Larry Osterman's WebLog

Confessions of an Old Fogey

XP SP2 Craters

So the newswires and forums are buzzing about this reported security flaw in XP SP2. Essentially they are complaining that the Security Center in SP2 uses WMI to store its metadata and an administrator can modify the metadata to convince the user that they’re protected when they’re not.

In the original eWeek article, Microsoft’s response is quoted as:

"In SP2, we added functionality to reduce the likelihood of unknown/devious applications running on a user's system, including turning Windows Firewall on by default, data execution prevention, attachment execution services to name a few. To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack – no WSC is necessary."

"Windows Security Center, found in the Windows XP Control panel, provides customers the ability and makes it easier to check the status of these essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure."

In other words, if you’re running as an administrator, you can run an application that can mess up your computer.  Yup, but if you’re running as an admin and you’re running untrusted code then IMHO, spoofing the security center is the LEAST of your problems – the application that spoofed the security center could also have installed a rootkit on your machine, and at that point, the bad guys own your computer.

Mike Dimmick also has an excellent rebuttal to the original eWeek article.
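To make the point concrete, here is a check I've added for this post (it is not from the eWeek article, from Microsoft, or from Mike's rebuttal). It reads the root\SecurityCenter WMI data the article is talking about, but instead of taking that at face value it asks the firewall itself and the service controller what state they are in, and it says whether the current account is an administrator, which is the one situation in which that WMI data can be rewritten by anything you run. The root\SecurityCenter2 namespace, the MpsSvc service name and the productState property are the Vista-and-later equivalents, included only so the script also runs on a current machine; decoding productState is deliberately left out.

```powershell
# Added example (not from the post): compare what Windows Security Center
# publishes through WMI with what the firewall and the service controller
# actually report, then note whether this account could have changed the
# WMI data in the first place.

function Get-WscFirewallProducts {
    # XP SP2 publishes FirewallProduct instances in root\SecurityCenter;
    # Vista and later use root\SecurityCenter2. Return the first namespace
    # that yields any instances (third-party products register here).
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        $products = Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction SilentlyContinue
        if ($products) {
            return @($products | ForEach-Object {
                [pscustomobject]@{
                    Namespace    = $ns
                    DisplayName  = $_.displayName
                    Enabled      = $_.enabled        # XP SP2 boolean; $null on SecurityCenter2
                    ProductState = $_.productState   # SecurityCenter2 bitfield; $null on XP SP2
                }
            })
        }
    }
    return @()
}

function Get-BuiltinFirewallEnabled {
    # Ask the built-in firewall directly through the HNetCfg.FwMgr COM
    # object (present since XP SP2). This path does not touch the WMI
    # repository, so it is an independent source of truth.
    try {
        $mgr = New-Object -ComObject HNetCfg.FwMgr
        return [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
    } catch {
        return $null
    }
}

function Get-FirewallServiceState {
    # The built-in firewall runs inside 'SharedAccess' on XP SP2 and
    # 'MpsSvc' on Vista and later; report whichever exists.
    foreach ($name in 'SharedAccess', 'MpsSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { return [pscustomobject]@{ Service = $name; Status = $svc.Status } }
    }
}

function Test-CurrentUserIsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$wmiProducts    = Get-WscFirewallProducts
$builtinEnabled = Get-BuiltinFirewallEnabled
$service        = Get-FirewallServiceState

Write-Host 'Security Center WMI data (root\SecurityCenter*):'
if ($wmiProducts.Count -gt 0) {
    $wmiProducts | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host '  no FirewallProduct instances registered'
}
Write-Host "Built-in firewall (asked directly): enabled = $builtinEnabled"
if ($service) { Write-Host "Service controller: $($service.Service) is $($service.Status)" }

# Only the XP-style boolean is evaluated; a SecurityCenter2 product with an
# undecoded productState is treated as "unknown", not as "enabled".
$thirdPartyClaims = @($wmiProducts | Where-Object { $_.Enabled -eq $true })

if ($builtinEnabled -ne $true -and $thirdPartyClaims.Count -eq 0) {
    Write-Warning 'No firewall is actually enabled, whatever the Security Center dashboard shows.'
}
if ($builtinEnabled -ne $true -and $thirdPartyClaims.Count -gt 0) {
    # Coverage rests entirely on a WMI registration, which is exactly the
    # data an administrator-level process can rewrite; corroborate it.
    Write-Warning ("Firewall coverage is claimed only via WMI by '{0}'. Confirm that product's own service is running." -f $thirdPartyClaims[0].DisplayName)
}
if (Test-CurrentUserIsAdmin) {
    Write-Warning 'This session runs as Administrator: any program you run could rewrite the WMI data above, so that data confirms nothing on its own.'
}
```

The design point is the one the post makes: the WMI repository is a report, not a measurement. When the report and the direct queries agree you have learned something; when they disagree, or when the account can write the report, the report alone tells you nothing.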
  • Good Post Larry I do not get the point of the Supposed Security Flaw. I mean if someone gets into your computer at an admin level honestly security center is the least of your worries. My only complaint about security center is why didn't they put it under Administrative Tools. Took me forever to find it the other day when looking for it. Went to Admin Tools First, Then went to Computer Management (Not there either) Started looking around my start bar (Too Many Microsoft folders there anymore) Then as a last resort before building a quick application that opened a socket up just to get the firewall approval thing to pop up I decided to check control panel. And Yes I seriously thought about writing a quick app to force that to pop up.

    Do people really go to control panel for anything these days? I haven't really been in there in years, with all the right clicking I can do on My Computer and Network Hood and having Administrative tools added to my start bar. I guess I haven't been in there in a while and wasn't expecting it there.
  • Yes, people use the Control Panel. Especially if they're not running a server OS.
  • Yes, running as admin is a Bad Thing. And yes, spoofing the security center is probably the least of somebody's problems at that point.

    The real problem with this "security flaw" is that people will trust whatever the security center tells them. So, somebody runs as admin (XP Home pretty well guarantees this), has their system compromised by something which spoofs the security center.

    Now, not only do the bad guys own your computer, but you have your only authoritative source telling you that everything is OK.

  • Perhaps the security center should have a warning for when you're logged in as a user who could spoof the data being shown? Specifically, in addition to automatic updates, the firewall and antivirus info, include a "bar" for the current user that's colored red when logged in as an Administrator, and green when logged in as a regular User (or lower). Specifically checking to see if the logged in user can modify the Security Center WMI data would probably be more reliable, but you get the idea.
  • Why do you poo-poo this? Doesn't *every* *single* user of XP home get created by default as an admin???

    You can imply that running as admin is something only a lamer would do, but the default behaviour of the OS practically begs the user to run as admin. Is that their fault? If you think it is, you have no business coding for a consumer OS. IMHO.
  • Hey Larry,

    Any chance that you can do a post or otherwise recommend how to set up a system in such a way that the average developer can use it without logging in with Admin rights all the time?

    The choice of Administrator or Limited Access accounts from the Control Panel "easy" security settings screen is a little too coarse grained.
  • Simon,

    I've had good luck running as a User but adding Debugger rights. I had to modify my software to use HKEY_CURRENT_USER for the registry instead of HKEY_LOCAL_MACHINE, but I should have done that anyway.
  • Wmipy,
    The reason I poo-poo it is because the issue is that running as admin is the problem, NOT WMI.

    Think of it this way:

    You left your house and left the door wide open. Someone came into your house and changed the sheets on your bed. You didn't notice it because the bed was still made.

    Now then. Was there a vulnerability? Yes, someone was able to get into your house and change your sheets without letting you know about it. But the REAL problem wasn't that the sheets were changed. Instead it was that the front door was left wide open. Once they got through the front door, changing the sheets was the least of what they could have done.

    This "vulnerabilty" report is the same thing. They're reporting that if you're running as an admin, you can change someones sheets. It's true, but it's the least of what you could do.

    Once you're rooted, you don't own your computer, the bad guy owns your computer. Not only could they convince the security center that you're patched when you're not, they could also completely replace the security center with their own version and you'd never know it.

    THAT'S why I'm poo-pooing this "vulnerability".

    Also, as far as running as a non admin, there have been a number of good posts on weblogs.asp.net, and Mike Dimmick's post lists a couple of suggestions. I'm still trying to understand what works and doesn't work so I'm not ready to give advice yet :(
  • I like Microsoft technology and I am a happy Windows developer.

    When it comes to security, unfortunately Microsoft doesn't get it. Security is not just a technology problem, it is a perception problem. Be fair or not, Microsoft is held to a very high standard. Even if a home Windows user lands in a security problem by his own ignorant mistake, it's Microsoft's problem. Microsoft can either accept it or live in denial forever.

    This would be my advice to Microsoft :-)

    "Be Humble, You are that good"

    Good Luck!
  • GoodLuck: You're right, and you're wrong. The only thing that can possibly counter the perception problem is execution.

    Win2K3 and SP2 are the first steps towards executing on changing the perception problem. It'll be interesting to see if things change in the next six months or so.

    I don't think Microsoft's living in denial about the problem. On the other hand, if the press keeps on coming up with bogus vulnerabilities like this one, they don't do ANYONE a service.

    There ARE real vulnerabilities out there, we're human, and humans make mistakes. But XP SP2's all about either cutting those vulnerabilities off at the knees or limiting the damage that they can do.

    Articles like this one trumpeting made-up vulnerabilities can actually hurt people by convincing them that they shouldn't upgrade because XP SP2's no better than XP SP1. And that's just flat-out not true.

  • Mam
  • On the one hand I agree with Larry -- if you log in as admin and run random software, you've got to take some responsibility for your problems, EXCEPT:

    Buy a PC from a store. Get home, turn it on, run through the welcome bit, create your user account, etc. Guess what? It's an admin account. (The user is given no indication that there are even any different types of account unless they create new users afterwards, and if they get that far they'll rapidly learn that sometimes stuff doesn't work properly unless you've got an admin account.)

    Now download some software. Without you knowing, it spoofs the security center, kills the firewall, and opens a hole. However, Microsoft have been saying that SP2 is extra secure, XP is saying you're protected, so how's the average Joe going to know anything's amiss?

    The Security Center is a good idea in theory, but if users come to rely on it and run as admin (which they will) it may end up doing more harm than good...

    [ I wish there was a preview button on this thing -- it's very hard to proofread large blocks of text in this little box, and I can't be bothered with copying and pasting. I'm a busy man! :) ]
  • Simon,

    > how to set up a system in such a way that the average developer can use
    > it without logging in with Admin rights all the time?

    http://www.pluralsight.com/keith/book/html/howto_runasnonadmin.html
  • Follow-up of my previous comment here above:

    I admit the article doesn't quite answer Simon's question. Though it is interesting, it's not really a how-to :-(
  • I think it's especially difficult not to run as an Administrator on XP Home. You haven't got the Local Users and Groups MMC snap-in so you can't create new security policies or add yourself to the Power Users group or anything; the only choices you get are in the Users control panel applet, and that only gives you Limited and Administrator. Most people would find Limited far too restrictive, while they could probably live with Power User or something in between.

    Even if people are aware how to use RunAs to launch specific programs from their Limited account you still run into problems. If you install the program as administrator but run it as another user you run into problems since the setup has installed default configurations in the Administrator's user profile and not yours. Some programs have to be run at least once as an admin in each user profile you want to use them from. Changing the status of an account is messy since you have to log out and in again.

    More advanced users might be able to use Regmon and Filemon to identify where their programs are breaking, but XP Home doesn't have the security properties page to lessen the restrictions on specific files. The only option is to use cacls on the command line, which is far from intuitive.

    Expecting Home users not to run as administrator when you have removed all the tools they might use to even make that a possibility, is a bit far fetched.
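The cacls step in the comment above can be scripted, which takes some of the pain out of the "find where it breaks with Regmon/Filemon, then loosen exactly that" routine. The following is an added example (not from anyone in the thread) doing the same thing in PowerShell, the modern equivalent of the cacls command line: it grants one limited account write access to a single application's data folder and registry key rather than making the account an administrator. The account name, folder and registry key are constructed placeholders; substitute whatever Filemon and Regmon showed being denied.

```powershell
# Added example (not from the thread): scope write access to one app's data
# folder and registry key for a limited account instead of elevating the
# account. All names below are constructed placeholders.

$account    = "$env:COMPUTERNAME\LimitedUser"      # placeholder local account
$dataFolder = 'C:\Program Files\ExampleApp\Data'    # placeholder folder Filemon showed being denied
$regKey     = 'HKLM:\SOFTWARE\ExampleApp'           # placeholder key Regmon showed being denied

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Modify (not FullControl) on this folder and everything created under it;
    # the account can read, write and delete files but not change permissions.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-KeyWrite {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Read plus only the rights needed to create and set values under this key.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $rights, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-Access {
    param([string]$Path, [string]$Identity)
    # Print only the entries that apply to the account we just changed, so the
    # result can be eyeballed against what the program actually needed.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, RegistryRights, AccessControlType
}

# Run once from an administrator session; afterwards the limited account
# needs neither RunAs nor membership in Administrators to use the program.
Grant-FolderModify -Path $dataFolder -Identity $account
Grant-KeyWrite     -Path $regKey     -Identity $account
Show-Access -Path $dataFolder -Identity $account
Show-Access -Path $regKey     -Identity $account
```

The narrower the grant, the better: a program that only needs to write its own settings should get Modify on its own folder and SetValue on its own key, not Power User membership, and certainly not an administrator account.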