1 / 18

Security Flaws in Windows XP Service Pack 2

Security Flaws in Windows XP Service Pack 2. CSE 7339 9/14/04 By: Saeed Abu Nimeh. Outline. Microsoft Introducing SP2 Collaboration with the industry What’s New in SP2 Heise Security Advisory Microsoft’s Response References. Microsoft Introducing SP2.

lane-lowery
Télécharger la présentation

Security Flaws in Windows XP Service Pack 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Flaws in Windows XP Service Pack 2 CSE 7339 9/14/04 By: Saeed Abu Nimeh

  2. Outline • Microsoft Introducing SP2 • Collaboration with the industry • What’s New in SP2 • Heise Security Advisory • Microsoft’s Response • References

  3. Microsoft Introducing SP2 • Microsoft releases a SP every year for Win XP. • It was supposed to be released in the first half of the year. • Friday, August 6, 2004 SP2 was released. • Gates: “SP2 modifies less than 5 percent of the nearly 3-year-old operating system”.

  4. Microsoft Introducing SP2 • Gates: “SP2 2 is a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks“. • “It is the result of sustained investments in innovation and extensive industry collaboration.“

  5. Collaboration with the industry • Windows Security Center: • Symantec: Antivirus, Firewall and Intrusion Prevention security solutions are compatible with SP2. • Data execution prevention: • Intel: Improve security PC platform by Execute Disable Bit and Microsoft's Data Execution Prevention • AMD: Support for AMD Athlon 64-bit desktop and mobile processors • Preloaded PCs: Working with computer manufacturers: Dell, HP and IBM to ship machines preloaded with SP2 beginning in September and October.

  6. What’s New in SP2 • SP2 reduces the most common attack vectors four ways: • Network protection • Memory protection • More secure browsing • E-mail security and Safer message handling • Improved computer maintenance

  7. Network Protection • Windows Firewall (Internet Connection Firewall-ICF): • Is enabled by default. • The firewall turns on very early in the system boot cycle, and turns off very late in the shutdown cycle. • Enhanced Group Policy settings to support IPv6. • Remote Procedure Call (RPC): • Permissions to block services. • Distributed Component Object Model (DCOM): • Restrictions to reduce the risk, only authenticated administrators can remotely activate and launch COM components. • Disabling the Windows Messenger Service by default

  8. Memory protection • Execution Protection (NX) • Marks all memory locations in a process as non-executable unless the location explicitly contains executable code. • Only processors that support NX are the 64-bit AMD K8 and Intel Itanium. • Sandboxing: • Stack: All binaries in the system recompiled with buffer security checks “enabled” to allow the runtime libraries to catch stack buffer overruns, • Heap: "cookies" have been added to the heap to allow the runtime libraries to catch most heap buffer overruns

  9. E-mail security • New OutlookExpress to block images and external content in HTML email. • View email in plain text mode • Attachment Execution Service (AES) • It looks at the file extension. • It can look up the associated application for a given MIME type and file extension

  10. Secure browsing • Add-on Management Tool • View and control the list of add-ons that can be loaded by IE. • Shows the presence of some add-ons that were previously not shown and could be very difficult to detect. • Add-on Crash Detection: • Detect crashes in IE that are related to an add-on, and gives the user the option to disable add-ons • Attachment Execution Service (AES) • Can not view ActiveX script in IE. • Pop-up Manager: Block Pop-ups

  11. Computer Maintenance • Windows Update 5 • Scan for, download, and install only the critical and security updates • Windows Installer 3 • Enhanced inventory functions that identify what patch components do and don't need to be downloaded, • Supports Microsoft's “delta compression” technology, which makes patches smaller

  12. Heise Security Advisory • August, 13, 2004 Heise Security posted an advisory “Flaws in SP2 security features” by Jürgen Schmidt • There are two flaws: • a cmd issue: The Windows command shell cmd ignores zone information and starts executables without warnings. • The caching of ZoneIDs in Windows Explorer: Windows Explorer does not update zone information properly when files are overwritten.

  13. The cmd Issue • The command shell cmd.exe ignores the ZoneID of files: • cmd /c evil.exe • cmd /c evil.gif • Execute the files without warning, regardless of its ZoneID • Email with an attachment Access.gif • You can not access it, unless its opened from cmd

  14. Windows Explorer caching of ZoneIDs • Windows Explorer caches the result of ZoneID lookups. • If a file is overwritten, Explorer does not properly update this cached information to reflect the new ZoneID. • This allows spoofing of trusted or non-existant ZoneIDs by overwriting files with trusted or non-existent ZoneIDs.

  15. Windows Explorer caching of ZoneIDs • Copy notepad to a new file. • > copy c:\windows\notepad.exe test.exe • Open test.exe in Explorer: no warning. • evil.exe is a file saved from an e-mail attachment and has ZoneID=3. • Check with your editor by opening "evil.exe:Zone.Identifier". It displays: ZoneID=3 • Open evil.exe in Explorer: you will be warned.

  16. Windows Explorer caching of ZoneIDs • Overwrite the copy of notepad.exe: • > copy evil.exe test.exe • test.exe:Zone.Identifier displays: ZoneID=3 • Open test.exe in Explorer: no warning! • test.exe is launched without warning despite of its ZoneID=3. • In the file properties, Explorer shows the correct notice about its origin, but for opening the file the old ZoneID-status is used. • Doublecheck: Kill the Explorer task, restart it and launch test.exe: you will be warned.

  17. Microsoft’s Response • "We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."

  18. References • Wired News, Microsoft Releases Service Pack 2, URL: http://www.wired.com/news/infostructure/0,1377,64514,00.html • Microsoft Press, Microsoft Releases SP2 with Advanced Security Technologies to Computer Manufacturers, URL: http://www.microsoft.com/presspass/press/2004/aug04/08-06WinXPSP2LaunchPR.asp • Windows XP Service Pack 2 Overview, White Paper, February 2004 • Windows XP Service Pack 2, URL: http://www.updatexp.com/windows-xp-service-pack-2.html • Steve Friedl, Analysis of Microsoft XP Service Pack 2, URL: http://www.unixwiz.net/techtips/xp-sp2.html • Heise Security Advisory, URL: http://www.heise.de/security/artikel/50051/0

More Related