WinXP SP2 security flaws
[Wednesday 18th August 2004 at 10:56 am]
[The Black Gate Opens ~ Howard Shore/The Return of the King]
Flaws in SP2 security features
Basically, there's a new feature that warns people before they run files that came from the internet. It works by storing the file's original zone in an extra NTFS stream (:Zone.Identifier). Anything saved from e-mail or the web gets zone identifier 3, the Internet Zone. When you try to run the file from Explorer, it warns you about it. The ZoneID stays with the file even if it is moved (as long as the file stays on an NTFS volume), and the built-in ZIP utility persists the ZoneID to extracted files as well. Secure, right?
cmd.exe ignores the ZoneID, so cmd /c evil.exe runs the file with no warning at all. cmd /c evil.gif will also work if evil.gif is a renamed exe (that's nothing new; it's been around since Win2k at least). The report linked to has a possible e-mail using this attack (i.e. convincing someone to run cmd evil.gif). It's easy to see how someone could be taken in, when you consider how well Bagle and its friends did.
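As an added example (not code from the original post, and not Microsoft's), the following PowerShell script stamps a harmless file with the same Zone.Identifier stream that SP2 writes for an Internet-zone download, reads it back, shows that it survives a rename to .gif on NTFS, and implements the zone check that Explorer performs and cmd.exe skips. It assumes PowerShell 3.0 or later (for the -Stream parameter and Unblock-File) on an NTFS volume; Get-ZoneId and Invoke-IfTrusted are helper names chosen for this example.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ on NTFS.
$dir = Join-Path $env:TEMP 'zoneid-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'sample.txt'
Set-Content -Path $file -Value 'harmless content'

# This is the stream contents SP2's attachment handling writes for a file
# saved from the Internet Zone (ZoneId=3).
Set-Content -Path $file -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-ZoneId {
    # Returns the ZoneId from the Zone.Identifier stream, or $null if there is none.
    param([string]$Path)
    try {
        $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

Get-ZoneId $file          # 3 (Internet Zone)

# Renaming or moving within an NTFS volume keeps the stream, even with a .gif name.
$moved = Join-Path $dir 'renamed.gif'
Move-Item -Path $file -Destination $moved
Get-ZoneId $moved         # still 3

function Invoke-IfTrusted {
    # The check Explorer does and cmd.exe does not: refuse files tagged
    # Internet (3) or Restricted Sites (4) instead of launching them.
    param([string]$Path)
    $zone = Get-ZoneId $Path
    if ($null -ne $zone -and $zone -ge 3) {
        Write-Warning "$Path came from zone $zone; not launching."
        return $false
    }
    Start-Process -FilePath $Path -Wait
    return $true
}

Invoke-IfTrusted $moved   # warns and returns $false

# Removing the stream is what the "Unblock" button in the file's properties does.
Unblock-File -Path $moved
Get-ZoneId $moved         # $null
```

Copying the file to a FAT volume (a USB stick, say) also drops the stream, since FAT has no alternate data streams; that is the same limitation the post notes about the tag only surviving on NTFS.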
There's also another bug: Explorer caches the ZoneID information. So if you open a 'good' file (one with no ZoneID) in Explorer, then overwrite it with your evil.exe, Explorer will not re-read the ZoneID and so won't warn you.
The best part is that MS appear to be ignoring this bug. See the report for the reply from MS, and also see Microsoft: A matter of trust.