Sp2 Flaw That Nobody Saw


kabal1234

SP2 flaw that nobody saw

By Sam Varghese

December 17, 2004 - 9:59AM

From: The Age - Australia

A critical update for the second service pack issued for Windows XP was quietly released by Microsoft on Tuesday without any mention of it on the company's main security page.

The flaw, which could leave a computer open to anyone on the internet when the user connects through a dial-up connection, was instead mentioned in an article in the company's Knowledge Base.

According to the article, the computer of a user becomes accessible to anyone on the net because of the way Windows Firewall interprets local subnets when the "My network (subnet) only" option is used.

"Because of the way that some dialing software configures routing tables, Windows Firewall in Windows XP SP2 can sometimes interpret the whole internet to be a local subnet. This can let anyone on the internet access the Windows Firewall exceptions," it says.

"When the "My network (subnet) only" option is enabled, it is automatically selected for file and print sharing. Therefore, your shared drives can be unexpectedly revealed on the internet when you use a dial-up connection."

The article provides a link to a patch with this legend: "To resolve this problem, you must download and install the Critical Update for Windows XP (KB886185)."

Well-known security expert Richard Forno, who noticed this and posted details about it on his own mailing list, had just one comment: "How many ways can Redmond say 'oops?'"

Microsoft's security lead in Australia, Ben English, said details of the flaw were not included in the December releases "because it didn't fit the security vulnerability criteria as stated publicly."

"These criteria are reviewed regularly and we strive to provide a definition which meets our customers' needs," English said.

"Microsoft is aware of a report detailing behaviour in the Windows XP SP2 'Windows Firewall' when users enable an exception for file and print sharing. This report notes that certain configurations of the Windows Firewall on some network connections could allow the file and print sharing services to be open to a larger number of computers than the user intended. Microsoft has reviewed the report and verified the behavior as reported but in accordance with the design of Windows Firewall."

Edited by kabal1234
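
An added illustration of the Knowledge Base description quoted in the article above (not code from the article, Microsoft, or any poster in this thread): it models "local subnet" as the set of on-link routes, which is an assumption about how the scope is derived, and flags the case where a dial-up default route makes that set cover the whole internet. The route tables and addresses are constructed.

```python
import ipaddress

# Ranges a home user would reasonably call "my network" (RFC 1918 + link-local).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed route tables: (destination, netmask, gateway, interface address).
LAN_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1",  "192.168.1.10"),  # default via router
    ("192.168.1.0", "255.255.255.0", "192.168.1.10", "192.168.1.10"),  # on-link LAN
]
DIALUP_ROUTES = [
    # Dialer installs the default route with the PPP address as its own gateway.
    ("0.0.0.0",      "0.0.0.0",         "203.0.113.57", "203.0.113.57"),
    ("203.0.113.57", "255.255.255.255", "127.0.0.1",    "127.0.0.1"),
]

def local_subnets(routes):
    """Model assumption: a route is 'local' when its gateway is the interface itself."""
    nets = []
    for dest, mask, gateway, iface in routes:
        if gateway == iface and not ipaddress.ip_address(iface).is_loopback:
            nets.append(ipaddress.ip_network(f"{dest}/{mask}"))
    return nets

def overbroad_subnets(routes):
    """Return 'local' subnets that are not contained in any private range."""
    return [n for n in local_subnets(routes)
            if not any(n.subnet_of(p) for p in PRIVATE)]

def scope_allows(routes, source):
    """Would a 'My network (subnet) only' exception admit this source address?"""
    src = ipaddress.ip_address(source)
    return any(src in n for n in local_subnets(routes))

if __name__ == "__main__":
    outsider = "198.51.100.7"  # constructed internet host
    for name, table in (("LAN", LAN_ROUTES), ("dial-up", DIALUP_ROUTES)):
        print(name, "admits outsider:", scope_allows(table, outsider),
              "| over-broad:", [str(n) for n in overbroad_subnets(table)])
```

Running the same check against a real machine's route table before relying on a subnet-scoped exception shows whether the scope is as narrow as the option's name suggests.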

Thanks for this, George. I just went to "Windows Update" using IE (I usually use Firefox) and there were 4 updates waiting for me - 3 security updates and 1 critical update. My Windows XP is set up to automatically download updates and, I thought, to automatically install them. But that did not happen - when I selected all 4 updates to be downloaded and installed, nothing was downloaded, but all 4 were installed. So the updates must have been already downloaded but not installed. I wonder why? I think it's because I don't use IE and if I don't use it, I don't get directed to the Windows Update web site and I don't know that there are updates waiting.

Anyone else have an idea why my updates weren't installed automatically after they were downloaded?

Edited by RDN

"Auto-update" is a new feature of WinXP SP-2.

You can turn the feature on-off, or select from several "install" options, whichever you prefer.

More details  here

:D

Thanks waldwolf, I just double-checked my settings, and it is already set up for 7 pm each day:

updates27np.jpg

and I can't figure out why the updates weren't installed :D . Any more thoughts gratefully received :D .

Edit: just thought of something - does the computer have to be idle? I chose 7 pm because I knew it would be turned on, but it would also be busy. :o

Edited by RDN

Thank you for your interest in Windows Update

Windows Update is the online extension of Windows that helps you get the most out of your computer.

You need to be running a version of Internet Explorer 5 or higher in order to use Windows Update.

I guess you need to be running IE to get your updates. The above quote is what you get when you use Firefox and try to open "windowsupdate.microsoft.com/".


Thank you for your interest in Windows Update

Windows Update is the online extension of Windows that helps you get the most out of your computer.

You need to be running a version of Internet Explorer 5 or higher in order to use Windows Update.

I guess you need to be running IE to get your updates. The above quote is what you get when you use Firefox and try to open "windowsupdate.microsoft.com/".

Hi Jim, yes I know I must use IE to manually go to the Windows Update web site - and that is what I did. But the odd thing that happened was that the 4 "security and critical" updates that I saw were already downloaded onto my PC. I know this because when I clicked on the "download and install" button, nothing came down from the web, but all 4 got installed. (I have "DUMeter" running so I can see graphically what is being downloaded and uploaded).

So while Windows Update was working, there was nothing coming down, and yet each was installed over a period of a few minutes. That's why I believe the updates were already obtained from the web on one of the previous daily update processes that my Win XP is set up to run at 7pm, but they were not installed until I went to the web site using IE and clicked on "Download and install".

I don't believe Micro$oft are playing games - spotting that my PC is set up to use Firefox by default and therefore not installing the updates - they wouldn't be so stupid (or so clever?).

Still a mystery to me.


RDN - Failure to install the updates, which were apparently downloaded OK, is a puzzle. Neither the use nor lack thereof of any browser (IE or any other) should have prevented the installation.

I suspect another utility you have running (e.g. antivirus, spyware detector, etc.) may be the culprit. Perhaps you could give us a brief rundown of these types of programs you're running. (Also the version of XP you're using.)

Will then do some investigation/testing.

cheers


RDN - Failure to install the updates, which were apparently downloaded OK, is a puzzle. Neither the use nor lack thereof of any browser (IE or any other) should have prevented the installation.

I suspect another utility you have running (e.g. antivirus, spyware detector, etc.) may be the culprit. Perhaps you could give us a brief rundown of these types of programs you're running. (Also the version of XP you're using.)

Will then do some investigation/testing.

cheers

Thanks waldwolf for your offer of help.

I thought I had found the problem, but now I don't think so. This is why: I just went to Windows Update web site and saw that there was an optional update for Outlook Express. I decided to install it and just as I clicked the "Custom Install" button, I saw on the right side the notice "Automatic Updates: Turned ON. Your computer is set to receive security & critical updates automatically. Pick a time to install updates.". Now, I have never clicked the "Pick a time to install updates" link - I'd always assumed that what I set on my PC (7 pm) is when they would be installed. So after the OE update had been installed and PC restarted, I went to that link and set the Install Updates time to 20:00. I then checked what the time was set to on my PC (in Control Panel / System / Automatic Updates) and it had changed to 20:00. So, I had hoped the link on the web site was something extra - but it was just another way of setting the "Install" time, which I already had set to 7 pm.

SO, for your offer of assistance, I have XP Pro SP2 fully updated.

I run:

MSN Messenger 6.2.0137

ZoneAlarm 5.5

Norton System Works Pro 2004 (v7.00, build 81) which includes

Norton Antivirus (fully updated)

Password Manager

Connection Keep Alive

Thanks again for your help - much appreciated.

Cheers

RDN


........Anyone else have an idea why my updates weren't installed automatically after they were downloaded?

"Auto-update" is a new feature of WinXP SP-2.

You can turn the feature on-off, or select from several "install" options, whichever you prefer.

win_auto_update1.gif

More details here

:o

The auto update feature is not new to SP2, it is also available on SP1


........The auto update feature is not new to SP2, it is also available on SP1

You are correct, I should have indicated that with SP2, Microsoft made a number of changes and added new features such as the "Windows Security Center", which provides more secure and easier recognition of one's settings.

Note the difference between the "System Properties" window I posted and that posted by RDN, which contains what I like to call "Norton Type Shields", such as:

Shield-5.gif Shield-3.gif Shield-1.gif Shield-4.gif Shield-2.gif

cheers


RDN - I should have mentioned earlier that I am not a fan of anything which automatically installs, uninstalls or tweaks my computer settings. I personally want to know, in advance, all details of such operations, so I may elect or reject their implementation. In other words, I want to know in advance all possible effects any new software might have on my computer's overall operation.

For reference, the WinXP "Auto-Update" feature only downloads/installs what Microsoft designates as "high-priority updates", which includes security updates, critical updates, and service packs. It will not download/install ALL updates offered.

I am highly suspicious of the Norton SystemWorks you're running. Over the years it has caused more problems than it reports to cure. (Akin to their "CrashGuard" which caused more crashes than it saved. A fact Symantec finally admitted to, just before it was discontinued.) Of all the Symantec products, the only one I still use is WinFaxPro. All the others, including Norton AV, have become so bloated and cause so many problems, I've retired them.

I would suggest you shut-down all Norton programs running in the background, then test the update function for a week or two to see how it reacts. Even though the Norton programs will not be running in the background, you will still have full-manual control to run things like virus checks, etc., when necessary.

Question: The "Connection Keep Alive" routine you mentioned. Are you on dial-up or is this a MTU/MSS/RWIN tweaking utility?

cheers


I must admit that I too am uneasy installing major updates - I did wait about 6 to 8 weeks before I updated to SP2 - and then I waited for the official CD to be sent to me. But when I see a critical or security update, then I just hope that it's at least better than what I've got :o .

I actually like Norton products - do you remember Norton Commander? I used to run it in DOS and then every version through to Windows NT. But then Windows Explorer got just as good so I stopped using it. I am a little worried about not running Norton Antivirus. Maybe there's a free alternative that you could recommend. I know a lot of people use free ones, but as I have the full System Works package, with license, I use it and get automatic (and these work!) updates at least once per week, sometimes every day.

The connection Keep Alive is part of System Works. Yes, I'm on dial-up and the keep Alive pings Google and Symantec every 2 minutes. I could try disabling that one without any worries.


Ah yes.....the good old DOS days. Peter Norton's utilities way-back-then were first rate. Unfortunately, after Symantec bought his company and started to "improve" on his work, things slowly went to pot. But that's a very long, sad story.

In any event, I understand your reluctance at shutting down various systems, such as your antivirus; however, it will eventually be necessary to do so, to see what is causing your problem.

First, let me comfort you in the fact that, being on dialup, the chances of anyone getting into your system are rather slim, as with most dialup connections you have a different ISP address each time you connect online. Therefore someone looking for you specifically first needs to find your ISP address. Now, in the case of broadband, in most instances you have the same address each time you connect and many if not most "broadbanders" stay connected 24/7. That presents many problems, as the "targeter" knows exactly where to find you, anytime, any day.

Second, you also have (in my opinion) the best software firewall available, so even if someone were lucky enough to find you, Zone Alarm (properly configured) will stop them cold.

OK.....Now, another way you can do the checks, is to reconfigure the System Properties window, so as to Notify you of the updates, but not automatically download/install them. Then when you get the notice of new updates, you just shutdown Norton, reconfigure the "System Properties" to update automatically, reconnect and see if it now works. After the test you can "reactivate" Norton, and you'll then be back to square one.

Don't worry about "Connection Keep Alive", as I doubt it is capable of causing your problem. As you indicated, it's just a pinger, similar to InkLineGlobal's "Stay Connected".

Keep us posted on your findings.

cheers :o


...OK.....Now, another way you can do the checks, is to reconfigure the System Properties window, so as to Notify you of the updates, but not automatically download/install them....

Excellent idea - and I've done just that. Now we just have to wait for MS to produce another critical or security update.....

Shouldn't be too long :D

Cheers

P.S. Yes, pity about Peter Norton's company. I wonder what he's doing now? :o


I use Windows 2000 Pro as I find it nicer and less buggy than XP.

I never instal any 'security' updates, so I must be years behind. I was forced to instal SP4 for W2K to use usb2 ports.

I'm not sure what the point of the security stuff is. I don't even use a real time virus scanner - just do a check about once a month on Trend PC cillin.

I use zone alarm (free version) for a firewall.

My ADSL internet is on 24/7 but it changes IP every 24 hours when I redial making me an unlikely target of hackers (who use automated programs to scour the net for open machines with constant connections)

By far the best way to protect your system is to stay away from nasty porn sites or banners offering you things for free.

What I don't like to allow is Windows putting in patches that reset things it shouldn't. Too often these patches, when I thought they were important and tried to use them, reset various settings to default. And also make outlook express etc.. reappear after I'd turned them off. One patch turned on the XP firewall after I'd turned it off. (I did try XP out a few years ago) and the IE updates would always reset security settings that I had tweaked for various reasons, for e.g. it made IE decide when to check a site for updated web pages when I'd set it to check each time I redialed.

In 5 years of using a pc I never had any problems except for a few viruses that had come in through Kazaa 4 years ago.


  • 4 weeks later...

Well, it wasn't too long to wait for another update, was it? :D

So for the last couple of days, I've been getting a message when I start up my PC: "Ready to download updates" popping out from the system tray.

I guessed it was the update to fix this vulnerability:

http://secunia.com/internet_explorer_comma...erability_test/

- which I tested and found that I was vulnerable.

So to prove whether Norton is stopping the automatic update installation I did the following:

Disconnected the modem.

Exit Firefox.

Disable Norton Antivirus and set it to not start up with Windows.

Change the Security Centre option from "Notify" to "Automatic install"

Restart the PC

Reconnect to Internet.

(The utility I have for monitoring Internet activity - DUMeter - showed a lot of downloading occurring).

(Task manager showed two processes - update.exe and wuauclt.exe - fairly active).

After a few minutes, the message "Updates are ready for your computer. Click here to install these updates" appeared at the System Tray.

At this time activity on the DUMeter had stopped.

So I clicked and an 'Automatic updates' window appeared giving two options to install. I went for the express option and accepted the License agreement and the message "Installing Updates..." appeared at the System Tray. Still no activity on DUMeter, so the updates were already on my PC. When that message disappeared, there was no other indication that the update process was complete, but disk activity had stopped, so I disconnected from the Internet, re-enabled Norton Antivirus and changed the Security Centre setting back to "notify".

Restarted the PC and connected to the Internet again.

Did the same test again

http://secunia.com/internet_explorer_comma...erability_test/

and this time I passed, so the update appears to have worked.

The only thing I did not do, which I think I should have, was to change only the security centre setting to "Automatic" and restart the PC to see if the update would get installed with Norton Antivirus enabled - but this is how I had it set up before (see earlier posts) and it didn't update automatically. But I think I'll do that the next time there's another update...

Shouldn't be too long...

(Did I say that before? :o )


Second, you also have (in my opinion) the best software firewall available, so even if someone were lucky enough to find you, Zone Alarm (properly configured) will stop them cold.

This is the crux, in my opinion - disable the Windows firewall and use ZoneAlarm instead; it will save you a lot of drama.

But with Zone Alarm I recommend every once in a while to go through the list of programs that have access to the internet and check what has been enabled for full access and server rights, reset a few ones you are not sure of to "ask" so you will get a message next time it tries to access the outside world - this will give you an indication of what program is using the processes - and also lock down some ports that you do not use often, if at all.


RDN - How do you get the picture of that menu?...

1. Make the menu window the active window by clicking on it (safest place is at the top where the title "System Properties" is - just so you don't hit a button and change something)

2. Hit ALT+Print Screen - this gets the image into the copy/paste buffer of your PC

3. Run "Paint" - should be in "Programs/Accessories".

4. Click on "Edit/Paste".

Then it's up to you what file type you save it as, and whether you want to edit it. I have a program called Compupic which I've used for years to do that:

cp956hc.jpg

5. Upload to your favourite image hosting web site - I use ImageShack.

6. Put the image's URL - given by the web site - into your post.

Easy, peasy. :o

