'Twas brillig, and the slithy toves did gyre and gimble in the wabe

WinXP SP2 security flaws [Wednesday 18th August 2004 at 10:56 am]

[Feeling |amused]
[Playing |The Black Gate Opens ~ Howard Shore/The Return of the King]

Flaws in SP2 security features

Basically, there's a new feature which warns people about running files that have come from the internet. It works by storing the file's original zone in an extra stream (:Zone.Identifier). Anything from e-mail or internet gets saved with zone identifier 3, which IIRC is the Internet Zone. You try to run the file with explorer, and it warns you about it. The ZoneID stays with the file even if it is moved (as long as the file stays on an NTFS volume). The built-in ZIP utility persists the ZoneID as well. Secure, right?


cmd.exe ignores the ZoneID. So cmd /c evil.exe works. cmd /c evil.gif will also work if evil.gif is a renamed exe (that's nothing new - it's been around since Win2k at least). The report linked to has a possible e-mail using this attack (i.e. convincing someone to run cmd evil.gif). It's easy to see how someone could be taken in, when you consider how well Bagle and its friends did.

There's also another bug - explorer caches the ZoneID information. So if you open a 'good' file in explorer, then overwrite it with your evil.exe, explorer will not read the new ZoneID and so won't warn you.

The best part is that MS appear to be ignoring this bug. See the report for the reply from MS, and also see Microsoft: A matter of trust.
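An added example (not from the original post or the linked report): a Python script that reads the :Zone.Identifier stream described above and lists every marked file under a folder, so the mark can be checked directly rather than relying on whichever program launches the file to honour it. It assumes the stream holds INI-style text with a [ZoneTransfer] section and a ZoneId value; the function names and the sample text are constructed for this example.

```python
import os
import sys

# Standard URL security zone numbers used in the ZoneId value.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Return the ZoneId from the stream's INI-style text, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")      # tolerate a leading BOM
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None                  # malformed value: no usable mark
    return None

def read_zone(path):
    """Read path:Zone.Identifier (Windows on NTFS only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None                              # no stream, or not NTFS/Windows

def audit(root):
    """Yield (path, zone) for every file under root that carries a zone mark."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            zone = read_zone(path)
            if zone is not None:
                yield path, zone

# Constructed sample of the stream contents for a file saved from the internet.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"

if __name__ == "__main__":
    for path, zone in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{zone} ({ZONES.get(zone, 'unknown')})\t{path}")
```

A file that was copied through a non-NTFS volume shows up here with no mark at all, which matches the caveat above about the ZoneID only surviving on NTFS.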
