad).
Oh, and it cost me ~70 USD.
--Coder
You have a few options:
1. Run Windows natively but unplug your CAT-5 cable or disable your networking devices under the device manager. Having no internet access under Windows fixes this and many other problems nicely.
2. Are you really sure that the graphics applications you use require Microsoft Windows? I think that you would be very surprised by how good the support is for most Adobe products, including Photoshop, using WINE.
3. Run Windows and your graphics applications in a virtual environment using VMWare. Unless your graphics applications require advanced, DirectX-based rendering or some such thing (unlikely), then this will work great too.
Hope that helps!
I feel for people who have no other options, but... software routers suck. Whether they are made by Microsoft or anybody else. Hardware firewalls for the win. (Which I guess in the end ARE just embedded software... still better at the end of the day.)
Hey mods, mod parent up.
If you want your life to be different, live it differently.
So I tried using MS Virtual PC to run another copy of WinXP and run Azureus in that sandbox. Same problem.
I thought maybe I was being attacked via bad packets sent to Azureus but was told I was being way too paranoid.
I switched to a Linux virtual machine to run Azureus just in case.
"I don't know why I bothered to type this in."
Sure you could build your own firewall appliance and shove it in a DMZ on your home LAN. And you could implement hardware dongles for wireless. And you could sandbox everything and so on and so on and so on.
But is that reasonable? Do you really have content on your machines that's so valuable that it has to be preserved at all costs? Is it really worth the time, effort and money to do so? Did you remember to back it up? People should take reasonable precautions such as a good software firewall, a real time AV scanner, a few spyware tools, a good registry cleaner, etc. Run them once or twice a month unless you see obvious artifacts of some problem. Keep the OS patched on a more or less regular basis but avoid chucking everything on all the time ASAP. Let someone else debug it. That should keep you running.
More than that you should evaluate the rationale for it, just like building a business case at work. If protecting the machines takes as much effort at using the machines, you might have missed the mark.
I can't wait till a journalist finally gets something right... (and /.'s captchas are SO good that even I can't read them - round 2)
It's not "Internet Connection Service", it's "Internet Connection Sharing", which hardly anyone has running anyway. They probably FUDded it on purpose just to make their article sound more relevant.
The MS firewall has never been secure. For a few reasons completely unrelated to the current bug.
1. It's configurable via the registry. I.e. write a few keys into the registry and your application has all rights to come and go as it pleases. And that's what malware usually does.
2. Its "warning" windows have a standard window handle and can thus be intercepted by programs and answered "correctly". Another standard tactic of malware.
3. It's attacked by every single halfway modern malware, since it's on every system by default. Every single piece of malware has to defeat it to be "complete". And every malware does. It's not really hard, usually it's enough to do 1. (by simply setting the keys accordingly) or 2. (by creating a thread that waits for the window to pop up and flick it away with the "ok, let it pass" message).
Relying on the Windows Firewall to keep malware out is like relying on a politician to resist bribery.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The fact that ZoneAlarm can do bi-directional firewall control is the reason why I don't use Windows' own incoming-block only firewall.
For this attack there has to be a number of factors in place, and most people here on /. seem to dismiss the likelihood of an attack because of these factors. But remember, the majority of the population aren't like people here.
1. Must be within the LAN
How many average joes run unsecured wireless? In my neighborhood that's lots of people.
2. ICS must be running
How many average joes have never even opened Services, much less turned off unnecessary Windows services?
3. No other firewall is running.
How many average joes do not buy a third party firewall because one comes with Windows XP?
This attack can be mitigated easily for computer savvy people. Most people aren't that computer literate. Just my 2 cents.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Yeah, instead of closing exploitable network ports, let's throw another layer in front of them! That's sure to be foolproof!
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
You OpenBSDats just want to cut and run from Windows. We need to stay the course if we do not want the smoking router to become a mushroom CPU.
Stay with Windows, or the hackers win!
Obama likes poor people so much, he wants to make more of them.
And, laying blame properly.
When you buy a new computer, it comes with XP. On the hard disk. Without a manual. Really.
My nanny just bought an Acer laptop. It did come with a "quick start guide".
Nothing about security. Although XP does pop up a dialog asking you to install anti-something-ware software. And natters about using unencrypted wireless links.
So for you points 2 and 3, the vendors are to blame. For point 1? I believe that the warning that you are using an unsecured wireless connection is probably just fine.
Generally, I'll blame the vendors. Not only are MANUALS not packed, but even CDs are omitted on shipping. How is the "average user" supposed to know? Intuition? I guess they are supposed to read the fine dialogs, and resolve these issues at that time. I guess the vendors take the easy road and throw in "Norton Antivirus" to get rid of the nagging.
Ratboy
Just another "Cubible(sic) Joe" 2 17 3061
I was a strong proponent of Kerio's free firewall. However, a fully patched Windows XP machine running Windows Firewall works just as well. A "Shields Up" test reveals no open ports using either system. However, opening ports using Kerio has always been a pain in the ass. After having numerous issues with bittorrent and ssh using Kerio, I gave up. I now use a hardware firewall which is in my router and the built-in WinXP firewall. Two firewalls are enough, IMHO.
Why aren't there any free/open-source/GNU easy to configure software firewalls for windows? Anyone know of any?
Since when did "interesting" mean "shills for my favourite product" ?
Je fume. Tu fumes. Nous fûmes!
I've always known ICS to mean Internet Connection Sharing, not Internet Connection Service. I could be wrong though.
If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
This is something about XP that really bothers me, and I consider a design flaw. Several services run together under each svchost.exe process. (Tasklist /svc will show them.)
I have something wrong with my system now, where one of those svchost processes (after a while) dies with an unhelpful message, killing a bunch of other services with it (including ICS/Firewall). They won't restart for me, either. I'm still in the process of disabling services and trying to identify the single one that is causing grief, and bringing others down with it.
And now, according to the article, this same behaviour is used as a security exploit. I wonder if my services have been dying from this same exploit being attempted from the outside on my machine.
Love many, trust a few, do harm to none.
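The two comments above (the list of preconditions for the attack, and the report of svchost-hosted services dying together) both come down to one fact: on XP, Internet Connection Sharing and Windows Firewall run inside the same service, SharedAccess, so a crash of ICS takes the firewall with it. The following PowerShell audit is an added example, not code from this thread or from Microsoft; it assumes an XP-era host with the SharedAccess service and the HNetCfg.FwMgr and HNetCfg.HNetShare COM objects, and it only reads state: whether ICS is sharing a connection, whether the firewall is on, which applications are in the exceptions list, and whether the Service Control Manager has logged SharedAccess terminating unexpectedly (event 7034).

```powershell
# Added example (not from the thread). Audits, on the local host, the
# conditions commenters list: is ICS enabled, is Windows Firewall on,
# what is in its exceptions list, and has the shared SharedAccess
# service been terminating unexpectedly.
# Assumptions: Windows XP SP2-era components, i.e. the 'SharedAccess'
# service ("Windows Firewall/Internet Connection Sharing (ICS)") and the
# HNetCfg.FwMgr / HNetCfg.HNetShare COM objects. Run from an
# administrator's Windows PowerShell prompt.

function Get-IcsFirewallAudit {
    [CmdletBinding()]
    param(
        # Days of the System log to scan for crashes of the service.
        [int]$LookbackDays = 7
    )

    $audit = [ordered]@{
        SharedAccessRunning = $false
        FirewallEnabled     = $null
        IcsSharingEnabled   = $null
        AuthorizedApps      = @()
        UnexpectedStops     = 0
        Findings            = @()
    }

    # 1. Service state. Firewall and ICS live in one service, which is why
    #    a crash of ICS takes the firewall down with it.
    $svc = Get-Service -Name 'SharedAccess' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $audit.Findings += 'SharedAccess service not found (not an XP-style host?)'
    } else {
        $audit.SharedAccessRunning = ($svc.Status -eq 'Running')
    }

    # 2. Firewall state, read through the same COM object the thread's
    #    VBScript snippet writes to. Also list enabled exceptions, since
    #    commenters note malware adds itself there.
    try {
        $fwMgr   = New-Object -ComObject 'HNetCfg.FwMgr'
        $profile = $fwMgr.LocalPolicy.CurrentProfile
        $audit.FirewallEnabled = [bool]$profile.FirewallEnabled
        if (-not $audit.FirewallEnabled) {
            $audit.Findings += 'Windows Firewall is disabled on the current profile'
        }
        foreach ($app in $profile.AuthorizedApplications) {
            if ($app.Enabled) { $audit.AuthorizedApps += $app.ProcessImageFileName }
        }
    } catch {
        $audit.Findings += "Cannot read firewall state: $($_.Exception.Message)"
    }

    # 3. Is any connection shared (ICS enabled)? Uses the INetSharingManager
    #    interface exposed by HNetCfg.HNetShare.
    try {
        $shareMgr = New-Object -ComObject 'HNetCfg.HNetShare'
        $shared = $false
        foreach ($conn in $shareMgr.EnumEveryConnection) {
            $cfg = $shareMgr.INetSharingConfigurationForINetConnection($conn)
            if ($cfg.SharingEnabled) { $shared = $true }
        }
        $audit.IcsSharingEnabled = $shared
        if ($shared) {
            $audit.Findings += 'ICS is enabled: this host is the LAN gateway the article describes'
        }
    } catch {
        $audit.Findings += "Cannot enumerate ICS configuration: $($_.Exception.Message)"
    }

    # 4. Detection: Service Control Manager logs event 7034 when a service
    #    terminates unexpectedly. Count the ones naming SharedAccess.
    try {
        $since = (Get-Date).AddDays(-$LookbackDays)
        $stops = Get-EventLog -LogName System -Source 'Service Control Manager' `
                              -After $since -ErrorAction Stop |
                 Where-Object { $_.EventID -eq 7034 -and
                                $_.Message -match 'SharedAccess|Internet Connection Sharing' }
        $audit.UnexpectedStops = @($stops).Count
        if ($audit.UnexpectedStops -gt 0) {
            $audit.Findings += "SharedAccess terminated unexpectedly $($audit.UnexpectedStops) time(s) in the last $LookbackDays days; compare timestamps with network activity"
        }
    } catch {
        $audit.Findings += "Cannot read System event log: $($_.Exception.Message)"
    }

    if ($audit.IcsSharingEnabled -and $audit.FirewallEnabled -and $audit.SharedAccessRunning) {
        $audit.Findings += 'Firewall and ICS share one service: a stop of ICS also stops the firewall'
    }

    [pscustomobject]$audit
}

Get-IcsFirewallAudit | Format-List
```

A non-empty UnexpectedStops count with ICS enabled is the signal the svchost comment is looking for; an exceptions list with image paths you do not recognise is the thing the "malware just writes a few registry keys" comment warns about, and is worth comparing against a known-good baseline rather than eyeballing once.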
If firewalls are a sign of weakness, why does Linux come with a firewall built-in?
I guess you never use dialup? Dialup users get screwed on this bug, yet again.
Oh You POS
I think that's cool, the stupid firewall that comes with XP causes more problems than I can count AND it always turns itself back on! Something to turn it off and keep it off would actually be a plus.
If closed the mind be, so then the mouth should follow.
Thank goodness Vista will lock out third-party firewall software, and prevent these kinds of problems.
Oh, wait...
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Who the hell uses ICS anymore? I used ICS once when I was on dialup. I quickly wired another phone line to my second PC and learned to live without concurrent connections. Dialup is fast on its way out anyway.
"If your parents never had children, chances are you won't either." -Dick Cavett
Sounds to me like part of trusting proprietary software to do a good job with security. Uninspectable, unmodifiable, unsharable software shouldn't be trusted to perform securely. You need software freedom.
Digital Citizen
I, for one, welcome our new Windows Firewall pwning overlords.
Seriously though, Windows Firewall is great for very general and basic protection, but it serves no match to free and more efficient [zonelabs.com] firewall software that is actually easier and more understandable to the user.
None of these software firewalls are of any use as they can be disabled by the next exploit. What is needed is a firewall running on standalone embedded hardware. Of course with the use of RPC over HTTP and SOAP, a firewall is of limited use in this day and age.
davecb5620@gmail.com
And in other (non)news, a man unlocked his security door, invited a stranger into his home, and then that stranger then mugged him.
Why does open source hate our freedom?
Nobody uses Internet Connection Sharing (ICS) in Windows. Nothing to see here, move along.
I use Black Ice Defender.
In Windows, at least, there are class drivers for a variety of USB device classes.
Laws do not persuade just because they threaten. --Seneca
This article is so worthless that I got around 15 full replies and 250 abrev.
... because the Windows "firewall" isn't a firewall.
I don't think Windows firewall is less secure just because a registry hack can turn it off. In order to perform that hack, malware has to be on the computer. The purpose of the Firewall is to keep malware off the computer. As long as it (and Windows Defender and a decent Antivirus program) are running on the computer, the malware won't be there.
On the other hand, third party firewalls tend to cause all kinds of problems for inexperienced users. Since Windows Firewall is ubiquitous, applications know how to play well with it (the flip side of the "all malware attacks it" scenario). Plus, if anything bad happens, you get to bitch about Micro$oft, and you'll get lots of sympathy. Who feels sorry for ZoneAlarm users these days?
It's a bonehead security vulnerability from Micro$oft (Again!), but it only affects a trivial number of users, and hasn't been exploited, probably because of the trivial number of targets. I don't think it is worth going ballistic over.
I'm a lot more worked up over the upcoming EULA restrictions coming up in Windows Vista. Looks like they're going to restrict how many times it can be reinstalled, and potentially, what kinds of upgrades they're going to allow you to make to your computer without paying for a new Vista license.
Fundamentalism is a crime against humanity