[personal profile] torkell

Flaws in SP2 security features

Basically, there's a new feature which warns people about running files that have come from the internet. It works by storing the file's original zone in an extra stream (:Zone.Identifier). Anything from e-mail or the internet gets saved with zone identifier 3, which IIRC is the Internet Zone. When you try to run the file from Explorer, it warns you about it. The ZoneID stays with the file even if it is moved (as long as the file stays on an NTFS volume). The built-in ZIP utility persists the ZoneID as well. Secure, right?

Not.

cmd.exe ignores the ZoneID. So cmd /c evil.exe works. cmd /c evil.gif will also work if evil.gif is a renamed exe (that's nothing new - it's been around since Win2k at least). The report linked to has a possible e-mail using this attack (i.e. convincing someone to run cmd evil.gif). It's easy to see how someone could be taken in, when you consider how well Bagle and its friends did.

There's also another bug - Explorer caches the ZoneID information. So if you open a 'good' file in Explorer, then overwrite it with your evil.exe, Explorer will not re-read the ZoneID and so won't warn you.
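The Zone.Identifier stream described above, and a checker that re-reads it from disk on every call rather than caching it the way Explorer does, as an added example (this is not code from the original post). The stream's text format ([ZoneTransfer] section with a ZoneId= line) and the zone numbering are Windows' own; the live read only works on an NTFS volume under Windows, while the parser runs anywhere. Treating zone 4 (Restricted Sites) the same as zone 3 is this example's choice; the post only mentions zone 3.

```python
"""Read and interpret a file's :Zone.Identifier alternate data stream.

Added example, not part of the original post. A defender-side check that
does what cmd.exe does not: look at the zone marker before trusting a file.
"""
from typing import Optional

# URL security zone ids as they appear on the ZoneId= line.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

ADS_SUFFIX = ":Zone.Identifier"

# Constructed sample of what the stream holds for a downloaded file.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from the [ZoneTransfer] section, or None if absent."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_id(path: str) -> Optional[int]:
    """Open the ADS fresh on every call; nothing is cached between checks.

    None means there is no stream (file never came from the internet, or the
    marker was lost when it left NTFS) or it could not be read. On a non-NTFS
    filesystem the open simply fails and None is returned.
    """
    try:
        with open(path + ADS_SUFFIX, "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def is_untrusted_zone(zone_id: Optional[int]) -> bool:
    """Zones 3 and 4 are the ones to treat as coming from outside."""
    return zone_id in (3, 4)


def describe(path: str) -> str:
    """One-line verdict for a file, re-reading the marker from disk."""
    zone = read_zone_id(path)
    if zone is None:
        return f"{path}: no Zone.Identifier stream (local origin, or marker lost)"
    name = ZONE_NAMES.get(zone, "unknown")
    flag = " - treat as untrusted" if is_untrusted_zone(zone) else ""
    return f"{path}: ZoneId={zone} ({name}){flag}"


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(describe(p))
```

Run it as `python zonecheck.py downloaded.exe` on an NTFS volume; because every call goes back to the stream, overwriting a file after a first check changes the verdict on the next one, which is exactly the point the cache bug above turns on.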

The best part is that MS appear to be ignoring this bug. See the report for the reply from MS, and also see Microsoft: A matter of trust.

Powered by Dreamwidth Studios