New Windows Attack Can Disable Firewall

Posted by ScuttleMonkey on Tue Oct 31, 2006 02:40 AM
from the he-shoots-he-scores dept.
BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."
  • by Grendel Drago (41496) on Tuesday October 31 2006, @02:46AM (#16654417) Homepage
    Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?
    • >Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway?

      Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.
      • >Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.

        None of those things require Internet Connection Sharing, and I would argue it's not even the easiest or most common way to achieve them. Virtually anyone with a consumer DSL offering can just plug their computers (or printers, or network storage devices) right into one of the RJ45

        • It was useful on Windows 98 when so many people were limited to using modems for internet access
          ...and once again the US assumes everyone else in the world has DSL and 4 port modems.

          Hello, a lot of people still use 56K modems to connect to the net. The biggest ISPs in Australia supply a USB-only DSL modem when you sign up. These people rely on ICS.
          • >The biggest ISPs in Australia supply a USB-only DSL modem when you sign up.
            My parents signed up with Telstra and were offered either a free USB or a (single port) ethernet modem. Naturally, I told them to choose the latter.
          • >...and once again the US assumes everyone else in the world has DSL and 4 port modems.

            I'm not from the US, and FYI all the other countries in the developed world do pretty much all have broadband, with 4 port DSL modems (from the likes of Netgear, ZyXEL, etc.) being very much the norm.

            >Hello, a lot of people still use 56K modems to connect to the net.

            Indeed, but those are not usually people with more than one computer - because people with more than one computer are the sort of people that will just get cab
      • Please see here:
        http://isc.sans.org/diary.php?storyid=1809 [sans.org]

        MS Cluster Service will not work without ICS running, it is used for internal NAT handling.

        So the problem is much more widespread than small LANs using ICS.
    • According to this SANS article [sans.org], the DoS attack comes from outside.

      If I understand correctly, it is done with a corrupted DNS reply packet.
  • by RLiegh (247921) * on Tuesday October 31 2006, @02:48AM (#16654425) Homepage Journal
    If the graphics applications you use require Windows, and all of the major firewall vendors are bloated (Symantec), worthless (Kerio) or both (McAfee), then what can you do?
    • by oGMo (379) on Tuesday October 31 2006, @03:14AM (#16654579)

      A few things:

      • Keep all your broken (Windows) boxes in a heavily-firewalled subnet (and make sure the firewall is something secure, i.e., not Windows)
      • Don't put the broken box on the network at all
      • Run your app in a VM
      • Find a new app
    • Having the machines behind a NAT router should stop a lot of attacks. And if that isn't enough, find a NAT router with a built-in firewall (or add an extra firewall appliance such as an old PC with Linux on it).

      I have yet to see a Windows-based firewall that doesn't suck.
      • >Having the machines behind a NAT router should stop a lot of attacks. And if that isn't enough, find a NAT router with a built-in firewall (or add an extra firewall appliance such as an old PC with Linux on it).

        Seems like good advice - no matter what your OS is. Not much to pay for another (solid) layer of security, and the second option is a nice way to recycle old PCs.

    • Re: (Score:3, Interesting)

      >worthless (Kerio)

      Uh... Is there something I missed in the last weeks/months? No, I'm not implying that I heard exactly the opposite, but it sounds like there are serious security holes in the old Kerio firewall, although I was always convinced it's still one of the better free ones out there. And I really must have missed the news then...

      Up to now, I was sticking to Kerio on Windows. Especially because of its rather powerful options to filter single applications, addresses, ports and plenty of other manually

    • You use an IPS/IDS appliance that goes up to level 7.
    • You can use Outpost (firewall + spyware protection), or Norman (all that and good antivirus).
      • This is the only truly safe thing you can do: repartition and format your drive and reinstall with the internet disconnected. You can also install firewalls et al. that other people on this thread are suggesting. Install and configure your main applications. Then, make an image* of the drive.
        When you use your computer for important stuff, save your data to external drives.
        Then every few days, restore the image. Once you've learned how to do it it will take about 5 minutes which is actually quite a bit faster th
  • by Anonymous Coward

    What were those engineers thinking? A data packet, the thing a firewall is filtering to some point, can disable the firewall? Who thought it would be a nice feature to have that?

    "We need a firewall of our own!"
    "Why?"
    "To keep our monopoly; those firewall and antivirus companies are making money that should be in our pockets."
    "But antitrust..?"
    "We say it's because we want to have a secure system, it should've been in the first place. Those companies have no case! >:D"
    "But even we cannot access their

  • I never used Windows Firewall on my PC - I used Zonealarm or Tiny Personal Firewall. Why? Because given how many security holes XP had - and probably still has - I wouldn't trust my security to it. And lo and behold, here we are.
  • by DavidD_CA (750156) on Tuesday October 31 2006, @03:09AM (#16654553) Homepage
    So for this attack to work, according to the article...

    1) The attacker has to be on the LAN already, or executing code from a PC on the LAN

    2) The LAN has to be connected to the internet through a PC using ICS, and

    3) There can be no external firewall device such as a router sitting between the LAN and the internet

    While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.
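The comment above boils the story down to one fact: on XP the firewall and ICS live in a single service, so crashing ICS silently takes the firewall with it. As an added example (not from the article or any commenter), here is a PowerShell watchdog that polls that service and logs or restarts it when it has stopped; it assumes the service short name is SharedAccess (as on XP SP2), that the script runs with rights to start services, and a log path under %TEMP%.

```powershell
# Added example: watch the XP service that hosts both ICS and the Windows Firewall.
# Assumption (not from the page): the service short name is SharedAccess, whose
# display name on XP SP2 is "Windows Firewall/Internet Connection Sharing (ICS)".
$ServiceName = 'SharedAccess'
$LogPath     = Join-Path $env:TEMP 'sharedaccess-watch.log'   # assumed log location

function Get-FirewallServiceState {
    # Returns the current state plus the services that depend on it, so an alert
    # shows what else went down when ICS terminated.
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    New-Object PSObject -Property @{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        Status      = $svc.Status
        Dependents  = ($svc.DependentServices | ForEach-Object { $_.Name }) -join ','
    }
}

function Write-WatchLog([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append
}

# Poll every 30 seconds. An unexpected Stopped state is exactly the symptom the
# article describes: ICS crashed by a bad packet and took the firewall with it.
while ($true) {
    $state = Get-FirewallServiceState
    if ($state.Status -ne 'Running') {
        Write-WatchLog "ALERT: $($state.DisplayName) is $($state.Status); dependents: $($state.Dependents)"
        try {
            Start-Service -Name $ServiceName
            Write-WatchLog "Restarted $ServiceName"
        } catch {
            Write-WatchLog "Restart failed: $($_.Exception.Message)"
        }
    }
    Start-Sleep -Seconds 30
}
```

Restarting the service only closes the window during which the host is unfiltered; it does not fix the crash itself, which is why several commenters recommend not exposing a Windows box as the gateway at all.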
  • >The exploit depends on the use of Microsoft's Internet Connection Service.
    Is ICS not Internet Connection Sharing?
  • When they advertise that XP installations come with a firewall, they in fact mean that XP installations come installed with a wall of fire. The EULA clearly states that, somewhere near the bottom next to the pictures of cats and the sudoku puzzles, because no-one ever reads that far...
  • Windows has a firewall?

    ....sorry, please continue :)

  • Come on people. Routers are cheap. It is better to use a hardware router instead of a Windows machine as a router. At home, I run a 300MHz Pentium II as a router. At the office, a router is used.

    Everyone knows Windows is insecure. It only costs $30/$40 for a router. $29 for a D-Link DI-704P 4-Port Cable/DSL Router at outpost.com

  • by RAMMS+EIN (578166) on Tuesday October 31 2006, @04:53AM (#16655085) Homepage Journal
    Why does Windows get all the press? It's not fair! I want to see some coverage of stupid holes in Linux and the free BSDs!
  • by db32 (862117) on Tuesday October 31 2006, @06:31AM (#16655601) Journal
    So I see dozens of comments about "It's no big deal, you have to be on the LAN". Am I the only one that hasn't forgotten how common wireless networks are and how trivial it is to gain access to most of them?
    • >Too cheap to buy a free after rebate router?

      Personally speaking; I just hate letting my old k6-2 sit around and gather dust. Some slackware and a little cut and paste from the NAT HOWTO and it makes a fine file serving/ICS machine.
      • The drawback of that approach is that you have yet another large box with noisy fans using 10 times the amount of power a router would use. But if you need a file server anyway...
      • I've got a 200 MHz Pentium (also slackware) doing my NAT and firewalling ... easily handles 10 Mbps. I've read that even an ancient, free (100 MHz) linux router can do 50 Mbps. I think the best approach in layered network security is diversification of your defences; maybe a Linux or BSD router, but still have the desktop PCs run their own firewalls.
    • Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag. The question is: what is it that makes you think you've never had a virus/been compromised? You haven't noticed anything? Perhaps McAfee or Norton didn't find anything so you assume you are clear? Sadly my friend, it is very possible your machine has been compromised by a virus or worm and you are simply unaware of it. The worst kinds of malware are not detected
      • >...in fact some are not even detectable in any way.

        What rubbish. If it's on the machine it's detectable. It may not be easy, but you'll find it eventually if you look hard enough.

        • Re: (Score:3, Informative)

          In theory, yes. But you'd need to reboot the OS into some kind of diagnostics otherwise you're asking the OS to attest to itself - and if it's been trojaned, you can't trust the OS because the first thing any sensible trojan will do is cover its own tracks.

          In practice, if you want a 100% guarantee that any malware has been eradicated, the only solution is a rebuild.
    • I turned mine off when I discovered it was blocking the winsock control even though I'd given the application USING the winsock control full access. It also slowed down email retrieval by a factor of ten. I tested it several times, firewall on and firewall off, and proved it to my own satisfaction. So, out the window with that particular feature.
      • Personal firewalls do not protect you against viruses; anti-virus products do that. Personal firewalls protect you from hackers and worms, primarily. And good personal firewalls do egress filtering, which the MS firewall does poorly at best.
        • A router does nothing to protect you from other hosts within the network.
          • Re: (Score:3, Interesting)

            You've most probably been buying crap routers. D-Link, Belkin, Linksys, Netgear - for chuff's sake, they might as well be branded "Barbie (or Action Man) My First Router". Treat yourself to a nice ZyXEL router, and you might forget you even have a router in your network.
            • Re: (Score:3, Insightful)

              Actually, he's probably partly referring to the routers flooding their wireless connection, which happens with ZyXEL routers too.
              http://www.tomsnetworking.com/lans_routers/charts/index.html?chart=124 [tomsnetworking.com]
              You set up a p2p app like BitTorrent that is willing to use a lot of simultaneous connections and it floods your router and your connection drops.
              Of course, it does sound like a lot of routers (1 a month?) to go through, so if he's returning a lot of dead routers, a power problem in the home is possible.
              • Re: (Score:3, Interesting)

                The smaller ZyXel routers use a traditional transformer power pack with 12V AC output. Judging by the temperature rise, the on-board regulator is most probably a switched-mode type. I'd guess this would be quite tolerant of power surges, just with the presence of a mains transformer (hefty inductance; doesn't like rapidly-changing current). The "surge suppressor coils" found in cheap, switched-mode power packs are laughable. A well-designed power supply should fail safely and protect the connected equi
                • Re: (Score:3, Insightful)

                  >As for the wireless stuff, well, that's too bad. But your computer already needs one connection to the wall to get its power. Will one more for data kill you?

                  No, but my girlfriend nearly did when I started laying bright yellow cat5 cable in the house...
    • >How is this new?

      RTFA. It's new because it is a specific attack that's just been discovered. If you still don't think it's new, look up the word "specific" in a dictionary and see if you can figure it out. Hint: No one is claiming that it's a new kind of attack.

      >Any attack worth its salt disables the firewall first thing.

      The hell it does. Are you sure you know what a firewall is?

      Most attacks these days would completely ignore the firewall, and look for a way around it. Once inside, the only point to disab

    • >Saying this is news is like telling people AIDS is linked to death.

      You think that's bad? Recent research shows life is linked to death.