Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


SP2 Flaw Report Falls Short



 By: Larry Seltzer
2004-08-18
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: The misguided advisory from Heise Security sets unrealistic expectations for a new Windows security feature and then criticizes Microsoft for not meeting them.

When I first saw the advisory "Flaws in SP2 security features," written by Jürgen Schmidt of Heise Security, I just laughed and blew it off as a big nothing. Now, I agree that it illustrates limitations in one of the new security features of Windows XP Service Pack 2. But a flaw? Thats a hard claim to make.

The basic claim of the advisory is that the new file-attachment security features of SP2 have a hole that allows attachments from untrusted sources to be executed in spite of protections Windows claims to provide. What are these protections?

According to Microsofts description of these new capabilities, "Application developers will be able to call the new AES [Attachment Execution Service] dialog box from their Windows applications." It appears that CMD.EXE doesnt do this. This is what Heises Schmidt found.

The AES consists of a single COM interface named IAttachmentExecute. It lets programs do all of the safety tasks, including, I presume, persisting the Zone IDs as the Heise Security advisory mentions. It saves applications from having to do some things they might do on their own.

Resource Library:

Note that the quote from Microsoft doesnt say that these capabilities automatically accrue to all Windows programs; they are new capabilities available to the programmer. The idea is that a program can become "safe," as Outlook Express has, by using this facility. Programs that use them automatically get a display of warnings and information about the program, such as its publisher. Other programs arent using them, and users cant trust them as much.

Click here to read about Microsoft pushing back automatic delivery of Windows XP SP2.

The heart of the scenario in the advisory is a social engineering attack. The user is told to save the file and run it from a command prompt. The author suggests a message that tells the user to Start-Run "CMD" and drag the attached file to the command window.

This is the part that got me laughing initially, and I still have to laugh. Yes, it does appear that the command shell doesnt use the AES and therefore will execute files that Internet Explorer thinks come from untrusted sources. So? Lets imagine that Windows actually somehow changed all file exchanges to use this facility. Other programs behavior would change and potentially break—and guess who would take the heat for it?

This same scenario, I should point out, works beautifully with non-Microsoft browsers. Theres nothing in Mozilla to stop it. If one more instruction is added to the message, using the chmod command, it works just as well in Linux and Unix, too. Is it a "vulnerability" that users are allowed to run programs?

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Just how far are we going to go blaming platforms for social engineering attacks? What do you think of this one?

    From: service@yourcarcompany.com
    To: you
    Subj: vehicle recall

    Our records show that the gas tank in your car model tends to collect dirt deposits. To preserve your vehicle warranty, we recommend that you add a cup of ordinary laundry detergent with each tank of gas.
So, if anyone actually believes this, does it mean that the car is vulnerable to a "detergent attack"? Shouldnt the auto manufacturer have taken steps to prevent this?

The new attachment security in Windows is meant to stop the casual execution of attachments from untrusted sources in the e-mail program where the user encounters them. If the attachments find their way to other environments, such as CMD, theres little Windows can do without seriously getting in the way.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  

More from Larry Seltzer



  Reader Comments: SP2 Flaw Report Falls Short
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r۸j9km"u)%rx:U*$)lk欟/Oo<xӅ|xNR%hݍFw?I9w4ôǤ3ݩc |{֤w.? !ߙF0Bo92tv\{軇d3#L=Vya/ w-m~@M-GW*cOfnƋaz.91rx&h G,gs9"ScO$աNIp'0:G^C]ݱR,RE͌iAw4Ԭ=kSzcG 3G(&$gtjv?ĭ?(Q If%a(5g?LG`B'lǦ" Gm_j|5f938 3z3 wj%NXE ?q74BazHO L"9ˁ,kFpf0閩mȺus*Z+ReP?ߋ*www;6;2ٽSugF?~* E2G -;жD^ԢCi_u{>~nkr m |'kL Z.JX<&ȇ T|5 {3P\㍒~wny%ܲ_/P-]jz[zOa`%pfQ>2Qu?-~k~:E,3SAVU̠`W:+㭩S>=~n_t{{ENZǭg:Rڟl3HokCp='^=zb M u4}G{IE&Ժtt>&9IDz|?!;پBdu#7W=R(y#0ri4(ߦA@w[@ +:YK70ShK_3;nZK}0[=RFp&\ ДaCǘذ 1"%ߨҞye TY&嗋m|*\($ٛ"Gn;z̈+\R@1Al8{Ø*^*뻹(-j\G֛esJVt];3Eя0-px=nOWһ^Z0Wb}PhvZM]qsuV+J,KP @8ʍ??1m!S[ö@ .Si3+k{~L>:NRm)5ٴ>l;4}t>჆$>hhƋMriOLrӇu4A;ͣn]=&tfo7,Abχa`Ns>Fm|&6l d $4o)ssLnM)σ5JCˋF0P= 2/?6a9N@tmS(r`)QmV3-mhZ`1 5f:%ޥ6N\IQ ' dQJ$@!-i]R@Az68 -8,rr4 /~'~zGBJe6Os@PGҹ3vJ|_.τRZ z)0ٜʬ$5M힟u]_ ȉ#m"0%X -'Z Xk5Ʋ fT8TJ >Ҥ75 K9bi]yfe&,`b D%\Ew,Ofsp=7c@Cys[J`p=EiŬ9c߃ 9 xFvKM'95mX0NL}B"+H5L6LhH,ioasYu-yA\#oUMf;aMv"Wv6P0ʇSMrF9;e7S \Лv39n(!+hWY 2cdRUyrt+[f4ݤ|r*#wTB~*)dj~#Jw͸^`3h{q#%IAg =e河xOd:[ֽXKnuEI8{Ұ.R.ei -a-VXt jQVt(:АT um:bXGJG!1~h/a2(Opw{{j`aC_/E\?>2ei[aZPګY37ld tAq!r?-j(6 /gSXSq:hzE>wH;k\O'hr fG ǏipBa e ֤PLM>kQ@/ı``{s7w9pJ.k>uM^\ϗ+]4|zjN > |4'Z>pdZ`/R7:4wҵJ)كI ,ǒR.%&L*'i~?DFQ}G=ܴ>?CU^of-"jXUcjxSC(JzXR*oVX&)R3KuqF'|m>/NTFi Y: ;012& z@jAbv67;gor2A-rfF7V=_`%tmAșY%G:aۤs:n&2006y-0P>\Qr,09|փu8홗[?g`̦Sk`p1\An#>+jm{6~ z&zi0bNw)n<0{L3gJ=6 Pho`$dmPP VZ[zGd!9js-!OR4pg +f[I)xW cIU}ڽKN2`^G}#^^ab>$g~&`}/5.š_IR>$DjwZb8 !,Uށ `i8Fnx{H(}׆̿{%g%e}Aui? `yBѰQvNCB|I{޽'y%%{w/Es5A nTHF_!y[ͫFSLo2YHzI]a "AKuřB9I.Dz=d_Ug0YTtp-̓ cgEw~em`!1ߐdPZC  @RPOh[#NڽvZgp=6" BtX 1tJ1 _RJMQ=#ijqə/PIS):(9Q{0[JӷoHWY;GD{_q-5sz4~&\1Z9ntL{d>o ?$i^K?p𽇻oEpASB9kթ-pOӆO|BYATwJ߃d:$-zdeQfIlx0eRJ锐']J8 z>RB'T5˓$/+IYO)Eqhd*꒐~*~ j&'ءXґ֛]6/6'8{Hpo6+n`e>!G[yRb}b%&h8W߅u^<~xZr)txkiWY^ϗ;'RvS f#m[=rS$6lQ}y:b1 ?nOa7pϲ]ta|`|;FG5];6'cvjQ']9zlm D{O{,Bj8;?P.V=w%hh*6fWyn8: ˳0q1~<,?4fڈb9钋n4+Ҽ?5LZ0c,H~"ZЭ>u?y{ho&<)ǣAlk59obXKwfkv6Ş`4tͥovV<}'i?vݷ;޽¶"CWq k:Y+`*1$XhHnm e_~EVd.tѓ dx|t21@7YUd3tT?#zi16P3-|Cx>y~}I.~([]bO뻬,J骇\v%(c|MZ^|:W%0.ՁKR7D;ư|sKJixkw0Wt<ĩKD? }%}?R{dgG>ž\!)[)?Q*/{93m+As;YjowQiG71e%Um.www. h LxcgfCsN Hˢ.apsBlbd5>Ds2Pq <: )>8Vc"Ql cjGqY?eFi3SjUYT0 g~ dVbwfebp5P9 zW!bd) 'PBbsRA<ͮWkjIlx7F@]DCY?K;ZbҴ1㩭dMܗ}iLHpX~ wJaYc98d7KRg!"J =]LˎZȔoIll-‹wo@JRMٹOC4o.9t&~>0K^"6Bڐ  ڸe; ?fW唪o)sJLLuݺ|)}p$`Cje)Ϛ5ÀH椶=rY ]:ӈSK̫}\[`5~X3o* 4+7=X>< a{,vz~x!n|T Dm<7ĭe_RI-o*,hf,#1qߨHO}铋c7.<ө {<;/KUR"Z a I"H«`WH'T3R۔aΰM 03BX:3_j2Q$PS J*i^=gh5zc+<)T7'ob2O'f>p,l Æ/G^|5 Ԇ|^8 ޲*BɑX竨.au&u9s؆G ܋ 0:YVyfph1W-("um꼲A6z!f529~Hzxhwwww+wi)~]Z\m7f~್9bks[ca"t ]x]f{6jҴa:F[7ñ{/[62MxRJ{vFB!B{\+TGk@x٦ 5a8cH!h"[1bWש pl ~]*VHunyIӾzȞN#ԂXjfXģ[D̏mԓ0^kFI!7:b6C.+FV9%to2Oik5>8ԗ:,ȣt5I&k.YxAff &֗Yo'WUvNrΠZWx!Fܲ{VB\B/~e\.4u\`?JD%R+n_|9'5W32uwmMFܐ{mXoIeڬ5fERroi5[of6௺auV^eGǕ<ͅfF:t)?۬RfW;1}ļD=z( ʬk$I1Ʊ;}_8cET2̭,96df5Ôj_$`ybuIKɸ))W0.Oz[ݸ$n!`vƏ;"A/W z]kF9- W or*2n?mFX(t^qwPVj '*>dWh  g*Dz'q'h."J\Db냒0-)N]Y a C^( #%1w礛{c8bgc8RFooMY+ ,U he+cZrD,?tUHEV./> l?. dP/Z6`;TP3܅m.͂͢EoB tMc%5RՒ|Rӊ,w9]dDo-71j֘1h*B ǯ9-Qj5dRUBI37֠6}Oj6zZC L8`;쭧5nYz|if‹yb+n'-owghDP:QLs7'7g*E[TvX۟K֙;p#  dn-&~iXe>H'*t=jhD&̤Jd i[XCX(+J Pc0uؑZfG@.(r|Ǯ5rsL1|z`{gsܖಈVuζücn?yJ Y#TXC>S)&Z:<~Q-mEr1&P~4쇇0l˖C/0Ƹl4ܵ4Q@%FgJ|xI,zDm#i!',wt:ó]NDB r ݫ?SRmF 96z_`yZܾ\`9>peY &xfVؖmmq.]YٓFJO`srٚmj{6~Lp Ñ`7~uJ0ǘ7Z4J\QG%\0] Om*F&#ZMikxw42u4ƿJ< E)<1_+AjLB(eYiv' .GAцov;p+XWkݷd}exx쀯J"r ,̢qf5+ SxC7)*=E-%=hpaـjcE~E:td‹6ȭ;"&s'?ަ\vD_ _!߰,VIm{7R[ Eꊍ\Dx56f:n[9h][~몇zsgD&#xwM3~ `p,4:flxrCER+o wfA-='Vh c6zSp s)؇c*W~aHE t03{*)F2*mG&^I79mN-i`Ik0'ld Dps<dl9SۈX ji0阿aں5c3bwt]ןY_jt/:G>wۗLQZj*!b3wȣ4ϓo }ro~H'U,%@S "PF: 9n Q&@Ĕv767p>9YxkJ Lma`t.tѦaP/nNxfp͒w\j:rtT {b8+M 5߃3,ȏKlݜ(8SZ1I(tCK/Hzs4w'H_PbޅR-'I]+A !2,=Vr(|[wy |wfE3{8~WBOz%rEeW0`A='92bg44\A%b=k`fڟh`I_i4UEzzW~{AZk<܄m[8Z?V9|9^~9m_.}fbv>H5mk+LJY22 N)3C9-j6"Gd;πW}VX\m#;lFyїU1zũ4 ?Yz ''W^OͦVֆCy'>;j12;Zx Ma`1D*'MMo )nu:E+Mj^+Q_<v<(3ʿB׌+(Z_~NmfwQ__~48ieCSi}>@?d'(kחOrIF9?ϴ/2ʡ{_sfF'c|:'dv2t2;w?;d'EsFeQށNF9E^\dEu݌wAt3OK7C\\f%Կ̨s?=eg_W(u}'O?g~3 Ak(*kh:k Ku1Rrּą)QFy98rEV*SV9,.N3s2 'GY+wU/3yKwS+=}n]˻H^-AીOW}ExvY몮|j7m!ϋ9y}³2wفGh /O WX-Jaġ$Л=̑x7_j nAmzOW4`.{hϦ"di󠮰iPͩȪ9(H+"7<R9Kq`F]QKt-WCtz ̹H3v1X1-H$ΆR% J\ܑN0lzGDd= ̈JA.$`rXR/PK=# .=M^t f 5ϡ'!pA>fJC Dk(1=:6dۨ V,6of!3^8ռD<gu~o2P e +?o9Xj,.#vRQ!+\ęg_ po1iR `-kD҃Yhp䓿 t89tfi[Ìs,i܂zm 4@[4Xݴ)9?g)b|3S7dLdp!gB-ҋKt^T@aD˺UK՞/kf7:aKƈ DUKIn6ɑ"9<;$}uF(s{}&"0 ;Vӄ.򡟼?wwŃq`a\m8q QiC0>fS@Z/`51ꬸXR $L%x}^T6bZYƠ}QO45~/#P< ^_H8݈qd@(e6L6u 1bpajZ\lY8=ۚ9t؆"ʮnǝ)ZO!NufB~:TÓȘ bwr pIi)4Lˌ%4n' i]c 6{Nzs̄0Qx\|0q/=Y}T.q 5sEEאE,&J {kͅ*q8w I7,Nd=:rMhq傃XH1[)#,|HVSP}XO-N-Nk&|cVf&}#KmjcTF\gȌa)x܁AR(~Q nnՂ]#rF31F#qyU YT8T"zK-Ŝz JJ @b S%JuLfoUeTx/ē_| P'H2Gd!᳤c*5S3m-(E.ir};{,ݤd/+2b%m=HY_Ow. ?!#R.ܐOߦ "_Sanhoy>ಁe"}`S so#gTt r!,N"[Pŗ-;1) m+#8)t +e[ O"C24`)zc<9znG}4֢ƘJ:Ɛ9-)0p,\ftG6C|eKz7[5H_d%\"d⮭@FWD0;"6Zi},KE%&(Xp\GAΙ=i3;>Ba2\HGx k͜ԋO0xeҕhOYm0w6L%/#]Z$C`WH؂{!mR>L1e~}=3ӲG(q",@zqt3B Wo,^zXٻ$Ps::hՆG0ޏqY7PRl@ xS ar=Vcm;pSz QmQ-xa[8~n`PCwϏp`2uz/ON7p2$82" $8jo.-wvua4,Lb9"[^QI(`жX,lu KebrYMzS cJ\g'ۂ~c˱Y)iV~LʙcaPֽA5FElT$b.i|Ԃ!gnh]1fnBM .&DW6K54Ƙb޻Yy& W{څGSy6:|,ݐbVS"Nd׊rI-9폭N*D!la,:r3 ⛈Ej z.t1R04xqBaʩȩ(v}_|JѬd;π/(83}E.tqea=Vt*N`wX;yB(O}i9!3 *`gq^k+|vQJe