RE: Fw: Serious Security Issue in Windows XP SP2's Firewall

From: Jens Mickerts (jens_at_mickerts-partner.de)
Date: 09/25/04

    Date: Sat, 25 Sep 2004 09:39:28 +0200
    To: <focus-ms@securityfocus.com>
    
    

    Hi Frank,

    I was able to reproduce the bug and things are a bit different, so I
    must disagree.

    >I think the contention is that when file/printer sharing is enabled, and
    >the firewall is activated, SMB ports are open on the dial-up interface
    >without having been explicitly opened via the firewall policy (unlike
    >the network interface). So in a sense, yes, there is a bug. The implicit
    >allow is probably not a good thing, but the main issue seems to be that
    >while SMB ports are closed on existing interfaces (like network cards),
    >the policy setting is not applied to inactive, dynamic interfaces -- the
    >RAS interface in essence. Once you dial-up, and thus activate the
    >interface, the ports are open even though that is not specified in the
    >firewall policy.

    Correct, but the real bad news is that this happens on machines that had
    an enabled Internet Connection Firewall before applying SP-2! This
    indeed opens "new" holes (at least on RAS-Interfaces).
    Furthermore this is not limited to RAS-Interfaces. All Interface types I
    tested (RAS via DSL and LAN) have been affected as long as "local
    subnet" was allowed access to file and printer sharing.
    I also do not like PC Welt, but this is not a small issue. The problem
    possibly affects all Windows XP Systems with enabled ICF and disabled
    ICS that are upgraded to SP-2. I guess that approx. 80% of these Systems
    are using weak or no passwords on admin-accounts, so you can imagine
    what might happen.

    Regards,

    Jens
