SP2 Flaw Report Falls Short

Opinion: The misguided advisory from Heise Security sets unrealistic expectations for a new Windows security feature and then criticizes Microsoft for not meeting them.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

When I first saw the advisory "Flaws in SP2 security features," written by Jürgen Schmidt of Heise Security, I just laughed and blew it off as a big nothing. Now, I agree that it illustrates limitations in one of the new security features of Windows XP Service Pack 2. But a flaw? Thats a hard claim to make.

The basic claim of the advisory is that the new file-attachment security features of SP2 have a hole that allows attachments from untrusted sources to be executed in spite of protections Windows claims to provide. What are these protections?

According to Microsofts description of these new capabilities, "Application developers will be able to call the new AES [Attachment Execution Service] dialog box from their Windows applications." It appears that CMD.EXE doesnt do this. This is what Heises Schmidt found.

The AES consists of a single COM interface named IAttachmentExecute. It lets programs do all of the safety tasks, including, I presume, persisting the Zone IDs as the Heise Security advisory mentions. It saves applications from having to do some things they might do on their own.

Note that the quote from Microsoft doesnt say that these capabilities automatically accrue to all Windows programs; they are new capabilities available to the programmer. The idea is that a program can become "safe," as Outlook Express has, by using this facility. Programs that use them automatically get a display of warnings and information about the program, such as its publisher. Other programs arent using them, and users cant trust them as much.

/zimages/1/28571.gifClick here to read about Microsoft pushing back automatic delivery of Windows XP SP2.

The heart of the scenario in the advisory is a social engineering attack. The user is told to save the file and run it from a command prompt. The author suggests a message that tells the user to Start-Run "CMD" and drag the attached file to the command window.

This is the part that got me laughing initially, and I still have to laugh. Yes, it does appear that the command shell doesnt use the AES and therefore will execute files that Internet Explorer thinks come from untrusted sources. So? Lets imagine that Windows actually somehow changed all file exchanges to use this facility. Other programs behavior would change and potentially break—and guess who would take the heat for it?

This same scenario, I should point out, works beautifully with non-Microsoft browsers. Theres nothing in Mozilla to stop it. If one more instruction is added to the message, using the chmod command, it works just as well in Linux and Unix, too. Is it a "vulnerability" that users are allowed to run programs?

/zimages/1/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Just how far are we going to go blaming platforms for social engineering attacks? What do you think of this one? From: service@yourcarcompany.com
To: you
Subj: vehicle recall

Our records show that the gas tank in your car model tends to collect dirt deposits. To preserve your vehicle warranty, we recommend that you add a cup of ordinary laundry detergent with each tank of gas.
So, if anyone actually believes this, does it mean that the car is vulnerable to a "detergent attack"? Shouldnt the auto manufacturer have taken steps to prevent this?

The new attachment security in Windows is meant to stop the casual execution of attachments from untrusted sources in the e-mail program where the user encounters them. If the attachments find their way to other environments, such as CMD, theres little Windows can do without seriously getting in the way.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/1/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. /zimages/1/77042.gif

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: /zimages/1/19420.gif http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

More from Larry Seltzer