Security Flaws in Windows XP Service Pack 2

CSE 7339 9/14/04By:Saeed Abu Nimeh

Outline

Microsoft Introducing SP2 Collaboration with the industry What’s New in SP2 Heise Security Advisory Microsoft’s Response References

Microsoft Introducing SP2 Microsoft releases a SP every year for

Win XP. It was supposed to be released in the

first half of the year. Friday, August 6, 2004 SP2 was

released. Gates: “SP2 modifies less than 5

percent of the nearly 3-year-old operating system”.

Microsoft Introducing SP2

Gates: “SP2 2 is a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks“.

“It is the result of sustained investments in innovation and extensive industry collaboration.“

Collaboration with the industry Windows Security Center:

Symantec: Antivirus, Firewall and Intrusion Prevention security solutions are compatible with SP2.

Data execution prevention: Intel: Improve security PC platform by Execute Disable

Bit and Microsoft's Data Execution Prevention AMD: Support for AMD Athlon 64-bit desktop and

mobile processors Preloaded PCs: Working with computer

manufacturers: Dell, HP and IBM to ship machines preloaded with SP2 beginning in September and October.

What’s New in SP2 SP2 reduces the most common

attack vectors four ways: Network protection Memory protection More secure browsing E-mail security and Safer message

handling Improved computer maintenance

Network Protection Windows Firewall (Internet Connection Firewall-

ICF): Is enabled by default. The firewall turns on very early in the system boot

cycle, and turns off very late in the shutdown cycle. Enhanced Group Policy settings to support IPv6.

Remote Procedure Call (RPC): Permissions to block services.

Distributed Component Object Model (DCOM): Restrictions to reduce the risk, only authenticated

administrators can remotely activate and launch COM components.

Disabling the Windows Messenger Service by default

Memory protection Execution Protection (NX)

Marks all memory locations in a process as non-executable unless the location explicitly contains executable code.

Only processors that support NX are the 64-bit AMD K8 and Intel Itanium.

Sandboxing: Stack: All binaries in the system recompiled with

buffer security checks “enabled” to allow the runtime libraries to catch stack buffer overruns,

Heap: "cookies" have been added to the heap to allow the runtime libraries to catch most heap buffer overruns

E-mail security

New Outlook Express to block images and external content in HTML email.

View email in plain text mode Attachment Execution Service (AES)

It looks at the file extension. It can look up the associated application

for a given MIME type and file extension

Secure browsing Add-on Management Tool

View and control the list of add-ons that can be loaded by IE.

Shows the presence of some add-ons that were previously not shown and could be very difficult to detect.

Add-on Crash Detection: Detect crashes in IE that are related to an add-on,

and gives the user the option to disable add-ons Attachment Execution Service (AES) Can not view ActiveX script in IE. Pop-up Manager: Block Pop-ups

Computer Maintenance Windows Update 5

Scan for, download, and install only the critical and security updates

Windows Installer 3 Enhanced inventory functions that

identify what patch components do and don't need to be downloaded,

Supports Microsoft's “delta compression” technology, which makes patches smaller

Heise Security Advisory August, 13, 2004 Heise Security posted

an advisory “Flaws in SP2 security features” by Jürgen Schmidt

There are two flaws: a cmd issue: The Windows command shell

cmd ignores zone information and starts executables without warnings.

The caching of ZoneIDs in Windows Explorer: Windows Explorer does not update zone information properly when files are overwritten.

The cmd Issue The command shell cmd.exe ignores the

ZoneID of files: cmd /c evil.exe cmd /c evil.gif

Execute the files without warning, regardless of its ZoneID

Email with an attachment Access.gif You can not access it, unless its opened

from cmd

Windows Explorer caching of ZoneIDs Windows Explorer caches the result of

ZoneID lookups. If a file is overwritten, Explorer does

not properly update this cached information to reflect the new ZoneID.

This allows spoofing of trusted or non-existant ZoneIDs by overwriting files with trusted or non-existent ZoneIDs.

Windows Explorer caching of ZoneIDs Copy notepad to a new file.

> copy c:\windows\notepad.exe test.exe Open test.exe in Explorer: no warning. evil.exe is a file saved from an e-mail

attachment and has ZoneID=3. Check with your editor by opening

"evil.exe:Zone.Identifier". It displays: ZoneID=3

Open evil.exe in Explorer: you will be warned.

Windows Explorer caching of ZoneIDs Overwrite the copy of notepad.exe:

> copy evil.exe test.exe test.exe:Zone.Identifier displays: ZoneID=3

Open test.exe in Explorer: no warning! test.exe is launched without warning despite

of its ZoneID=3. In the file properties, Explorer shows the

correct notice about its origin, but for opening the file the old ZoneID-status is used.

Doublecheck: Kill the Explorer task, restart it and launch test.exe: you will be warned.

Microsoft’s Response "We have investigated your report, as we do

with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."

References Wired News, Microsoft Releases Service Pack 2, URL:

http://www.wired.com/news/infostructure/0,1377,64514,00.html

Microsoft Press, Microsoft Releases SP2 with Advanced Security Technologies to Computer Manufacturers, URL: http://www.microsoft.com/presspass/press/2004/aug04/08-06WinXPSP2LaunchPR.asp

Windows XP Service Pack 2 Overview, White Paper, February 2004

Windows XP Service Pack 2, URL: http://www.updatexp.com/windows-xp-service-pack-2.html

Steve Friedl, Analysis of Microsoft XP Service Pack 2, URL: http://www.unixwiz.net/techtips/xp-sp2.html

Heise Security Advisory, URL: http://www.heise.de/security/artikel/50051/0