New Windows Attack Can Disable Firewall

BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."

Not that big a deal, but still.

[Grendel Drago]

Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?

Re:

[RLiegh]

>Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway?

Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.

Re:

[@madeus]

Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.

None of those things require Internet Connection Sharing, and I would argue it's not even the easiest or most common way to achive them. Virtually anyone with a consumer DSL offering can just plug their computers (or printers, or network storage devices) right into one of the RJ45

Re:

[Kangburra]

It was useful on Windows 98 when so many people were limited to using modems for internet access

...and once again the US assumes everyone else in the world has DSL and 4 port modems.

Hello, a lot of people still use 56K modems to connect to the net. The biggest ISP's in Australia supply a USB only DSL modem when you sign up. These people rely on ICS.

Is Telstra not one of the biggest?

[N Monkey]

The biggest ISP's in Australia supply a USB only DSL modem when you sign up.

My parents signed up with Telstra and were offered either a free USB or a (single port) ethernet modem. Naturally, I told them to choose the latter.

Re:

[Kangburra]

and had your parents not asked you what would they have got?

Re:

[N Monkey]

Given that
(a) My brother has a Mac (so USB drivers might not exist) and
(b) my parents had an "ancient" laptop (now deceased) at the time,
  they might still only have had the option of ethernet anyway. I must admit, I was pleasantly surprised that there was the choice.

Re:

[Kangburra]

What used to really annoy me, was people with USB and ethernet on their modem who had (kindly) been set-up using the USB port by a mate (who knows about computers!).

Re:

[Mike89]

Why did that annoy you?

Re:Is Telstra not one of the biggest?

[Linker3000]

Eliza? That you?

OT

[hummassa]

Eliza? That you?

Do you want to talk about Eliza?

Re:

[araemo]

It isn't even really GOOD for mass storage devices. W/ USB 2.0 it's not BAD anymore, but it certainly isn't good at high-throughput synchronous IO. It's not bad for flash drives, as they tend to be slower anyways.

Re:

[@madeus]

...and once again the US assumes everyone else in the world has DSL and 4 port modems.

I'm not from the US, and FYI all the other countries in the developed world do pretty much all have broadband, with 4 port DSL modems (from the likes of Negear, Zyxcel, etc.) being very much the norm.

Hello, a lot of people still use 56K modems to connect to the net.

Indeed, but those are not usually people with more than one computer - because people with more than one computer are the sort of people that will just get cab

Re:

[Kangburra]

unless they are in the sticks

Which is, of course, most of WA.

Re:

[Fred_A]

What's a WA ?

Re:

[Kangburra]

Western Australia.

Re:

[Fred_A]

Ah, right. Thanks.

Re:

[@madeus]

Which is, of course, most of WA.

Actually, the vast majority of people in WA (which, for it's size, has bugger all people in it to begin with) have access to broadband in the form of DSL or Cable.

Re:

[walt-sjc]

Personally, I dumped the Telco supplied POS DSL modem and got a Sangoma S518 PCI card. Best thing ever. Can do full rate QOS (since you eliminate the "Huge Buffer of Doom") and syncs at a higher rate than the crappy Westell modem. Not sure if they work in AU, but it's worth looking into.

Re:

[jacksonj04]

Do like we did and get an integrated box (Though it only works for DSL). Modem, 4-port router and WiFi hub all in one. Fewer cables for the win! It's true that all 4 ports on the router are used, mostly out to full switches...

Re:

[@madeus]

I can tell you for damn sure my modem only has 1 RJ45. The router has 4 out though. Shouldn't mix up hardware components like that.

I'm not mixing up hardware, but you are. Units like the Netgear DG834 (with comparible systems from Zyxel, Actiontec, etc) are all DSL modems with 4 Ethernet ports and in the US, Europe and Australia providers are shipping the same gear. They are typically switches not hubs though.

It's almost exclusively cable providers that provide systems with only one RJ45 port (and typicall

MS Cluster Service = ICS

[terminal.dk]

Please see here:
http://isc.sans.org/diary.php?storyid=1809 [sans.org]

MS Cluster Service will not work without ICS running, it is used for internal NAT handling.

So the problem is much more widespread than small LANs using ICS.

outside!

[leuk_he]

according to this sans article [sans.org] the DOS attacks comes from outside.

If i understand it is with a corrupted DNS reply packet.

Re:

[Lagged2Death]

...who runs ICS anyway?

0.1% of Windows desktops is still a lot of desktops.

What can you trust?

[RLiegh]

If the graphics applications you use require windows, and all of the major firewall vendors are bloated (symantec), worthless (keiro) or both (macaffee) then what can you do?

Re:What can you trust?

[oGMo]

A few things:

• Keep all your broken (Windows) boxes in a heavily-firewalled subnet (and make sure the firewall is something secure, i.e., not Windows)
• Don't put the broken box on the network at all
• Run your app in a VM
• Find a new app

Re:

[rainman_bc]

Don't put the broken box on the network at all

lol, that's what I keep telling the security guy in my office :) The only way to make sure your network is 100% secure is to pull all the patch cables... I think we might be able to push him over that tipping point now ^_^

Re:

[jonwil]

Having the machines behind a NAT router should stop a lot of attacks. And if that isnt enough, find a NAT router with a built in firewall (or add an extra firewall appliance such as a old PC with linux on it)

I have yet to see a windows based firewall that doesnt suck.

Re:

[kjart]

Having the machines behind a NAT router should stop a lot of attacks. And if that isnt enough, find a NAT router with a built in firewall (or add an extra firewall appliance such as a old PC with linux on it)

Seems like good advice - no matter what your OS is. Not much to pay for another (solid) layer of security, and the second option is a nice way to recycle old PCs.

Re:

[orpheus_okt]

worthless (keiro)

Uh... Is there something I missed in the last weeks/months? No, I'm not implying that I heard exactly the opposite, but it sounds like there are serious security holes in the old Kerio firewall although I was always convinved it's still one of the better free ones out there. And I really must have missed the news then...

Up to now, I was sticking to Kerio on Windows. Especially because of its rather powerful options to filter single applications, addresses, ports and plenty of other manually

Re:

[zerojoker]

I can't think of any reason why Kerio - or the new Sunbelt Kerio PF should be not effective.
I mean blocking applications from within is always a problem (for every Firewall) and it has been shown that there's always a method of sending data out (no matter which vendor), however I think Kerio is still quite effective on blocking incoming traffic

Re:

[thelost]

I've heard nothing bad about Kerio and as far as I'm concerned it's fine. Personally I recently switched to Outpost Firewall and am very impressed, plus it's got an active user community [outpostfirewall.com] which i always look for when deciding whether to take up a product.

Re:

[Alarash]

You use an IPS/IDS appliance that goes up to level 7.

Re:What can you trust?

[gbobeck]

You use an IPS/IDS appliance that goes up to level 7.

For extra effectiveness, make sure your level 7 IPS/IDS appliance is armed with nothing less than a +3 Sword of Packet Smiting.

Re:

[ConceptJunkie]

I block DOS attacks with Bigby's Interposing Hand.

Re:What can you trust?

[pedestrian crossing]

You use an IPS/IDS appliance that goes up to level 7.

Mine goes up to 11.

Re:

[Alarash]

Aah, you all know I meant layer 7 not level, stop making fun of me because I posted before my 3rd coffee.

Re:

[EvilIdler]

You can use Outpost (firewall+spyware protection)m or Norman (all that and good antivirus).

Re:

[rufusdufus]

This is the only truly safe thing you can do: repartition and format your drive and reinstall with the internet disconnected. You can also install firewalls et al other people on this thread are suggesting. Install and configure your main applications. Then, make a image* of the drive.
When you use your computer for important stuff, save your data to external drives.
Then every few days, restore the image. Once you've learned how to do it it will take about 5 minutes which is actually quite a bit faster th

Re:

[master_p]

I use ZoneAlarm by ZoneLabs...it is the best software firewall for Windows. The first thing I do when I do a fresh Windows install is to disable the Windows Firewall and install ZoneAlarm...

Re:

[ben there...]

Objectively, ZoneAlarm has done very well in Gibson Research Corp's [grc.com] tests. The Shield's Up online test available from that page has come back with all "cloaked" responses on all ports, meaning your computer doesn't even identify that it is there, in contrast to other firewalls that return a "blocked" message. GRC's latest test appears to be LeakTest, and ZoneAlarm has passed that test since its creation [grc.com]. Others have caught up, but ZoneAlarm is definitely, objectively, among the best personal firewalls.

Re:

[megaditto]

Well, how many home users have a second PC with 2 NICs, and know how to configure it as a NAT/firewall server?

For the absolute majority of home windows users, a software firewall is the only viable option. And if MS did their job, that would be the only solution they would need.

Re:

[Jessta]

You don't need a firewall. Just disabled the network services that you aren't using.

Re:

[walt-sjc]

Advice like that is why we have a major botnet problem.

Your choices

[BeeBeard]

You have a few options:

1. Run Windows natively but unplug your CAT-5 cable or disable your networking devices under the device manager. Having no internet access under Windows fixes this and many other problems nicely.

2. Are you really sure that the graphics applications you use require Microsoft Windows? I think that you would be very surprised by how good the support is for most Adobe products, including Photoshop, using WINE. [winehq.com]

3. Run Windows and your graphics applications in a virtual environment using V [vmware.com]

Re:

[couchslug]

Not rely on software firewalls?

I've run Freesco and later MonoWall firewalls on mostly-free hardware (Asus P255T2P4/128MB/P233 with super-glued passive heatsink) almost 24/7 since 1999. Neither have been difficult to set up, and Freesco is very noob-friendly. Freesco needs minimal resources and will even run on a 486.
Both have performed with boring, appliance-like reliability. I run from a Compact Flash card in an IDE adapter instead of a hard disk. Those parts are dirt cheap nowadays.

http://www.freesco.or [freesco.org]

Please explain me...

[Anonymous Coward]

What those engineers were thinking? A data package, the thing a firewall is filtering to some point, can disable the firewall? Who thought it would be a nice feature to have that?

"We need a firewall of our own!"
"Why?"
"To keep our monopoly; those firewall and antivirus companies are making money that should be in our pockets."
"But antitrust..?"
"We say it's because we want to have a secure system, it should've been in the first place. Those companies have no case! >:D"
"But even we cannot access their

Because, of course, Windows Firewall is awesome!

[Channard]

I never used Windows Firewall on my PC - I used Zonealarm or Tiny Personal Firewall. Why? Because given how many security holes XP had - and probably still has - I wouldn't trust my security to it. And lo and behold, here we are.

Re:

[MtViewGuy]

The fact that ZoneAlarm can do bi-directional firewall control is the reason why I don't use Windows' own incoming-block only firewall.

Re:

[ben there...]

Considering the number of security alerts concerning ZoneAlarm compared to the ones concerning Windows Firewall I would not be so proud...

Yeah because there are so [secunia.com] many [secunia.com] vulnerabilities [secunia.com] in ZoneAlarm. </sarcasm>

Not as bad as it sounds

[DavidD_CA]

So for this attack to work, according to the article...

1) The attacker has to be on the LAN already, or executing code from a PC on the LAN

2) The LAN has to be connected to the internet through a PC using ICS, and

3) There can be no external firewall device such as a router sitting between the LAN and the internet

While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.

Re:

[bazorg]

so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.Exactly what I thought.. when I'm already in the LAN I want to attack I use a sledgehammer not these computer thingies.

Re:

[gad_zuki!]

Not to mention, by default, windows firewall allows local segment traffic onto ports 135-139. So if the cracker wants to brute force the shares he doesnt even need to take down the firewall.

Internet Connection Service?

[Red_Deth]

The exploit depends on the use of Microsoft's Internet Connection Service.

Is ICS not Internet Connection Sharing?

Microsoft change the definitions to suit

[Centurix]

When they advertise that XP installations come with a firewall, they in fact mean that XP installations come installed with a wall of fire. The EULA clearly states that, somewhere near the bottom next to the pictures of cats and the sudoku puzzles, because no-one ever reads that far...

Wait, wait, wait

[kjart]

Windows has a firewall?

....sorry, please continue :)

If they use ICS, then they deserve it!

[www.sorehands.com]

Come on people. Routers are cheap. It is better to use a hardware router instead of a Windows machine as a router. At home, I run a 300MHz Pentium II as a router. At the office, a router is used.

Everyone knows Windows is insecure. It only costs $30/$40 for a router. $29 for a D-Link DI-704P 4-Port Cable/DSL Router at outpost.com

Why Does Windows Get All the Press?

[RAMMS+EIN]

Why does Windows get all the press? It's not fair! I want to see some coverage of stupid holes in Linux and the free BSDs!

Suddenly noone is using wireless?

[db32]

So I see dozens of comments about "Its no big deal, you have to be on the lan". Am I the only one that hasn't forgotten how common wireless networks are and how trivial it is to gain access to most of them?

Re:

[walt-sjc]

Most people with home wireless lans use wireless routers with the built-in firewall instead of an access point, switch, and a PC with ICS, so I wouldn't expect wireless networks to be a major issue in this specific issue.

Re:

[walt-sjc]

Why would you be using ICS if you are logged on to a wireless router?

Exactly.

Bingo!

[KwKSilver]

Hey mods, mod parent up.

Software firewalls suck

[Shados]

I feel for people who have no other options, but... software routers suck. That they are made by microsoft or anybody else. Hardware firewalls for the win. (which I guess in the end ARE just embedded softwares...still better at the end of the day)

It's a matter of acting reasonably

[gelfling]

Sure you could build your own firewall appliance and shove it in a DMZ on your home LAN. And you could implement hardware dongles for wireless. And you could sandbox everything and so on and so on and so on.

But is that reasonable? Do you really have content on your machines that's so valuable that it has to be preserved at all costs? Is it really worth the time, effort and money to do so? Did you remember to back it up? People should take reasonable precautions such as a good software firewall, a real time

Re:

[burnin1965]

Sure you could build your own firewall appliance and shove it in a DMZ on your home LAN. And you could implement hardware dongles for wireless. And you could sandbox everything and so on and so on and so on.

But is that reasonable? Do you really have content on your machines that's so valuable that it has to be preserved at all costs? Is it really worth the time, effort and money to do so? Did you remember to back it up?

I tried backing up the cash I keep in my online banking account just in case my Windows b

No news today

[Opportunist]

The MS firewall has never been secure. For a few reasons completely unrelated to the current bug.

1. It's configurable via the registry. I.e. write a few keys into the registry and your application has all rights to come and go as it pleases. And that's what malware usually does.

2. Its "warning" windows have a standard window handle and can thus be intercepted by programs and answered "correctly". Another standard tactic of malware.

3. It's attacked by every single halfway modern malware, since it's on every

Remember the average user

[UnknowingFool]

For this attack there has to be a number of factors in place, and most people here on /. seem to dismiss the likelihood of an attack because of these factors. But remember, the majority of the population aren't like people here.

1. Must be within the LAN
How many average joes run unsecured wireless? In my neighborhood that's lots of people.

2. ICS must be running
How many average joes have never even opened Services much less turned off unneccessary Windows services?

3. No other firewall is running.

Putting the "average joe" into perspective

[ratboy666]

And, laying blame properly.

When you buy a new computer, it comes with XP. On the hard disk. Without a manual. Really.

My nanny just bought an Acer laptop. It did come with a "quick start guide".

Nothing about security. Although XP does pop up a dialog asking you to install anti-something-ware software. And natters about using unencrypted wireless links.

So for you points 2 and 3, the vendors are to blame. For point 1? I believe that the warning that you are using an unsecured wireless connection is probably ju

How about a secure OS for a change?

[freeweed]

Yeah, instead of closing exploitable network ports, let's throw another layer in front of them! That's sure to be foolproof!

Bunched services

[PhotoGuy]

This is something about XP that really bothers me, and I consider a design flaw. Several services run together under each svchost.exe process. (Tasklist /svc will show them.)

I have something wrong with my system now, where one of those svchost processes (after while) dies with an unhelpful messages, killing a bunch of other services with it (including ICS/Firewall). They won't restart for me, either. I'm still in the process of disabling services and trying to identify the single one that is causing gri

Re:

[RLiegh]

>Too cheap to buy a free after rebate router?

Personally speaking; I just hate letting my old k6-2 sit around and gather dust. Some slackware and a little cut and paste from the NAT HOWTO and it makes a fine file serving/ICS machine.

Re:

[hcdejong]

The drawback of that approach is that you have yet another large box with noisy fans using 10 times the amount of power a router would use. But if you need a file server anyway...

Re:

[udippel]

Try Soekris (http://www.soekris.com/); for example.
Get the Soekris version from
http://www.zelow.no/floppyfw/download/floppyfw-3.0 /floppyfw-3.0.0/ [zelow.no]

No moving parts, no noise, less than 10 W.

Recommended.

Re:

[bigberk]

I've got a 200 MHz Pentium (also slackware) doing my NAT and firewalling ... easily handles 10 Mbps. I've read that even an ancient, free (100 MHz) linux router can do 50 Mbps. I think the best approach in layered network security is diversification of your defences; maybe a Linux or BSD router, but still have the desktop PCs run their own firewalls.

Re:

[bigberk]

That link is a bit off, try this for the blog [ncircle.com]

How do you know you've never gotten a virus?

[rufusdufus]

Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag. The question is: what is it that makes you think you've never had a virus/been compromised? You havent noticed anything? Perhaps McAffee or Norton didnt find anything so you assume you are clear? Sadly my friend, it is very possible your machine has been compromised by a virus or worm and you are simply unaware of it. The worst kinds of malware are not detected

Re:

[Orlando]

...in fact some are not even detectable in any way.

What rubbish, if it's on the machine it's detectable. May not be easy, but you'll find it eventually if you look hard enough.

Re:

[jimicus]

In theory, yes. But you'd need to reboot the OS into some kind of diagnostics otherwise you're asking the OS to attest to itself - and if it's been trojaned, you can't trust the OS because the first thing any sensible trojan will do is cover its own tracks.

In practise, if you want a 100% guarantee that any malware has been eradicated, the only solution is a rebuild.

Re:

[Fred_A]

Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag.

Yes, such as "Have you been using that Symantec crap again that took me hours to remove last time ?"

Re:

[ehrichweiss]

Sad but sooo very true...and funny.

Re:

[dc29A]

Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag. The question is: what is it that makes you think you've never had a virus/been compromised?

I use a few precautions on my Windoze machine.

- Have a virtual machine that runs a naked copy of XP for testing "suspicious" attchements.
- I use a virtual machine as my SSH server, if it's compromised, erase VM, rebuild from backup, patch or secure.
- I never use my PC under a

Re:

[AcidLacedPenguiN]

what? That's overkill!!! the only way I solve my virus/malware problems is by removing the hard drive and nuking it from orbit, it's the only way to be sure!

What are you talking about?

[140Mandak262Jamuna]

in fact some are not even detectable in any way.

Are you talking about viruses and worms that afflict computers or some kind mystic God? If they are not detectable in anyway, even you might be hosting malware and would not be aware of it. Right?

Re:

[Spacejock]

I turned mine off when I discovered it was blocking the winsock control even though I'd given the application USING the winsock control full access. It also slowed down email retrieval by a factor of ten. I tested it several times, firewall on and firewall off, and proved it to my own satisfaction. So, out the window with that particular feature.

Re:

[dc29A]

Does anyone actually leave windows firewall on anyways? Its one of the first things to go when I have to use windblows xp.

For friends and family (until recently) had no choice to leave it on but turned off. Computer browser stopped or simply wouldn't work and when Joe Clueless tries to access his pr0n^H^H^H^H^Hwedding pictures on other PC the Computer Browser service wouldn't access the other PC. For some reason firewall had to run (even if turned off) for Computer Browser to function properly. I think this

Re:

[Heembo]

Personal firewalls do not protect you against virus', anti-virus products do that. Personal firewalls protect your from hackers and worms, primarily. And good personal firewalls do egress filtering, which MS firewall does poorly at best.

Re:

[b100dian]

Personal firewalls protect your from hackers and worms
And also protects others from you:)

Re:

[spacefight]

A router does nothing to protect you from other hosts within the network.

Re:

[Anonymous Coward]

What makes you believe that a (home) router, which is a small microcontroller with some dedicated firmware running on it, will outperform a modern PC that has 10-20 times more CPU power available?

Re:

[KDR_11k]

Because you can't meaningfully implement NAT on a single-machine "network"?

Re:

[ajs318]

You've most probably been been buying crap routers. D-link, Belkin, Linksys, Netgear - for chuff's sake, they might as well be branded "Barbie (or Action Man) My First Router". Treat yourself to a nice ZyXel router, and you might forget you even have a router in your network.

Re:

[Propaganda13]

Actually, he's probably partly referring to the routers flooding their wireless connection which happens with Zyxel routers too.
http://www.tomsnetworking.com/lans_routers/charts/ index.html?chart=124 [tomsnetworking.com]
You set up a p2p like bittorrent that is willing to use a lot of simulataneous connections and it floods your router and your connection drops.
Of course, it does sound like a lot of routers(1 a month?) to go through so if he's returning a lot of dead routers, a possible power problem in the home is possible.

Re:

[ajs318]

The smaller ZyXel routers use a traditional transformer power pack with 12V AC output. Judging by the temperature rise, the on-board regulator is most probably a switched-mode type. I'd guess this would be quite tolerant of power surges, just with the presence of a mains transformer (hefty inductance; doesn't like rapidly-changing current). The "surge suppressor coils" found in cheap, switched-mode power packs are laughable. A well-designed power supply should fail safely and protect the connected equi

Re:

[Tim C]

As for the wireless stuff, well, that's too bad. But your computer already needs one connection to the wall to get its power. Will one more for data kill you?

No, but my girlfriend nearly did when I started laying bright yellow cat5 cable in the house...

Re:

[account_deleted]

Comment removed based on user account deletion

WRT65GL

[coder111]

I have a Linksys WRT54GL router (http://en.wikipedia.org/wiki/WRT54GL [wikipedia.org]). It uplinks via 36-54mbit (depending on conditions) wireless connection, and acts as a router for a network of ~10 computers with quite heavy p2p traffic. It is stable and rarely slows down. Of course, I run a custom linux firmware on top of it (HyperWRT Thibor, original firmware sucks quite bad).

Oh, and it cost me ~70 USD.

--Coder

How could you be this wrong?

[SanityInAnarchy]

How is this new?

RTFA. It's new because it is a specific attack that's just been discovered. If you still don't think it's new, look up the word "specific" in a dictionary and see if you can figure it out. Hint: No one is claiming that it's a new kind of attack.

Any attack worth its salt disables the firewall first thing.

The hell it does. Are you sure you know what a firewall is?

Most attacks these days would completely ignore the firewall, and look for a way around it. Once inside, the only point to disab

Re:

[jimicus]

Saying this is news is like telling people AIDs is linked to death.

You think that's bad? Recent research shows life is linked to death.

Re:

[cortana]

What's you point? That's only a problem if you can run that code as a non-administrator...

Re:

[Shadow99_1]

That's actually an issue that efects alot of free Firewalls in windows... They just can't handle the load from torrents very well and eventually fail or turn your computer into a slow POS and force you to restart... It's actually the reason I switched to using the crappy windows firewall, as it's the only firewall that only protects one way (which I know is a bad thing, but it's tracking a high number of inbound and outbound connections that causes the issue between most software firewalls and torrent softw