Security Flaws in Windows XP Service Pack 2 - PowerPoint PPT Presentation

Provided by: lyleSmuE7
Learn more at: https://www.smu.edu



1
Security Flaws in Windows XP Service Pack 2
  • CSE 7339, 9/14/04
  • By Saeed Abu Nimeh

2
Outline
  • Microsoft Introducing SP2
  • Collaboration with the industry
  • What's New in SP2
  • Heise Security Advisory
  • Microsoft's Response
  • References

3
Microsoft Introducing SP2
  • Microsoft releases an SP every year for Win XP.
  • It was supposed to be released in the first half
    of the year.
  • On Friday, August 6, 2004, SP2 was released.
  • Gates: "SP2 modifies less than 5 percent of the
    nearly 3-year-old operating system."

4
Microsoft Introducing SP2
  • Gates: "SP2 is a significant step in delivering
    on our goal to help customers make their PCs
    better isolated and more resilient in the face of
    increasingly sophisticated attacks."
  • "It is the result of sustained investments in
    innovation and extensive industry collaboration."

5
Collaboration with the industry
  • Windows Security Center
    • Symantec: Antivirus, Firewall and Intrusion
      Prevention security solutions are compatible
      with SP2.
  • Data Execution Prevention
    • Intel: improves PC platform security with the
      Execute Disable Bit and Microsoft's Data
      Execution Prevention.
    • AMD: support for AMD Athlon 64-bit desktop and
      mobile processors.
  • Preloaded PCs: working with computer
    manufacturers Dell, HP and IBM to ship machines
    preloaded with SP2 beginning in September and
    October.

6
What's New in SP2
  • SP2 reduces the most common attack vectors four
    ways:
  • Network protection
  • Memory protection
  • More secure browsing
  • E-mail security and Safer message handling
  • Improved computer maintenance

7
Network Protection
  • Windows Firewall (Internet Connection Firewall,
    ICF)
    • Enabled by default.
    • The firewall turns on very early in the system
      boot cycle and turns off very late in the
      shutdown cycle.
    • Enhanced Group Policy settings, with support
      for IPv6.
  • Remote Procedure Call (RPC)
    • Permissions to block services.
  • Distributed Component Object Model (DCOM)
    • Restrictions to reduce the risk: only
      authenticated administrators can remotely
      activate and launch COM components.
  • The Windows Messenger Service is disabled by
    default.

8
Memory protection
  • Execution Protection (NX)
    • Marks all memory locations in a process as
      non-executable unless the location explicitly
      contains executable code.
    • The only processors that support NX are the
      64-bit AMD K8 and Intel Itanium.
  • Sandboxing
    • Stack: all binaries in the system are recompiled
      with buffer security checks enabled, so the
      runtime libraries can catch stack buffer
      overruns.
    • Heap: "cookies" have been added to the heap so
      the runtime libraries can catch most heap
      buffer overruns.

9
E-mail security
  • The new Outlook Express blocks images and
    external content in HTML e-mail.
  • E-mail can be viewed in plain text mode.
  • Attachment Execution Service (AES)
    • Looks at the file extension.
    • Can look up the associated application for a
      given MIME type and file extension.

10
Secure browsing
  • Add-on Management Tool
    • View and control the list of add-ons that can
      be loaded by IE.
    • Shows the presence of some add-ons that were
      previously not shown and could be very
      difficult to detect.
  • Add-on Crash Detection
    • Detects crashes in IE that are related to an
      add-on and gives the user the option to disable
      add-ons.
  • Attachment Execution Service (AES)
    • ActiveX script cannot be viewed in IE.
  • Pop-up Manager: blocks pop-ups.

11
Computer Maintenance
  • Windows Update 5
    • Scans for, downloads, and installs only the
      critical and security updates.
  • Windows Installer 3
    • Enhanced inventory functions that identify
      which patch components do and don't need to be
      downloaded.
    • Supports Microsoft's delta compression
      technology, which makes patches smaller.

12
Heise Security Advisory
  • On August 13, 2004, Heise Security posted an
    advisory, "Flaws in SP2 security features", by
    Jürgen Schmidt.
  • There are two flaws:
    • A cmd issue: the Windows command shell cmd
      ignores zone information and starts executables
      without warnings.
    • The caching of ZoneIDs in Windows Explorer:
      Windows Explorer does not update zone
      information properly when files are
      overwritten.

13
The cmd Issue
  • The command shell cmd.exe ignores the ZoneID of
    files:
    • cmd /c evil.exe
    • cmd /c evil.gif
  • Both execute the file without warning, regardless
    of its ZoneID.
  • E-mail with an attachment Access.gif: you cannot
    open it, unless it is opened from cmd.

14
Windows Explorer caching of ZoneIDs
  • Windows Explorer caches the result of ZoneID
    lookups.
  • If a file is overwritten, Explorer does not
    properly update this cached information to
    reflect the new ZoneID.
  • This allows spoofing of trusted or non-existent
    ZoneIDs by overwriting files with trusted or
    non-existent ZoneIDs.

15
Windows Explorer caching of ZoneIDs
  • Copy notepad to a new file:
    • > copy c:\windows\notepad.exe test.exe
  • Open test.exe in Explorer: no warning.
  • evil.exe is a file saved from an e-mail
    attachment and has ZoneID=3.
  • Check with your editor by opening
    "evil.exe:Zone.Identifier". It displays ZoneID=3.
  • Open evil.exe in Explorer: you will be warned.

16
Windows Explorer caching of ZoneIDs
  • Overwrite the copy of notepad.exe:
    • > copy evil.exe test.exe
  • test.exe:Zone.Identifier displays ZoneID=3.
  • Open test.exe in Explorer: no warning!
  • test.exe is launched without warning despite its
    ZoneID=3.
  • In the file properties, Explorer shows the
    correct notice about its origin, but for opening
    the file the old ZoneID status is used.
  • Double-check: kill the Explorer task, restart it
    and launch test.exe; you will be warned.
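The check the advisory performs by hand on slides 15 and 16 (opening evil.exe:Zone.Identifier in an editor and reading ZoneID=3), as an added Python example that is not part of the presentation: it parses the stream's [ZoneTransfer] section, reads it from disk through the NTFS file:Zone.Identifier syntax, and flags Internet- or Restricted-zone files from the on-disk mark rather than from Explorer's cached lookup. The zone-number names and the untrusted_files helper are my assumptions.

```python
# Added example, not from the presentation: read the NTFS Zone.Identifier
# alternate data stream that records a downloaded/attached file's ZoneID.
import os
import re
from typing import List, Optional

# URLMON security-zone numbers (assumed mapping, not stated on the slides).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# The stream is INI-like: a [ZoneTransfer] section containing ZoneId=<n>.
ZONE_ID_RE = re.compile(r"^\s*ZoneId\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)

def parse_zone_id(stream_text: str) -> Optional[int]:
    """ZoneId from Zone.Identifier stream text, or None if it carries none."""
    if "[zonetransfer]" not in stream_text.lower():
        return None  # not a Zone.Identifier stream at all
    match = ZONE_ID_RE.search(stream_text)
    return int(match.group(1)) if match else None

def read_zone_id(path: str) -> Optional[int]:
    """Read <path>:Zone.Identifier from disk (NTFS on Windows only).
    None means no mark: the file was not saved by a zone-aware application
    such as Outlook Express or Internet Explorer."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_id(f.read())
    except OSError:
        return None

def zone_label(zone_id: Optional[int]) -> str:
    """Human-readable form, e.g. 'ZoneID=3 (Internet)'."""
    if zone_id is None:
        return "no Zone.Identifier (treated as local)"
    return f"ZoneID={zone_id} ({ZONE_NAMES.get(zone_id, 'unknown zone')})"

def untrusted_files(directory: str) -> List[str]:
    """Files in `directory` marked Internet (3) or Restricted (4). Reading the
    stream directly sidesteps Explorer's cached lookup, which the advisory
    shows going stale when a marked file overwrites an unmarked one."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and read_zone_id(full) in (3, 4):
            flagged.append(name)
    return flagged

# Constructed sample: what the slides' "evil.exe:Zone.Identifier" would show.
print(zone_label(parse_zone_id("[ZoneTransfer]\r\nZoneId=3\r\n")))  # ZoneID=3 (Internet)
```

Run it on the directory holding test.exe after the overwrite step: the stream reports ZoneID=3 even while a stale Explorer still opens the file without a warning.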

17
Microsoft's Response
  • "We have investigated your report, as we do with
    all reports, however in this case, we don't see
    these issues as being in conflict with the design
    goals of the new protections. We are always
    seeking improvements to our security protections
    and this discussion will certainly provide
    additional input into future security features
    and improvements, but at this time we do not see
    these as issues that we would develop patches or
    workarounds to address."

18
References
  • Wired News, "Microsoft Releases Service Pack 2",
    http://www.wired.com/news/infostructure/0,1377,64514,00.html
  • Microsoft Press, "Microsoft Releases SP2 with
    Advanced Security Technologies to Computer
    Manufacturers",
    http://www.microsoft.com/presspass/press/2004/aug04/08-06WinXPSP2LaunchPR.asp
  • Windows XP Service Pack 2 Overview, White Paper,
    February 2004
  • Windows XP Service Pack 2,
    http://www.updatexp.com/windows-xp-service-pack-2.html
  • Steve Friedl, "Analysis of Microsoft XP Service
    Pack 2", http://www.unixwiz.net/techtips/xp-sp2.html
  • Heise Security Advisory,
    http://www.heise.de/security/artikel/50051/0