Thomas (boggyb) wrote,

WinXP SP2 security flaws

Flaws in SP2 security features

Basically, there's a new feature which warns people before they run files that have come from the internet. It works by storing the file's original security zone in an extra NTFS stream (:Zone.Identifier). Anything saved from e-mail or the internet gets zone identifier 3, which IIRC is the Internet Zone. When you try to run the file from Explorer, it warns you about it. The ZoneID stays with the file even if it is moved (as long as the file stays on an NTFS volume), and the built-in ZIP utility persists the ZoneID as well. Secure, right?

cmd.exe ignores the ZoneID. So cmd /c evil.exe runs without any warning. cmd /c evil.gif will also work if evil.gif is a renamed exe (that's nothing new - it's been around since Win2k at least). The report linked to has a possible e-mail using this attack (i.e. convincing someone to run cmd evil.gif). It's easy to see how someone could be taken in, when you consider how well Bagle and its friends did.

There's also another bug - Explorer caches the ZoneID information. So if you open a 'good' file in Explorer, then overwrite it with your evil.exe, Explorer will not re-read the new ZoneID and so won't warn you.
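For anyone who wants to see what the warning actually keys off, here is an added example (my own code, not from the linked report) that parses the text of a :Zone.Identifier stream and reads it from a file on an NTFS volume; the sample stream contents are constructed, and the zone-number names come from the standard URLZONE list.

```python
import configparser
from typing import Optional

# URLZONE numbers that Windows writes into the Zone.Identifier stream.
# 3 (Internet) is what the post describes for files saved from e-mail or
# a browser; 4 (Restricted Sites) is treated the same way by the warning.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what the stream looks like on a downloaded file.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from the text of a Zone.Identifier stream, or None
    when the stream is empty, malformed or has no [ZoneTransfer] section."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        return int(parser.get("ZoneTransfer", "ZoneId"))
    except ValueError:
        return None


def read_zone(path: str) -> Optional[int]:
    """Read the alternate data stream PATH:Zone.Identifier (NTFS only).
    None means no stream: the file was never marked, or the stream was
    dropped by a copy to a non-NTFS volume. Returns None on other OSes too."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def is_marked_untrusted(zone: Optional[int]) -> bool:
    """True for the zones that make Explorer warn before running the file."""
    return zone in (3, 4)
```

Note that, as the post says, this check only happens in Explorer; nothing here changes what cmd.exe does with the file.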

The best part is that MS appear to be ignoring this bug. See the report for the reply from MS, and also see "Microsoft: A matter of trust".
