Security Flaws in Windows XP Service Pack 2 CSE /14/04 By: Saeed Abu Nimeh
Outline Microsoft Introducing SP2 Collaboration with the industry What’s New in SP2 Heise Security Advisory Microsoft’s Response References
Microsoft Introducing SP2 Microsoft releases a SP every year for Win XP. It was supposed to be released in the first half of the year. Friday, August 6, 2004 SP2 was released. Gates: “SP2 modifies less than 5 percent of the nearly 3-year-old operating system”.
Microsoft Introducing SP2 Gates: “SP2 2 is a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks“. “It is the result of sustained investments in innovation and extensive industry collaboration.“
Collaboration with the industry Windows Security Center: Symantec: Antivirus, Firewall and Intrusion Prevention security solutions are compatible with SP2. Data execution prevention: Intel: Improve security PC platform by Execute Disable Bit and Microsoft's Data Execution Prevention AMD: Support for AMD Athlon 64-bit desktop and mobile processors Preloaded PCs: Working with computer manufacturers: Dell, HP and IBM to ship machines preloaded with SP2 beginning in September and October.
What’s New in SP2 SP2 reduces the most common attack vectors four ways: Network protection Memory protection More secure browsing security and Safer message handling Improved computer maintenance
Network Protection Windows Firewall (Internet Connection Firewall-ICF): Is enabled by default. The firewall turns on very early in the system boot cycle, and turns off very late in the shutdown cycle. Enhanced Group Policy settings to support IPv6. Remote Procedure Call (RPC): Permissions to block services. Distributed Component Object Model (DCOM): Restrictions to reduce the risk, only authenticated administrators can remotely activate and launch COM components. Disabling the Windows Messenger Service by default
Memory protection Execution Protection (NX) Marks all memory locations in a process as non-executable unless the location explicitly contains executable code. Only processors that support NX are the 64-bit AMD K8 and Intel Itanium. Sandboxing: Stack: All binaries in the system recompiled with buffer security checks “enabled” to allow the runtime libraries to catch stack buffer overruns, Heap: "cookies" have been added to the heap to allow the runtime libraries to catch most heap buffer overruns
security New Outlook Express to block images and external content in HTML . View in plain text mode Attachment Execution Service (AES) It looks at the file extension. It can look up the associated application for a given MIME type and file extension
Secure browsing Add-on Management Tool View and control the list of add-ons that can be loaded by IE. Shows the presence of some add-ons that were previously not shown and could be very difficult to detect. Add-on Crash Detection: Detect crashes in IE that are related to an add-on, and gives the user the option to disable add-ons Attachment Execution Service (AES) Can not view ActiveX script in IE. Pop-up Manager: Block Pop-ups
Computer Maintenance Windows Update 5 Scan for, download, and install only the critical and security updates Windows Installer 3 Enhanced inventory functions that identify what patch components do and don't need to be downloaded, Supports Microsoft's “delta compression” technology, which makes patches smaller
Heise Security Advisory August, 13, 2004 Heise Security posted an advisory “Flaws in SP2 security features” by Jürgen Schmidt There are two flaws: a cmd issue: The Windows command shell cmd ignores zone information and starts executables without warnings. The caching of ZoneIDs in Windows Explorer: Windows Explorer does not update zone information properly when files are overwritten.
The cmd Issue The command shell cmd.exe ignores the ZoneID of files: cmd /c evil.exe cmd /c evil.gif Execute the files without warning, regardless of its ZoneID with an attachment Access.gif You can not access it, unless its opened from cmd
Windows Explorer caching of ZoneIDs Windows Explorer caches the result of ZoneID lookups. If a file is overwritten, Explorer does not properly update this cached information to reflect the new ZoneID. This allows spoofing of trusted or non- existant ZoneIDs by overwriting files with trusted or non-existent ZoneIDs.
Windows Explorer caching of ZoneIDs Copy notepad to a new file. > copy c:\windows\notepad.exe test.exe Open test.exe in Explorer: no warning. evil.exe is a file saved from an attachment and has ZoneID=3. Check with your editor by opening "evil.exe:Zone.Identifier". It displays: ZoneID=3 Open evil.exe in Explorer: you will be warned.
Windows Explorer caching of ZoneIDs Overwrite the copy of notepad.exe: > copy evil.exe test.exe test.exe:Zone.Identifier displays: ZoneID=3 Open test.exe in Explorer: no warning! test.exe is launched without warning despite of its ZoneID=3. In the file properties, Explorer shows the correct notice about its origin, but for opening the file the old ZoneID-status is used. Doublecheck: Kill the Explorer task, restart it and launch test.exe: you will be warned.
Microsoft’s Response "We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."
References Wired News, Microsoft Releases Service Pack 2, URL: l l Microsoft Press, Microsoft Releases SP2 with Advanced Security Technologies to Computer Manufacturers, URL: 06WinXPSP2LaunchPR.asp 06WinXPSP2LaunchPR.asp Windows XP Service Pack 2 Overview, White Paper, February 2004 Windows XP Service Pack 2, URL: Steve Friedl, Analysis of Microsoft XP Service Pack 2, URL: Heise Security Advisory, URL: