Security Flaws in Windows XP Service Pack 2
CSE 7339, 9/14/04. By: Saeed Abu Nimeh
Outline
Microsoft Introducing SP2
Collaboration with the industry
What’s New in SP2
Heise Security Advisory
Microsoft’s Response
References
Microsoft Introducing SP2
SP2 was originally expected in the first half of 2004; it slipped into the summer.
It was released to manufacturing on Friday, August 6, 2004.
Gates: “SP2 modifies less than 5 percent of the nearly 3-year-old operating system”.
Microsoft Introducing SP2
Gates: “SP2 is a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks.”
“It is the result of sustained investments in innovation and extensive industry collaboration.”
Collaboration with the industry
Windows Security Center: Symantec’s antivirus, firewall and intrusion prevention products work with SP2 and the new Security Center.
Data Execution Prevention: Intel, improving the security of the PC platform by pairing its Execute Disable (XD) bit with Microsoft’s DEP; AMD, DEP support on AMD Athlon 64 desktop and mobile processors (AMD’s NX bit).
Preloaded PCs: working with computer manufacturers Dell, HP and IBM to ship machines preloaded with SP2 beginning in September and October.
What’s New in SP2
SP2 reduces the most common attack vectors in four ways:
Network protection
Memory protection
More secure browsing
E-mail security and safer message handling
plus improved computer maintenance (patching).
Network Protection
Windows Firewall (the renamed Internet Connection Firewall, ICF) is now enabled by default on every interface. It starts very early in the boot cycle and stops very late in the shutdown cycle, closing the window in which the network stack was previously reachable with no filter in place. It gains Group Policy settings and IPv6 support.
Remote Procedure Call (RPC): new restrictions on who may reach RPC interfaces; remote anonymous (unauthenticated) RPC connections are refused by default, which removes the unauthenticated remote attack surface of many RPC services.
Distributed Component Object Model (DCOM): computer-wide restrictions to reduce the risk; by default only authenticated administrators can remotely activate and launch COM components.
The Messenger service (the service behind net send pop-ups, not the Windows Messenger chat client) is disabled by default.
Memory Protection
Data Execution Prevention (DEP) using the processor’s no-execute (NX) bit: every page in a process is marked non-executable unless it was explicitly mapped as code, so shellcode injected into a stack or heap buffer faults instead of running.
Hardware support was limited when SP2 shipped: AMD’s 64-bit K8 (Athlon 64 / Opteron) and Intel Itanium. On other processors SP2 falls back to software-enforced DEP, which only validates exception-handler dispatch and stops far fewer exploits.
Compiler-level protections (the slides call this sandboxing):
Stack: all system binaries were recompiled with the /GS buffer security check, which places a cookie between local buffers and the saved return address; the runtime checks the cookie on function return and terminates the process if a stack buffer overrun has overwritten it.
Heap: cookies were added to heap block headers so the heap manager can catch most heap buffer overruns before it trusts a corrupted block.
Both checks detect an overrun after the fact and only at the point of check; an overwritten pointer that is used before the function returns is not caught.
E-mail Security
Outlook Express blocks images and other external content in HTML mail by default, so a message can no longer phone home when it is merely previewed.
Mail can be viewed in plain-text mode.
Attachment Execution Service (AES): a single service, shared by Outlook Express, Windows Messenger and Internet Explorer, that decides whether an attachment or download may be opened. It looks at the file extension and can look up the application associated with a given MIME type and extension. It is also what stamps saved files with the Zone.Identifier alternate data stream (recording the zone the file came from) that the Heise advisory later exploits.
Secure Browsing
Add-on Management tool: view and control the list of add-ons (browser helper objects, ActiveX controls, toolbars) that Internet Explorer may load. It shows add-ons that were previously hidden and could be very difficult to detect.
Add-on Crash Detection: detects IE crashes caused by an add-on and offers the user the option to disable it.
Attachment Execution Service (AES) also gates IE downloads; ActiveX controls are no longer installed silently, IE shows the Information Bar and waits for the user instead.
Pop-up Manager: blocks pop-ups.
Computer Maintenance
Windows Update 5: scans for, downloads and installs only the critical and security updates.
Windows Installer 3.0: enhanced inventory functions that identify which patch components do and do not need to be downloaded; supports Microsoft’s delta compression technology, which makes patches smaller.
Heise Security Advisory
On August 13, 2004 Heise Security posted an advisory, “Flaws in SP2 security features”, by Jürgen Schmidt. It describes two flaws in the new zone-based attachment handling:
The cmd issue: the Windows command shell cmd.exe ignores zone information and starts executables without warnings.
Caching of ZoneIDs in Windows Explorer: Explorer does not update its cached zone information when a file is overwritten.
The cmd Issue
The command shell cmd.exe ignores the ZoneID of the file it is asked to start:
cmd /c evil.exe
cmd /c evil.gif
Both start without any warning, regardless of the file’s ZoneID: the executable runs, the document opens with its associated application.
Consequence: an e-mail attachment that Outlook Express refuses to open (the slides’ Access.gif) is still reachable once it has been saved to disk. It cannot be opened from the mail client or from Explorer, but it opens from cmd.
Windows Explorer caching of ZoneIDs
Windows Explorer caches the result of ZoneID lookups. If a file is overwritten, Explorer does not update the cached entry to reflect the new ZoneID, so the replacement is treated as if it still had the old one.
This allows spoofing of a trusted or non-existent ZoneID: overwrite a file that has a trusted ZoneID (or no Zone.Identifier stream at all) with a file that carries an untrusted one.
Windows Explorer caching of ZoneIDs
Step 1. Copy notepad to a new file:
> copy c:\windows\notepad.exe test.exe
Open test.exe in Explorer: no warning (the copy has no Zone.Identifier stream).
Step 2. evil.exe is a file saved from an e-mail attachment and has ZoneID=3 (Internet zone). Check by opening the alternate data stream "evil.exe:Zone.Identifier" in an editor: it shows ZoneId=3.
Open evil.exe in Explorer: you are warned.
Windows Explorer caching of ZoneIDs
Step 3. Overwrite the copy of notepad.exe:
> copy evil.exe test.exe
test.exe:Zone.Identifier now shows ZoneId=3; copy preserves alternate data streams, so the mark travels with the data.
Step 4. Open test.exe in Explorer: no warning! test.exe is launched despite its ZoneID=3. In the file properties, Explorer shows the correct notice about its origin, but for opening the file the stale cached ZoneID status is used.
Step 5. Double-check: kill the Explorer task, restart it, and launch test.exe: now you are warned, because the rebuilt cache reads the stream afresh.
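Worked example, added to these slides and not part of the Heise advisory or the original talk: the Zone.Identifier stream mechanics behind both flaws (the cmd issue and the Explorer cache), reproduced with PowerShell 3.0 or later on an NTFS volume. The stale-cache behaviour itself was in XP SP2’s Explorer; what the script shows on any NTFS system is how the mark is written, how it survives a copy, and how to audit for it without relying on the shell. The directory and file names (zone-test, test.exe, evil.exe) are my own choice, and evil.exe is a copy of calc.exe so nothing harmful is ever launched.

```powershell
# Added example (not from the slides or the Heise advisory). Requires PowerShell 3.0+,
# which introduced the -Stream parameter on Get-Content, Set-Content and Get-Item,
# and an NTFS volume, since FAT has no alternate data streams.
# Names below (zone-test, test.exe, evil.exe) are assumptions of this example.

$work = Join-Path $env:TEMP 'zone-test'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Location $work

# Step 1: a local copy of notepad.exe. It carries only the unnamed ::$DATA stream,
# so there is no mark of the web and the shell has nothing to warn about.
Copy-Item "$env:windir\notepad.exe" .\test.exe -Force
Get-Item .\test.exe -Stream * | Select-Object Stream, Length

# Step 2: build a stand-in for a file saved from an e-mail attachment by writing the
# same Zone.Identifier stream that Outlook Express and IE write when they save a file.
# ZoneId=3 is the Internet zone; 4 would be Restricted sites.
Copy-Item "$env:windir\system32\calc.exe" .\evil.exe -Force
Set-Content -Path .\evil.exe -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-Content -Path .\evil.exe -Stream Zone.Identifier -Raw

# Step 3: overwrite test.exe with evil.exe. The Win32 CopyFile API behind Copy-Item
# (and behind cmd's copy) preserves alternate data streams, so ZoneId=3 travels with
# the data, exactly as the advisory's "copy evil.exe test.exe" step shows.
Copy-Item .\evil.exe .\test.exe -Force
Get-Content -Path .\test.exe -Stream Zone.Identifier -Raw

# Step 4: the check a defender wants instead of trusting a shell's cached verdict:
# read the stream itself for every file under a root and report anything marked
# Internet (3) or Restricted (4), whether or not a warning would have fired.
function Get-MarkedFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
        if ($zone -and $zone -match 'ZoneId=([34])') {
            [pscustomobject]@{ File = $_.FullName; ZoneId = [int]$Matches[1] }
        }
    }
}
Get-MarkedFiles -Root $work | Format-Table -AutoSize

# Step 5: clearing the mark deliberately. Unblock-File does what the Unblock button in
# the file's Properties dialog does: it deletes the stream rather than editing it.
Unblock-File -Path .\test.exe
Get-Item .\test.exe -Stream * | Select-Object Stream, Length
```

Step 4 is the useful takeaway: the stream is the ground truth, and any tool that caches the lookup (Explorer in the advisory) or skips it (cmd.exe) can be wrong about a file, so an audit should open `file:Zone.Identifier` directly as the slides do with an editor.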
Microsoft’s Response
"We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."
References
Wired News, “Microsoft Releases Service Pack 2”, http://www.wired.com/news/infostructure/0,1377,64514,00.html
Microsoft PressPass, “Microsoft Releases SP2 with Advanced Security Technologies to Computer Manufacturers”, http://www.microsoft.com/presspass/press/2004/aug04/08-06WinXPSP2LaunchPR.asp
Microsoft, “Windows XP Service Pack 2 Overview”, white paper, February 2004
“Windows XP Service Pack 2”, http://www.updatexp.com/windows-xp-service-pack-2.html
Steve Friedl, “Analysis of Microsoft XP Service Pack 2”, http://www.unixwiz.net/techtips/xp-sp2.html
Heise Security, “Flaws in SP2 security features” (advisory by Jürgen Schmidt), http://www.heise.de/security/artikel/50051/0