New Windows Attack Can Disable Firewall

BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."

Not that big a deal, but still.

Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?

Re:Is Telstra not one of the biggest?

Eliza? That you?

What can you trust?

If the graphics applications you use require windows, and all of the major firewall vendors are bloated (symantec), worthless (keiro) or both (macaffee) then what can you do?

Re:What can you trust?

A few things:

• Keep all your broken (Windows) boxes in a heavily-firewalled subnet (and make sure the firewall is something secure, i.e., not Windows)
• Don't put the broken box on the network at all
• Run your app in a VM
• Find a new app

Re:What can you trust?

You use an IPS/IDS appliance that goes up to level 7.

For extra effectiveness, make sure your level 7 IPS/IDS appliance is armed with nothing less than a +3 Sword of Packet Smiting.

Re:What can you trust?

You use an IPS/IDS appliance that goes up to level 7.

Mine goes up to 11.

Please explain me...

What those engineers were thinking? A data package, the thing a firewall is filtering to some point, can disable the firewall? Who thought it would be a nice feature to have that?

"We need a firewall of our own!"
"Why?"
"To keep our monopoly; those firewall and antivirus companies are making money that should be in our pockets."
"But antitrust..?"
"We say it's because we want to have a secure system, it should've been in the first place. Those companies have no case! >:D"
"But even we cannot access their systems anymore without logging our activity on our massive 'slave-farm'."
"We'll add a backdoor, so we can remotely disable it. Noone will ever find it >:)"
"Excellent..."

Microsoft's woes..

Bill: "We must delay Vista a few more weeks because Sam the janitor found that if he logged on exactly at 12am, the system would implode and cause a reinstall. Thank god for QC!"

Grunt: "Hey Bill, there is a bug in XP that can totally disable the firewall! How about making an SP3 for XP?"

Bill: "You obviously don't share my vision do you?"

Because, of course, Windows Firewall is awesome!

I never used Windows Firewall on my PC - I used Zonealarm or Tiny Personal Firewall. Why? Because given how many security holes XP had - and probably still has - I wouldn't trust my security to it. And lo and behold, here we are.

Not as bad as it sounds

So for this attack to work, according to the article...

1) The attacker has to be on the LAN already, or executing code from a PC on the LAN

2) The LAN has to be connected to the internet through a PC using ICS, and

3) There can be no external firewall device such as a router sitting between the LAN and the internet

While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.

Internet Connection Service?

The exploit depends on the use of Microsoft's Internet Connection Service.

Is ICS not Internet Connection Sharing?

"New?"

How is this new? Any attack worth its salt disables the firewall first thing. Saying this is news is like telling people AIDs is linked to death.

Microsoft change the definitions to suit

When they advertise that XP installations come with a firewall, they in fact mean that XP installations come installed with a wall of fire. The EULA clearly states that, somewhere near the bottom next to the pictures of cats and the sudoku puzzles, because no-one ever reads that far...

The Remedy

As it seems judging on the majority of the comments, the first thing an *experienced* user would do on an XP machine would be to deactivate the MS firewall and install a third party firewall.

But then again, which unexperienced user would set up a LAN with the - advanced I would say - specifications described in the article? So, no real need to patch there... I am suprised they ever found out about this thing. It is easy to forget that all these little Windows tools are for users that will do no more than the occasional browsing and multimedia playback.

For the record, I have iSafer always enabled .

Wait, wait, wait

Windows has a firewall?

....sorry, please continue :)

In Soviet Russia ...

... firewalls disable you.

If they use ICS, then they deserve it!

Come on people. Routers are cheap. It is better to use a hardware router instead of a Windows machine as a router. At home, I run a 300MHz Pentium II as a router. At the office, a router is used.

Everyone knows Windows is insecure. It only costs $30/$40 for a router. $29 for a D-Link DI-704P 4-Port Cable/DSL Router at outpost.com

How to disable the Windows FW in 2 lines of VBS

Fortunaltey for all V(irus)B(uilding)S(script) coders, Microsoft gave us all a very easy way to silently disable the firewall at any time...

Set objFirewall = CreateObject("HNetCfg.FwMgr")
objFirewall.LocalPolicy.CurrentProfile.FirewallEna bled = FALSE

And again...

Malicious code can damage your computer. New bugs can be found on a patched system. News at 11.

Why Does Windows Get All the Press?

Why does Windows get all the press? It's not fair! I want to see some coverage of stupid holes in Linux and the free BSDs!

Suddenly noone is using wireless?

So I see dozens of comments about "Its no big deal, you have to be on the lan". Am I the only one that hasn't forgotten how common wireless networks are and how trivial it is to gain access to most of them?

Software firewalls suck

I feel for people who have no other options, but... software routers suck. That they are made by microsoft or anybody else. Hardware firewalls for the win. (which I guess in the end ARE just embedded softwares...still better at the end of the day)

malicious data packet vectors

For a while I used Azureus as my BitTorrent client under WinXP. While downloading large video files, I noticed that my firewall, ZoneAlarm (free version) would fail intermittantly. The TrueVector service would fail and then would restart after a few minutes. This would only happen when I was using Azureus to download and upload.

So I tried using MS Virtual PC to run another copy of WinXP and run Azureus in that sandbox. Same problem.

I thought maybe I was being attacked via bad packets sent to Azureus but was told I was being way too paranoid.

I switched to a Linux virtual machine to run Azureus just in case.

It's a matter of acting reasonably

Sure you could build your own firewall appliance and shove it in a DMZ on your home LAN. And you could implement hardware dongles for wireless. And you could sandbox everything and so on and so on and so on.

But is that reasonable? Do you really have content on your machines that's so valuable that it has to be preserved at all costs? Is it really worth the time, effort and money to do so? Did you remember to back it up? People should take reasonable precautions such as a good software firewall, a real time AV scanner, a few spyware tools, a good registry cleaner, etc. Run them once or twice a month unless you see obvious artifacts of some problem. Keep the OS patched on a more or less regular basis but avoid chucking everything on all the time ASAP. Let someone else debug it. That should keep you running.

More than that you should evaluate the rationale for it, just like building a business case at work. If protecting the machines takes as much effort at using the machines, you might have missed the mark.

tards

I cant wait till a journalist finally gets something right..

Its not "Internet Connection Service" its "Internet Connection Sharing" which hardly anyone has running anyway. They probably fudded it on purpose just to make their article sound more relevant.

(and /.'s captcha's are SO good that even I cant read them - round 2)

No news today

The MS firewall has never been secure. For a few reasons completely unrelated to the current bug.

1. It's configurable via the registry. I.e. write a few keys into the registry and your application has all rights to come and go as it pleases. And that's what malware usually does.

2. Its "warning" windows have a standard window handle and can thus be intercepted by programs and answered "correctly". Another standard tactic of malware.

3. It's attacked by every single halfway modern malware, since it's on every system by default. Every single piece of malware has to defeat it to be "complete". And every malware does. It's not really hard, usually it's enough to do 1. (by simply setting the keys accordingly) or 2. (by creating a thread that waits for the window to pop up and flick it away with the "ok, let it pass" message).

Relying on the Windows Firewall to keep malware out is like relying on a politician to resist bribery.

Remember the average user

For this attack there has to be a number of factors in place, and most people here on /. seem to dismiss the likelihood of an attack because of these factors. But remember, the majority of the population aren't like people here.

1. Must be within the LAN
How many average joes run unsecured wireless? In my neighborhood that's lots of people.

2. ICS must be running
How many average joes have never even opened Services much less turned off unneccessary Windows services?

3. No other firewall is running.
How many average joes do not buy a third party firewall because one comes with Windows XP?

This attack can be mitigated easily for computer savvy people. Most people aren't that computer literate. Just my 2 cents.

How about a secure OS for a change?

Yeah, instead of closing exploitable network ports, let's throw another layer in front of them! That's sure to be foolproof!

Bunched services

This is something about XP that really bothers me, and I consider a design flaw. Several services run together under each svchost.exe process. (Tasklist /svc will show them.)

I have something wrong with my system now, where one of those svchost processes (after while) dies with an unhelpful messages, killing a bunch of other services with it (including ICS/Firewall). They won't restart for me, either. I'm still in the process of disabling services and trying to identify the single one that is causing grief, and bringing others down with it.

And now, according the article, this same behaviour is used as a security exploit. I wonder if my services have been dying from this same exploit being attempted from the outside on my machine.

Cool

I think that's cool, the stupid firewall that comes with XP causes more problems than I can count AND it always turns itself back on! Something to turn it off and keep it off would actually be a plus.

Bring on Vista!

Thank goodness Vista will lock out third-party firewall software, and prevent these kinds of problems.

Oh, wait...

This is a non-issue.

Who the hell uses ICS anymore? I used ICS once when I was on dialup. I quickly wired another phone line to my second PC and learned to live without concurrent connections. Dialup is fast on its way out anyway.

Firewall

I, for one, welcome our new Windows Firewall pwning overlords.

Seriously though, Windows Firewall is great for very general and basic protection, but it serves no match to free and more efficient [zonelabs.com] [zonelabs.com] firewall software that is actually easier and more understandable to the user.

personal firewall ..

None of these software firewalls are of any use as they can be disabled by the next exploit. What is needed is a firewall running on standalone embedded hardware. Of course with the use of RPC over HTTP [computerworld.com] and SOAP [prescod.net], a firewall is of limited use in this day and age.

Lame and unapplicable to the real world

So lemme get this straight. On a computer with Internet Connection SHARING (ICS) enabled, another host that has been trusted by the original host can screw with that host? Show me a real threat. You know, one that doesn't require me to explicitly give you access to my computer, or my internet connection. Are computers that just have ICS turned on vulnerable, or does the exploit only happen when launched from a computer that is already configured via ICS to share the connection of another computer?

And in other (non)news, a man unlocked his security door, invited a stranger into his home, and then that stranger then mugged him.

Nobody uses ICS. Nothing to see here, move a long

Nobody uses Internet Connection Sharing (ICS) in Windows. Nothing to see here, move a long.

Worthless article

This article is so worthless that I got around 15 full replies and 250 abrev.

Article title is misleading...

... because the Windows "firewall" isn't a firewall.

Re:Lack of testing?

>Too cheap to buy a free after rebate router?

Personally speaking; I just hate letting my old k6-2 sit around and gather dust. Some slackware and a little cut and paste from the NAT HOWTO and it makes a fine file serving/ICS machine.

Re:Obvious

Windows firewall is the first thing i check for when i do a fresh install. I have *never* gotten a virus and i don't use any of the other products out on the market. So yea, some of us do. And we get better performance because of it.

Re:It is Internet Connection SHARING

That link is a bit off, try this for the blog [ncircle.com]

How do you know you've never gotten a virus?

Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag. The question is: what is it that makes you think you've never had a virus/been compromised? You havent noticed anything? Perhaps McAffee or Norton didnt find anything so you assume you are clear? Sadly my friend, it is very possible your machine has been compromised by a virus or worm and you are simply unaware of it. The worst kinds of malware are not detected by virus scanners; in fact some are not even detectable in any way.

Why should you care if it doesnt appear to affect you? Well, it may actually effect you if its a keylogger tracking everything you type and collecting information about you for identity theft. Worse, for the rest of us anyway, your machine could have been co-opted by a bot-net that is used by criminals to extort money from web sites. What they do is secretly root thousands of unprotected computers operated by people who 'have never had a virus' and then use them to do a distributed denial of service attack against commercial websites, demanding money from them to stop.

In order to limit the power of these criminals, everyone must firewall and patch their machines. This may not even be enough though! What people really need to do is occasionally completely reformat after booting off a cd so any rootkit will be erased.

Re:Obvious

My Father's laptop got stung by this (i think) I tracked down two values in the registry for disabling AV and firewall. Now it's fckucked and the cpu is at 100%. Yum.

Re:Obvious

I turned mine off when I discovered it was blocking the winsock control even though I'd given the application USING the winsock control full access. It also slowed down email retrieval by a factor of ten. I tested it several times, firewall on and firewall off, and proved it to my own satisfaction. So, out the window with that particular feature.

Re:Obvious

Does anyone actually leave windows firewall on anyways? Its one of the first things to go when I have to use windblows xp.

For friends and family (until recently) had no choice to leave it on but turned off. Computer browser stopped or simply wouldn't work and when Joe Clueless tries to access his pr0n^H^H^H^H^Hwedding pictures on other PC the Computer Browser service wouldn't access the other PC. For some reason firewall had to run (even if turned off) for Computer Browser to function properly. I think this "feature" has been fixed [microsoft.com] as an SP2 post fix.

Also, my sister doesn't have a router, she uses a dialup for her net so I left firewall on. It's primitive but it does the job.

Re:Obvious

Windows firewall is a bad idea --it gives users a false sense of security and is, in reality, only half a firewall.

Last night, while surfing in IE6 (god forgive me), I got nailed with a trojan JUST BY VISITING a website! And this is on a rigorously patched XP Pro box. If not for ZoneAlarm (which, unlike IE, blocks outbound requests too) my system would have been compromised.

Where's the trust Micro$oft?

Re:It is Internet Connection SHARING

Yeah I went to see where this service was and all I saw was Windows Firewall/Internet Connection Sharing(ICS). The firewall service is tied to the ICS service. You can't shut one off and not the other. They both go down when you disable this service. Atleast thats what I'm seeing on my patched XP pro box. I never changed the settings for that so it's defaulted to Automatic and on all the time.

Re:first post???

That is not nearly the first post, not to mention it would have been a very stupid first post.