XP2 Spotted In The Wild

LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."
  • by hardreset ( 775806 ) on Thursday August 26, 2004 @10:17AM (#10077672)
    Microsoft released SP2 in a staggered fashion. First to MSDN subscribers, OEM's, Enterprise customers, etc. Second, SP2 was unleashed to XP Home Edition via Windows Update. Today, they're finally allowing XP Pro users to get the patch. It was intended to allow corporate customers the ability to disable the update to their clients.
  • Administrator is the default context for XP Pro, too, if you create users at install time. I run as administrator, but I use Firefox to browse everything but windows update, and I have Norton installed and auto-updating itself every day. Hence I am operating in an insecure fashion, but with little risk.

    (Watch me get owned tomorrow or something, but nonetheless, I stand by my statements.)

    On Linux I do typically do everything as me, and sudo when I can, but some programs don't work right when you sudo, they need a full root environment. On windows, using run as often doesn't work right because spawned programs revert to your user context (though not always? I'm not sure what's going on there), and many processes spawn new processes to do their dirty work. Even a lot of installs work this way, unfortunately.

  • by mrgreenfur ( 685860 ) on Thursday August 26, 2004 @10:20AM (#10077701)
    I noticed it was up last night so I installed it.

    It's 94.50 MB which takes a while to download. Upon installation and restart the new Windows Security Center pops up and tries to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.

    Otherwise there doesn't seem to be any major changes.

    So far nothing's borked.
  • Re:Scary stuff. (Score:5, Informative)

    by spellraiser ( 764337 ) on Thursday August 26, 2004 @10:23AM (#10077737) Journal
    You forgot ...

    Step 0: Open IE

    Couldn't even drag the scrollbar in Firefox :-/

    Then I opened IE and tried it - jackpot. Nice little booom.exe in my startup folder. I have SP2 installed. Good grief.

  • Re:No problem here! (Score:2, Informative)

    by joxeanpiti ( 789529 ) on Thursday August 26, 2004 @10:27AM (#10077782) Journal
    My box says it's insecure! So therefore, I can't possibly have some spoofing ActiveX control thingie, can I?

    Then your system is properly configured, everything is correct.
  • by LilMikey ( 615759 ) on Thursday August 26, 2004 @10:32AM (#10077830) Homepage
    I guess that depends on what you mean by "have to". An out of the box Fedora Core 2 system will work and play just nicely with your email, office, internet, graphics, video, etc. An OOB Windows XP install will only last 20 minutes [slashdot.org] once connected to the internet.
  • by Hungry Student ( 799493 ) on Thursday August 26, 2004 @10:32AM (#10077838)
    That's because you got the network admin version, which has every little bit for every possible system so that admins can customise it for the systems running on their networks. The version designed for single computers is between 50 and 80MB according to how well patched your pc is to start off with. You're right that they're, effectively, rolling out XPv2, but your reasoning's off.
  • by Vann_v2 ( 213760 ) on Thursday August 26, 2004 @10:32AM (#10077842) Homepage
    That's the network install, which includes every update since XP was released plus code to figure out what version of Windows you're actually running. If you download it from Windows Update it does all that before-hand and only sends you the stuff you need, which makes for a much smaller download.
  • STILL Broken (Score:4, Informative)

    by Roguelazer ( 606927 ) <Roguelazer AT gmail DOT com> on Thursday August 26, 2004 @10:33AM (#10077852) Homepage Journal

    Great work Microsoft! After all the beta-testing, SP2 is still broken. Here's what I've found so far that's messed up badly:

    • FarCry Demo fails to install
    • Unreal2 won't run
    • Norton Antivirus status is not detected by Security Center
    • AVG Antivirus is not detected by Security Center
    • Windows crashes on startup if any non-MS OS is doing a SMB network scan while it is starting up
    • Security Center considers having Automatic Updates set to "Ask Before Installing" a security risk

    What I find funny is that ZoneAlarm's AntiVirus monitor feature detects AVG and Norton properly.:P

  • by halowolf ( 692775 ) on Thursday August 26, 2004 @10:35AM (#10077877)
    Oh, XBOXs can be updated. It's the first thing that happens to them when you connect to XBOX Live, and there are more updates after that.

    Of course, you can "update" them also with mod chips, but I don't think that that is what you had in mind :)

  • by Moridineas ( 213502 ) on Thursday August 26, 2004 @10:36AM (#10077892) Journal
    What a moron.

    First of all, the update was NOT anywhere near 400mb.

    Secondly, it contains every update, every fix, etc since XP was released.

    Thirdly, it contains these fixes for every version of XP--home, corporate, pro.

    thanks for playing!
  • Re:Actually, no... (Score:5, Informative)

    by BabyDave ( 575083 ) on Thursday August 26, 2004 @10:37AM (#10077903)

    The reason they say it's safer is because they took advantage of the new processor features that allow you to mark a block of memory as "non-executable" thus stopping buffer overrun 'sploits and similar problems. Linux doesn't have this feature.

    Yes it does [google.com]

  • by dotcher ( 761759 ) on Thursday August 26, 2004 @10:40AM (#10077925)
    Mozilla has never had a security bug, right?

    You run *any* OS as root or equivalent on a daily basis, and you're going to have problems sooner or later.

    Okay, so if you're running IE that's more likely to be "sooner" than "later" but the point still stands - the main problem is running systems with more privileges than they need.
  • Re:Solution (Score:1, Informative)

    by Anonymous Coward on Thursday August 26, 2004 @10:45AM (#10077981)
    XML-based file system? I think I'd rather superglue my hands to a rhino's ass - I'd be less likely to get a Darwin award.

    You might also want to do some research into ACL support in Linux. It's there, and it sounds a lot less complicated than "XML driven agent based security infrastructure". Ever heard of the adage "Perfection in design is not achieved when there is nothing left to add, but when there is nothing left to take away"? Simpler designs are generally better, so long as they get the job done.
  • by Apathetic1 ( 631198 ) on Thursday August 26, 2004 @10:46AM (#10077988) Journal
    The way I understand it, SP2 is 400 MB because it replaces the entire core of the operating system with executables and libraries compiled with a newer version of the compiler.
  • by Alioth ( 221270 ) <no@spam> on Thursday August 26, 2004 @10:49AM (#10078019) Journal
    I was going to mod you down, but just in case you really are ill-informed and not just a troll, in the interest of enlightenment I'll reply instead.

    I don't know what Unix you're using (perhaps Version 7 on the Interdata 7/32 or some other forgotten vintage system), but modern Unix-like operating systems, such as *BSD, Linux and Solaris, by default create users' home directories with permissions user: read/write, group: no permissions at all, world: no permissions at all, and no special ACLs. Filesystems for these operating systems support ACLs (much like NTFS ACLs; personally, I've found the user/group/world permissions have covered every case I've encountered, but that may not be true for everyone, hence POSIX ACLs were created).

    Certainly in the Linux world, major distributions turn the firewall on by default (RedHat since at least 7.x, and continuing into Fedora Core) during the install process. It's been a proper stateful inspection filter since before XP was even out. Also in a Redhat or Fedora install, you are asked to create a non-root user. The Windows XP install also asks you about what users you want to create, but by default creates them all with root privileges.
  • Not just those. (Score:1, Informative)

    by Anonymous Coward on Thursday August 26, 2004 @10:50AM (#10078030)
    Home, Pro, Corporate, Media Center Edition and Tablet PC Edition.
  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Thursday August 26, 2004 @10:54AM (#10078078)
    Comment removed based on user account deletion
  • Re:Need root? (Score:5, Informative)

    by 0123456 ( 636235 ) on Thursday August 26, 2004 @11:00AM (#10078158)
    "Someone please explain to me how this is different than Linux?"

    Most programs on Linux run happily as a non-root user. So many programs on Windows force you to run as an admin user that most people who even think about trying to run as a non-root user quickly give up...
  • Re:STILL Broken (Score:4, Informative)

    by delus10n0 ( 524126 ) on Thursday August 26, 2004 @11:03AM (#10078203)
    # FarCry Demo fails to install
    # Unreal2 won't run


    Both working fine here..

    # Norton Antivirus status is not detected by Security Center

    Norton's problem, they've said repeatedly they're working on a patch.

    # AVG Antivirus is not detected by Security Center

    This should be working. It works for a lot of other people correctly.

    Windows crashes on startup if any non-MS OS is doing a SMB network scan while it is starting up

    Huh? Did you pull this one out of the air? We haven't had a problem with this on our network here (300+ PCs, 10+ Macs)

    Security Center considers having Automatic Updates set to "Ask Before Installing" a security risk

    And I agree that it should. Users are totally retarded, and should be treated like a child.
  • Re:Need root? (Score:3, Informative)

    by twbecker ( 315312 ) on Thursday August 26, 2004 @11:03AM (#10078208)
    If you could both install and run software in limited mode, how is it limited??? I'll probably get flamed for this, but limited users under XP are more trouble than they're worth. A lot of older software refuses to run. As long as you run a firewall, Antivirus software, spyware detection software, know what software you install and why, and don't casually click past warning messages on the web (or better yet use Firefox), you're fine as an Administrator. Granted that's a lot of shit, but hey, that's what it takes. The *nix approach of only having access to your account's data is great for a multiuser box, and can probably stop your machine from being turned into a drone, but for most desktop users, your data is the most important stuff on the box!! Screw the OS internals, you can always reinstall. . .
  • by kronin ( 413035 ) on Thursday August 26, 2004 @11:12AM (#10078371)
    I installed the official release of SP2 and installed it on my mom's laptop last night, only to be greeted with a nice informative blue screen upon reboot.

    http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=23905071 [crn.com]

    I had to boot into recovery mode and run a batch script to uninstall SP2, just like the article outlines. Then I had to go into the registry and change some keys, then do an uninstall via the add/remove programs wizard. Man, thanks Microsoft for a full night.

    I'm not sure if I'm going to try again, we'll see how I feel after stewing about it all day...
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday August 26, 2004 @11:16AM (#10078420)
    Comment removed based on user account deletion
  • by Anonymous Coward on Thursday August 26, 2004 @11:18AM (#10078436)
    I think the code you were looking for was more like:

    ' Connect to WMI on the local machine ("." means this box; put a hostname here for a remote one)
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' Fetch the operating system instance and print its service pack level
    Set colSettings = objWMIService.ExecQuery _
        ("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colSettings
        WScript.Echo "Service Pack: " & objOperatingSystem.ServicePackMajorVersion _
            & "." & objOperatingSystem.ServicePackMinorVersion
    Next

    and yes.. by changing the "strComputer =" to accept parms you can do it on remote machines.
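A defender-side follow-up to the WMI query above, added here as an example and not posted by anyone in the thread: the story is that the Security Center's status lives in WMI, where any local program can rewrite it, so the sensible admin habit is to read what the Security Center reports and then compare it with evidence that does not come from the same self-reported store. The script assumes the XP SP2 `root\SecurityCenter` namespace with its `FirewallProduct` and `AntiVirusProduct` classes and their `displayName`, `enabled`, `onAccessScanningEnabled` and `productUptoDate` properties, and assumes the Windows Firewall/ICS service is named `SharedAccess`; none of those names appear in the thread.

```vbscript
' Added example (not from the thread): compare what the Security Center *reports*
' through WMI with the actual state of the Windows Firewall service.
' Assumptions (XP SP2 schema, not stated anywhere in the thread):
'   - namespace root\SecurityCenter with classes FirewallProduct and AntiVirusProduct
'   - the Windows Firewall / Internet Connection Sharing service is named "SharedAccess"
Option Explicit

Dim strComputer, objSC, objCIM, colItems, objItem
Dim intFirewalls, blnServiceRunning

strComputer = "."   ' local machine; a hostname works here for remote checks

' 1. What the Security Center has been told. This is the self-reported data that
'    the eWeek / PC Magazine articles say any local program can edit.
Set objSC = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\SecurityCenter")

Set colItems = objSC.ExecQuery("Select * from FirewallProduct")
intFirewalls = colItems.Count
For Each objItem In colItems
    WScript.Echo "Reported firewall:  " & objItem.displayName & _
        "  enabled=" & objItem.enabled
Next

Set colItems = objSC.ExecQuery("Select * from AntiVirusProduct")
For Each objItem In colItems
    WScript.Echo "Reported antivirus: " & objItem.displayName & _
        "  onAccess=" & objItem.onAccessScanningEnabled & _
        "  upToDate=" & objItem.productUptoDate
Next

' 2. Independent evidence: ask the service control manager (via root\cimv2)
'    whether the built-in firewall service is actually running. A program that
'    only edits the SecurityCenter entries does not change this answer.
Set objCIM = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colItems = objCIM.ExecQuery( _
    "Select State, StartMode from Win32_Service Where Name='SharedAccess'")
blnServiceRunning = False
For Each objItem In colItems
    WScript.Echo "Windows Firewall service: state=" & objItem.State & _
        "  startmode=" & objItem.StartMode
    If objItem.State = "Running" Then blnServiceRunning = True
Next

' 3. Verdict. Only the service state above is evidence; FirewallProduct rows are
'    whatever the last writer put there.
If blnServiceRunning Then
    WScript.Echo "Verdict: built-in firewall service is running (independent evidence)."
ElseIf intFirewalls > 0 Then
    WScript.Echo "Verdict: only self-reported third-party firewall entries exist; " & _
        "confirm in the vendor's own console before trusting the green shield."
Else
    WScript.Echo "Verdict: no firewall service and no registered product; " & _
        "the box is unprotected whatever the Security Center shows."
End If
```

Run it with `cscript //nologo check_security_center.vbs` so the `WScript.Echo` lines go to the console instead of message boxes. The point of the third section is that the antivirus rows have no equally cheap independent cross-check, which is exactly why the articles' complaint matters: the Security Center is a reporting surface, not a sensor, and an administrator who wants to know the real state has to look somewhere the reporting program cannot write.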
  • by Anonymous Coward on Thursday August 26, 2004 @11:18AM (#10078444)
    I fail to see what the fuss is about. That a program running with admin privileges on a compromised box can do whatever it wants to?

    Come on, this is just nonsense. XP SP2 has a slew of security enhancements to make it harder to compromise a box, but it doesn't change the fact that once a box is compromised it can never be trusted again. Game over, reinstall! .m
  • by pmc ( 40532 ) on Thursday August 26, 2004 @11:21AM (#10078485) Homepage
    First of all, the update was NOT anywhere near 400mb.

    Erm - the version that I downloaded from MSDN is 498,436,096 bytes. This is the ISO image version (which was the only one that was available at that time).
  • by Anonymous Coward on Thursday August 26, 2004 @11:23AM (#10078509)
    "Linux is an OS"

    Linux is a kernel not an OS.
  • by praxis ( 19962 ) on Thursday August 26, 2004 @11:31AM (#10078639)
    Actually, under XP, many programs take advantage of NETWORK SERVICE and LOCAL SERVICE accounts, which are not quite the same as SYSTEM. I believe IIS is one of these programs.
  • by Deviate_X ( 578495 ) on Thursday August 26, 2004 @11:31AM (#10078645)
    Root? Unfortunately privilege escalation [google.co.uk] seems to be a very big problem which does not get as much attention as it deserves.

    It's critical that you know and trust your users and take care of what applications you decide to run, especially as plenty of exploits [k-otik.com] are readily available.

    As for the spoofing "Security Center" it ignores the fact that evil.exe required a prerequisite compromise to have taken place.

  • by DashEvil ( 645963 ) on Thursday August 26, 2004 @11:35AM (#10078697)
    Hey. I hate Windows as much as the next guy, but if you want to make a compelling argument you should at least be fair.

    Windows XP came out in 2001. Do you really need me to tell you that running a RedHat distribution from 2001 would be suicide right now?
  • by jridley ( 9305 ) on Thursday August 26, 2004 @11:47AM (#10078858)
    Hmm, I just tried it, and the meta redirect is working for me on XP/SP2.

    I just looked, and in Internet Options/Security settings, there's an "Allow META REFRESH" checkbox, which for me is enabled. I don't know if I've set it in the past, but I didn't do it recently. I am running a "custom" security level, not a prepackaged one.

    But the grandparent's assertion that there's no way to change it appears to be wrong. I've tried both 302 and meta refresh redirects and both work for me on XP/SP2
  • by bankman ( 136859 ) on Thursday August 26, 2004 @11:59AM (#10079055) Homepage
    And designing new programs from a marketing impetus instead of what people want.

    You probably don't know it, but marketing is about giving people the product they want. Unfortunately many companies (and Microsoft is one of them) talk about marketing, but what they are really talking about is advertising.

    "What if somebody could tell if their machine was secure just by opening a control panel?"

    This statement would be a really bad example of marketing: The company and/or its developers and "marketing" experts sit together and brainstorm without ever actually asking the customer. If they were to ask me this exact question, my answer would be:

    "Are you really this insane? I don't want a control panel to tell me whether my machine is secure. I want the machine to be secure, plain and simple. Given MS Windows' (whatever incarnation) security track record, I neither would nor could ever trust any application that tells me the security status of the machine from within. It's probably already cracked, infested or whatever anyway by the time I check it. If history tells us anything, it's that any application can be made to tell me that it is secure."

    ...but it will take at least a year to develop something like this that actually works well enough to be a part of windows.

    I couldn't agree less with you. According to developers who are far more experienced with Windows than I am (IANAP), Windows is insecure by design, no fix or additional security layer on top of the current product will ever make it more secure. The only way to fix it, is to dump it and start from scratch.

    This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.

    Many people argue that XP is, while more stable than all previous versions, with the notable exception of W2K, is still in development status and many of its design features are so braindead, that many knowledgable people have already lost trust in it.

    IMHO, this is yet another stupid toy to make the casual home user and the boss feel more secure without actually delivering on the promises. If you were to ask them, they would all answer that they want a machine that is actually more secure rather than a having a MS tool that tells them they are. Once they told you, you design a product that is actually secure and does what the customer wants. This is marketing from an academic's point of view.

  • Re:Scary stuff. (Score:1, Informative)

    by Anonymous Coward on Thursday August 26, 2004 @12:02PM (#10079093)
    I *think* that exploit is XP only.
  • by Zak3056 ( 69287 ) on Thursday August 26, 2004 @12:26PM (#10079413) Journal
    Windows XP came out in 2001. Do you really need me to tell you that running a RedHat distribution from 2001 would be suicide right now?

    Assuming you never patch the system, I agree. However, assuming that you're the slightest bit proactive about maintaining the box, I strongly disagree.

    I use RH7.3 as a baseline for my systems (because RHEL costs too damn much, and because I'm not particularly fond of 8, 9, or FC) and while it's not quite that old (early 2002 as opposed to 2001) it's stable and secure. Of course, I do make use of Fedora Legacy via yum for most of my updates, but presuming such are not available it's not exactly a difficult task these days to, say, rebuild OpenSSH from source if security issues are found.
  • by Anonymous Coward on Thursday August 26, 2004 @12:28PM (#10079442)
    The ~280MB "Network Installation Package" is targeted primarily at network administrators who'll want to update multiple computers. It contains files for updating all versions of XP, including Home, Professional and Media Center Edition. It can also be distributed through SMS, GPO etc. or "slipstreamed" into XP installation sources so that new installations have SP2 from start.

    The smaller package that is distributed through Windows Update contains only the files necessary for the platform it's downloaded to.

    Mattias
  • Wouldn't matter (Score:3, Informative)

    by Sycraft-fu ( 314770 ) on Thursday August 26, 2004 @12:52PM (#10079764)
    Even if you could get a user to not run as admin all the time, it's not going to help. Why? Because users WANT to run the stupid shit that infects their computer. They go to install Kaazaa, it says "I need root to install", you think they are NOT going to enter the root password? Of COURSE they will, they want Kaazaa on their computer, they'll do whatever it asks them to do.

    As a recent example, later variants of one of the recent worms were zipping themselves and encrypting the zip to try and evade virus scanners (successfully, for a little while). That means you had to get the password from the e-mail, and use it to unzip the executable, then run it.

    Guess what? People did. They went through all that trouble, because they believed the program to be something they wanted.

    There is really no defense against stupid users, when they own the box. They can get admin, and will whenever they want it, even if it's not the default.
  • Re:Need root? (Score:3, Informative)

    by Junks Jerzey ( 54586 ) on Thursday August 26, 2004 @01:21PM (#10080134)
    I'll probably get flamed for this, but limited users under XP are more trouble than they're worth.

    No, you've hit the nail on the head. "Administrator" under Windows XP is not like "root" under UNIX. The former is something that came along fairly recently and put down a few arbitrary restrictions on applications. Problem is, most Windows software was written prior to XP, and at one time the restricted items--like writing to your own application folder--were the accepted ways of doing things. There are even developers running older versions of Windows who don't know about the issues involved.

    Furthermore, when you install a new application you have no way of knowing if it will work in a restricted account. So first you install it the proper way. Then you have to load it up and experiment with it for a while to find out if it is clean. Sometimes this is hard. Maybe it only gets caught when you try to save a document template or a window layout or some other less common activity. When this happens you have to uninstall and reinstall to a folder outside of "Program Files." This is generally not worth it. If you're running a firewall, anti-virus program, and not using IE, then running as administrator isn't a bad thing. Remember, even in administrator mode programs can do all sorts of bad things to your system, like emailing or deleting your files. It's only the "Windows" and "Program Files" folders that have any protection on them. To repeat: this is not like running as root under UNIX.
  • by Milhouse_ph ( 538432 ) <paul.n-site@ca> on Thursday August 26, 2004 @02:19PM (#10080792) Homepage
    As far as I've managed to tell it has only "broken" one thing for me. The outbound TCP connections were limited to 10/sec. But then I went here:

    http://www.lvllord.de/?url=tools#4226patch [lvllord.de]

    And found a fix for it. All of the FUD that I've seen about SP2 breaking things mainly focuses around which apps aren't automagically detected by the built in firewall as "allowed". Considering that having to add rules to a firewall config is pretty standard amongst all firewalls, I'm pretty lost as to why this is considered "breaking" an app. I'll admit the TCP thing was frustrating, but that's the only problem I've encountered.

    So for what it's worth, I've been running SP2 in beta and release form for about 1 month now on my primary system. And I've had only the one TCP issue. I've also had it running on 5 other "test" boxes (read: other family member's computers). And so far no one has reported a problem. Although obviously YMMV.

    I'll admit I haven't formally been running the XP firewall (I turned it on to check it out, but I have my own firewall solution that I prefer). But turning it off was easy enough and I checked into configuring it and that seemed easy enough as well (you go into the control panel icon and select the programs you want to allow incoming access on).

    Now lets not continue down the road complaining that it's broken because it's too difficult for "Joe Blow" to configure his firewall and as a result we should consider it "broken". Realize that at the same time "Joe Blow" probably can't properly configure ANY firewall. User ignorance doesn't mean something is broken. If I put power steering fluid in my brake lines because I don't know better, and my brakes lock up, that's not the car's fault.
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday August 26, 2004 @02:46PM (#10081063) Homepage Journal
    No OS can protect against malicious code running as root/admin.

    If the OS has the concept of a superuser, then you're correct. However, that's ignoring other OSes [sun.com] that are built on capabilities or mandatory access controls. Those do away with "root users" altogether, and replace them with users with sufficient access to grant necessary rights to other users. These aren't hypothetical creations, but real systems in use, today, in high-security installations.

  • Add To This... (Score:3, Informative)

    by EXTomar ( 78739 ) on Thursday August 26, 2004 @05:13PM (#10082463)
    Add to this that Windows doesn't give the user a facility to promote (and demote!) themselves easily, it's really hopeless. This problem has been around since NT 3.1 and has been compounded by the integration of IE into the kernel. And yes I know about "runas" but it doesn't work correctly for many apps (even ones provided by MS).

    So Windows offers you as an IT manager two options:

    - Remove admin rights from users but anytime an application requires a minor elevation in rights you will get pestered.

    - Give everyone admin rights but watch installations like a hawk because they might accidentally misclick some link at some googled web site that wasn't what was said.

    Either path is expensive. I curse MS every day for creating a flexible permission system, access control lists that are well integrated across the enterprise and then promptly not use them in any of the right places.

    I'm stumped and have given up all hope of figuring out what to do beyond pray. As long as MS clings to this system, Windows will be an expensive PITA system to maintain on the enterprise.
