Network Security Bugtraq

MS XP SP2 Windows Security Center allows spoofing

Subject: MS XP SP2 Windows Security Center allows spoofing
Date: 26 Aug 2004 07:50:54 -0000


Hi,

I found some interesting news about the WSC of the SP2 here:
http://www.pcmag.com/article2/0,1759,1639276,00.asp

Summary:

The Windows Security Center displays information about Firewall, Updates, 
Antivirus... and stores it in an internal database managed by the Windows 
Management Instrumentation (WMI) subsystem built into Windows.

Due to the nature of WMI, the WSC could potentially allow attackers to spoof 
the state of security on a user's system.

For Windows XP Service Pack 2, Microsoft added new fields or records to keep 
track of the Firewall and Antivirus information in the WMI database.

The WMI database is designed to be accessible via the WBEM API and is available 
to any program that wants to access the WMI. Because the WMI database is not 
set to be a read-only file, an attacking program could simply change the 
disabled product's status to "up-to-date" and "enabled" to avoid suspicion.

About that, Microsoft responds:

"In SP2, we added functionality to reduce the likelihood of unknown/devious 
applications running on a user's system, including turning Windows Firewall on 
by default, data execution prevention, attachment execution services to name a 
few. To spoof the Windows Security Center WMI would require system-level access 
to a PC. If the user downloads and runs an application that would allow for 
spoofing of Windows Security Center, they have already opened the door for the 
hacker to do what they want. In addition, if malware is already on the system, 
it does not need to monitor WSC to determine a vulnerable point of attack, it 
can simply shut down any firewall or AV service then attack - no WSC is 
necessary."

"Windows Security Center, found in the Windows XP Control panel, provides 
customers the ability and makes it easier to check the status of these 
essential security functionalities such as firewalls, automatic updates and 
antivirus. Windows Security Center will inform users whether key security 
capabilities are turned on and up to date and will notify users if it appears 
that updates need to be made or if additional action steps may need to be taken 
to help them get more secure." 

YES, it requires Administrative privileges to run a malware script...
YES, it requires access to the HD of the target to run a malware script...

So if you don't want to call that a vulnerability, use the word flaw...

Regards.

  • MS XP SP2 Windows Security Center allows spoofing, Jirtme <=
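
Added example (not part of the original post or of any Microsoft code): because the status shown by the Security Center comes from a writable WMI store, a defender can compare what that store claims with the real state of each product's service. The namespace, class and property names below are the XP SP2 layout and are assumptions not stated in the post; `$ServiceMap` and its entries are hypothetical placeholders.

```powershell
# Added example: compare what Security Center's WMI store *claims* with the
# actual state of each product's Windows service.
# Assumptions: XP SP2 layout (root\SecurityCenter namespace, AntiVirusProduct
# and FirewallProduct classes); Windows PowerShell with Get-WmiObject.
# $ServiceMap is a hypothetical admin-maintained table with placeholder names.
$ServiceMap = @{
    'Example AntiVirus' = 'ExampleAvSvc'   # placeholder displayName -> service
    'Example Firewall'  = 'ExampleFwSvc'   # placeholder
}

function Test-WscClaim {
    param($Product, [string]$ClaimProperty)

    $claimed = [bool]$Product.$ClaimProperty
    $name    = [string]$Product.displayName
    $verdict = 'UNVERIFIED (no service mapping)'

    if ($name -and $ServiceMap.ContainsKey($name)) {
        $svc     = Get-Service -Name $ServiceMap[$name] -ErrorAction SilentlyContinue
        $running = [bool]($svc -and $svc.Status -eq 'Running')
        if ($claimed -and -not $running) {
            # The store says "enabled" but nothing is actually running.
            $verdict = 'MISMATCH (claimed enabled, service not running)'
        } elseif ($claimed -eq $running) {
            $verdict = 'consistent'
        } else {
            $verdict = 'service running, WSC reports disabled'
        }
    }
    New-Object PSObject -Property @{
        Product = $name; Claim = $ClaimProperty; Claimed = $claimed; Verdict = $verdict
    }
}

# Class name -> the property that carries the "enabled" claim.
$checks = @{ AntiVirusProduct = 'onAccessScanningEnabled'; FirewallProduct = 'enabled' }
foreach ($class in $checks.Keys) {
    Get-WmiObject -Namespace 'root\SecurityCenter' -Class $class -ErrorAction SilentlyContinue |
        ForEach-Object { Test-WscClaim -Product $_ -ClaimProperty $checks[$class] }
}
```

A `MISMATCH` row means the displayed status cannot be trusted on that machine and the product's own service and logs should be inspected directly.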