XP2 Spotted In The Wild
LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."
Re:Can someone answer this question? (Score:5, Informative)
Re:Close it anyway MSFT or stop the default Admins (Score:3, Informative)
Administrator is the default context for XP Pro, too, if you create users at install time. I run as administrator, but I use Firefox to browse everything but Windows Update, and I have Norton installed and auto-updating itself every day. Hence I am operating in an insecure fashion, but with little risk.
(Watch me get owned tomorrow or something, but nonetheless, I stand by my statements.)
On Linux I typically do everything as me, and sudo when I can, but some programs don't work right when you sudo; they need a full root environment. On Windows, using Run As often doesn't work right because spawned programs revert to your user context (though not always? I'm not sure what's going on there), and many processes spawn new processes to do their dirty work. Even a lot of installs work this way, unfortunately.
I installed it last night (Score:5, Informative)
It's 94.50 MB, which takes a while to download. Upon installation and restart the new Windows Security Center pops up and tries to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.
Otherwise there don't seem to be any major changes.
So far nothing's borked.
Re:Scary stuff. (Score:5, Informative)
Step 0: Open IE
Couldn't even drag the scrollbar in Firefox :-/
Then I opened IE and tried it - jackpot. Nice little booom.exe in my startup folder. I have SP2 installed. Good grief.
Re:No problem here! (Score:2, Informative)
Then your system is properly configured, everything is correct.
Re:this is surprising? (Score:3, Informative)
Re:I'm sorry, were you expecting better? (Score:4, Informative)
Re:I'm sorry, were you expecting better? (Score:5, Informative)
STILL Broken (Score:4, Informative)
Great work Microsoft! After all the beta-testing, SP2 is still broken. Here's what I've found so far that's messed up badly:
What I find funny is that ZoneAlarm's AntiVirus monitor feature detects AVG and Norton properly. :P
Re:this is surprising? (Score:5, Informative)
Of course, you can "update" them also with mod chips, but I don't think that that is what you had in mind :)
Re:I'm sorry, were you expecting better? (Score:3, Informative)
First of all, the update was NOT anywhere near 400mb.
Secondly, it contains every update, every fix, etc since XP was released.
Thirdly, it contains these fixes for every version of XP--home, corporate, pro.
Thanks for playing!
Re:Actually, no... (Score:5, Informative)
Yes it does [google.com]
Re:SP2 - as secure as any linux distro... (Score:4, Informative)
You run *any* OS as root or equivalent on a daily basis, and you're going to have problems sooner or later.
Okay, so if you're running IE that's more likely to be "sooner" than "later" but the point still stands - the main problem is running systems with more privileges than they need.
Re:Solution (Score:1, Informative)
You might also want to do some research into ACL support in Linux. It's there, and it sounds a lot less complicated than "XML driven agent based security infrastructure". Ever heard of the adage "Perfection in design is not achieved when there is nothing left to add, but when there is nothing left to take away"? Simpler designs are generally better, so long as they get the job.
Re:I'm sorry, were you expecting better? (Score:2, Informative)
Re:Still better than Unix. (Score:4, Informative)
I don't know what Unix you're using (perhaps Version 7 on the Interdata 7/32 or some other forgotten vintage system), but modern Unix-like operating systems, such as *BSD, Linux and Solaris, by default create users' home directories with permissions user: read/write, group: no permissions at all, world: no permissions at all, and no special ACLs. Filesystems for these operating systems support ACLs (much like NTFS ACLs). Personally, I've found the user/group/world permissions have covered every case I've encountered, but that may not be true for everyone, hence POSIX ACLs were created.
Certainly in the Linux world, major distributions turn the firewall on by default (RedHat since at least 7.x, and continuing into Fedora Core) during the install process. It's been a proper stateful inspection filter since before XP was even out. Also in a Redhat or Fedora install, you are asked to create a non-root user. The Windows XP install also asks you about what users you want to create, but by default creates them all with root privileges.
Not just those. (Score:1, Informative)
Re:Need root? (Score:5, Informative)
Most programs on Linux run happily as a non-root user. So many programs on Windows force you to run as an admin user that most people who even think about trying to run as a non-root user quickly give up...
Re:STILL Broken (Score:4, Informative)
# Unreal2 won't run
Both working fine here..
# Norton Antivirus status is not detected by Security Center
Norton's problem, they've said repeatedly they're working on a patch.
# AVG Antivirus is not detected by Security Center
This should be working. It works for a lot of other people correctly.
# Windows crashes on startup if any non-MS OS is doing a SMB network scan while it is starting up
Huh? Did you pull this one out of the air? We haven't had a problem with this on our network here (300+ PCs, 10+ Macs)
# Security Center considers having Automatic Updates set to "Ask Before Installing" a security risk
And I agree that it should. Users are totally retarded, and should be treated like a child.
Re:Need root? (Score:3, Informative)
XP SP2 is awesome - leads to blue screen (Score:3, Informative)
http://www.crn.com/sections/breakingnews/breaking
I had to boot into recovery mode and run a batch script to uninstall SP2, just like the article outlines. Then I had to go into the registry and change some keys, then do an uninstall via the add/remove programs wizard. Man, thanks Microsoft for a full night.
I'm not sure if I'm going to try again, we'll see how I feel after stewing about it all day...
Re:UA String any different? (Score:1, Informative)
How can this even be a story? (Score:1, Informative)
Come on, this is just nonsense. XP SP2 has a slew of security enhancements to make it harder to compromise a box, but it doesn't change the fact that once a box is compromised it can never be trusted again. Game over, reinstall!
Re:I'm sorry, were you expecting better? (Score:2, Informative)
Erm - the version that I downloaded from MSDN is 498,436,096 bytes. This is the ISO image version (which was the only one that was available at that time).
Re:I'm sorry, were you expecting better? (Score:2, Informative)
Linux is a kernel not an OS.
Re:Not running as admin is all that matters? Not s (Score:3, Informative)
Re:SP2 - as secure as any linux distro... (Score:1, Informative)
It's critical that you know and trust your users and take care of what applications you decide to run, especially as plenty of exploits [k-otik.com] are readily available.
As for the spoofing of "Security Center", it ignores the fact that evil.exe required a prerequisite compromise to have taken place.
Re:this is surprising? (Score:5, Informative)
Windows XP came out in 2001. Do you really need me to tell you that running a RedHat distribution from 2001 would be suicide right now?
Re:I'm sorry, were you expecting better? (Score:4, Informative)
I just looked, and in Internet Options/Security settings, there's an "Allow META REFRESH" checkbox, which for me is enabled. I don't know if I've set it in the past, but I didn't do it recently. I am running a "custom" security level, not a prepackaged one.
But the grandparent's assertion that there's no way to change it appears to be wrong. I've tried both 302 and meta refresh redirects and both work for me on XP/SP2.
Re:SP2 - as secure as any linux distro... (Score:5, Informative)
You probably don't know it, but marketing is about giving people the product they want. Unfortunately many companies (and Microsoft is one of them) talk about marketing, but what they are really talking about is advertising.
"What if somebody could tell if their machine was secure just by opening a control panel?"
This statement would be a really bad example of marketing: The company and/or its developers and "marketing" experts sit together and brainstorm without ever actually asking the customer. If they were to ask me this exact question, my answer would be:
"Are you really this insane? I don't want a control panel to tell me whether my machine is secure. I want the machine to be secure, plain and simple. Given MS Windows' (whatever incarnation) security track record, I neither would nor could ever trust any application that tells me the security status of the machine from within. It's probably already cracked, infested or whatever anyway by the time I check it. If history tells us anything, it's that any application can be made to tell me that it is secure."
I couldn't agree less with you. According to developers who are far more experienced with Windows than I am (IANAP), Windows is insecure by design; no fix or additional security layer on top of the current product will ever make it more secure. The only way to fix it is to dump it and start from scratch.
This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.
Many people argue that XP, while more stable than all previous versions, with the notable exception of W2K, is still in development status and many of its design features are so braindead that many knowledgeable people have already lost trust in it.
IMHO, this is yet another stupid toy to make the casual home user and the boss feel more secure without actually delivering on the promises. If you were to ask them, they would all answer that they want a machine that is actually more secure rather than having an MS tool that tells them they are. Once they told you, you design a product that is actually secure and does what the customer wants. This is marketing from an academic's point of view.
Re:Scary stuff. (Score:1, Informative)
Re:this is surprising? (Score:3, Informative)
Assuming you never patch the system, I agree. However, assuming that you're the slightest bit proactive about maintaining the box, I strongly disagree.
I use RH7.3 as a baseline for my systems (because RHEL costs too damn much, and because I'm not particularly fond of 8, 9, or FC) and while it's not quite that old (early 2002 as opposed to 2001) it's stable and secure. Of course, I do make use of Fedora Legacy via yum for most of my updates, but presuming such are not available it's not exactly a difficult task these days to, say, rebuild OpenSSH from source if security issues are found.
Re:diffrence between the 280 meg and 100 meg SP2? (Score:1, Informative)
The smaller package that is distributed through Windows Update contains only the files necessary for the platform it's downloaded to.
Mattias
Wouldn't matter (Score:3, Informative)
As a recent example, later variants of one of the recent worms were zipping themselves and encrypting the zip to try and evade virus scanners (successfully, for a little while). That means you had to get the password from the e-mail, and use it to unzip the executable, then run it.
Guess what? People did. They went through all that trouble, because they believed the program to be something they wanted.
There is really no defense against stupid users, when they own the box. They can get admin, and will whenever they want it, even if it's not the default.
Re:Need root? (Score:3, Informative)
No, you've hit the nail on the head. "Administrator" under Windows XP is not like "root" under UNIX. The former is something that came along fairly recently and put down a few arbitrary restrictions on applications. Problem is, most Windows software was written prior to XP, and at one time the restricted items--like writing to your own application folder--were the accepted ways of doing things. There are even developers running older versions of Windows who don't know about the issues involved.
Furthermore, when you install a new application you have no way of knowing if it will work in a restricted account. So first you install it the proper way. Then you have to load it up and experiment with it for a while to find out if it is clean. Sometimes this is hard. Maybe it only gets caught when you try to save a document template or a window layout or some other less common activity. When this happens you have to uninstall and reinstall to a folder outside of "Program Files." This is generally not worth it. If you're running a firewall, anti-virus program, and not using IE, then running as administrator isn't a bad thing. Remember, even in administrator mode programs can do all sorts of bad things to your system, like emailing or deleting your files. It's only the "Windows" and "Program Files" folders that have any protection on them. To repeat: this is not like running as root under UNIX.
Re:Post-install SP2 thoughts / experiences so far? (Score:2, Informative)
http://www.lvllord.de/?url=tools#4226patch [lvllord.de]
And found a fix for it. All of the FUD that I've seen about SP2 breaking things mainly focuses around which apps aren't automagically detected by the built in firewall as "allowed". Considering that having to add rules to a firewall config is pretty standard amongst all firewalls, I'm pretty lost as to why this is considered "breaking" an app. I'll admit the TCP thing was frustrating, but that's the only problem I've encountered.
So for what it's worth, I've been running SP2 in beta and release form for about 1 month now on my primary system. And I've had only the one TCP issue. I've also had it running on 5 other "test" boxes (read: other family member's computers). And so far no one has reported a problem. Although obviously YMMV.
I'll admit I haven't formally been running the XP firewall (I turned it on to check it out, but I have my own firewall solution that I prefer). But turning it off was easy enough and I checked into configuring it and that seemed easy enough as well (you go into the control panel icon and select the programs you want to allow incoming access on).
Now let's not continue down the road complaining that it's broken because it's too difficult for "Joe Blow" to configure his firewall and as a result we should consider it "broken". Realize that at the same time "Joe Blow" probably can't properly configure ANY firewall. User ignorance doesn't mean something is broken. If I put power steering fluid in my brake lines because I don't know better, and my brakes lock up, that's not the car's fault.
Re:Leave it to microsoft (Score:3, Informative)
If the OS has the concept of a superuser, then you're correct. However, that's ignoring other OSes [sun.com] that are built on capabilities or mandatory access controls. Those do away with "root users" altogether, and replace them with users with sufficient access to grant necessary rights to other users. These aren't hypothetical creations, but real systems in use, today, in high-security installations.
Add To This... (Score:3, Informative)
So Windows offers you as an IT manager two options:
- Remove admin rights from users but anytime an application requires a minor elevation in rights you will get pestered.
- Give everyone admin rights but watch installations like a hawk because they might accidentally misclick some link at some googled web site that wasn't what was said.
Either path is expensive. I curse MS every day for creating a flexible permission system, access control lists that are well integrated across the enterprise and then promptly not using them in any of the right places.
I'm stumped and have given up all hope of figuring out what to do beyond pray. As long as MS clings to this system, Windows will be an expensive PITA system to maintain on the enterprise.