Thomas (boggyb) wrote,


WinXP SP2 security flaws

Flaws in SP2 security features

Basically, there's a new feature which warns people about running files that have come from the internet. It works by storing the file's original zone in an extra stream (:Zone.Identifier). Anything from e-mail or internet gets saved with zone identifier 3, which IIRC is the Internet Zone. You try to run the file with explorer, and it warns you about it. The ZoneID stays with the file even if it is moved (as long as the file stays on an NTFS volume). The built-in ZIP utility persists the ZoneID as well. Secure, right?
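To make the mechanism concrete, here is an added example (not code from the original post or from Microsoft) that parses the body of a :Zone.Identifier stream and classifies the file by its zone. The stream is a small INI-style text block with a [ZoneTransfer] section and a ZoneId key; the zone numbers 0 to 4 in ZONE_NAMES are the standard Windows URL zone constants, and the function names are my own. The read_zone_identifier helper only finds a real stream on an NTFS volume under Windows; the sample stream bodies are constructed inline so the parser can be exercised anywhere.

```python
"""Parse and classify the NTFS Zone.Identifier alternate data stream
(the mark that Windows XP SP2 attaches to files saved from e-mail or
the internet). Added example; not from the original post."""

# Standard Windows URL zone numbers; 3 is the Internet zone the post refers to.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse a stream body such as "[ZoneTransfer]\\r\\nZoneId=3\\r\\n".

    Returns the key/value pairs found under [ZoneTransfer], with ZoneId
    converted to int. A missing or malformed ZoneId raises ValueError so a
    caller cannot silently treat an unreadable mark as "local".
    """
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue  # keys outside [ZoneTransfer] are ignored
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no ZoneId under [ZoneTransfer]")
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except ValueError:
        raise ValueError("malformed ZoneId: %r" % fields["ZoneId"])
    return fields


def zone_name(zone_id: int) -> str:
    """Human-readable name for a zone number."""
    return ZONE_NAMES.get(zone_id, "Unknown zone %d" % zone_id)


def is_marked_untrusted(fields: dict) -> bool:
    """True when the file is marked as coming from the Internet or
    Restricted-sites zone, i.e. the cases Explorer warns about."""
    return fields["ZoneId"] >= 3


def read_zone_identifier(path: str):
    """Read and parse the stream attached to a file on disk.

    Works only on an NTFS volume under Windows, where "<path>:Zone.Identifier"
    addresses the alternate data stream. The stream is re-read on every call
    rather than cached, so a file that has since been overwritten is
    re-evaluated. Returns None when no stream (or no file) exists.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


# Constructed sample stream bodies (not captured from a real system).
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET = "[ZoneTransfer]\nZoneId=1\n"

if __name__ == "__main__":
    for body in (SAMPLE_INTERNET, SAMPLE_INTRANET):
        fields = parse_zone_identifier(body)
        print(fields["ZoneId"], zone_name(fields["ZoneId"]),
              "warn" if is_marked_untrusted(fields) else "no warning")
```

The point for a defender is in read_zone_identifier: the decision has to be made from the stream as it exists at the moment of the check, not from an earlier reading, and a mark that cannot be parsed should be treated as an error rather than as "local".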
cmd.exe ignores the ZoneID. So cmd /c evil.exe works. cmd /c evil.gif will also work if evil.gif is a renamed exe (that's nothing new - it's been around since Win2k at least). The report linked to has a possible e-mail using this attack (i.e. convincing someone to run cmd evil.gif). It's easy to see how someone could be taken in, when you consider how well Bagle and its friends did.

There's also another bug - explorer caches the ZoneID information. So if you open a 'good' file in explorer, then overwrite it with your evil.exe, explorer will not read the new ZoneID and so won't warn you.

The best part is that MS appear to be ignoring this bug. See the report for the reply from MS, and also see Microsoft: A matter of trust.
