Forgot your password?
typodupeerror

New Windows Attack Can Disable Firewall 273

Posted by ScuttleMonkey
from the he-shoots-he-scores dept.
BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."
This discussion has been archived. No new comments can be posted.

New Windows Attack Can Disable Firewall

Comments Filter:
  • by Grendel Drago (41496) on Tuesday October 31, 2006 @03:46AM (#16654417) Homepage
    Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?
    • by RLiegh (247921) *
      >Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway?

      Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.
      • by @madeus (24818)
        Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.

        None of those things require Internet Connection Sharing, and I would argue it's not even the easiest or most common way to achive them. Virtually anyone with a consumer DSL offering can just plug their computers (or printers, or network storage devices) right into one of the RJ45
        • by Kangburra (911213)

          It was useful on Windows 98 when so many people were limited to using modems for internet access
          ...and once again the US assumes everyone else in the world has DSL and 4 port modems.

          Hello, a lot of people still use 56K modems to connect to the net. The biggest ISP's in Australia supply a USB only DSL modem when you sign up. These people rely on ICS.
          • The biggest ISP's in Australia supply a USB only DSL modem when you sign up.
            My parents signed up with Telstra and were offered either a free USB or a (single port) ethernet modem. Naturally, I told them to choose the latter.
          • by @madeus (24818)
            ...and once again the US assumes everyone else in the world has DSL and 4 port modems.

            I'm not from the US, and FYI all the other countries in the developed world do pretty much all have broadband, with 4 port DSL modems (from the likes of Negear, Zyxcel, etc.) being very much the norm.

            Hello, a lot of people still use 56K modems to connect to the net.

            Indeed, but those are not usually people with more than one computer - because people with more than one computer are the sort of people that will just get cab
          • by walt-sjc (145127)
            Personally, I dumped the Telco supplied POS DSL modem and got a Sangoma S518 PCI card. Best thing ever. Can do full rate QOS (since you eliminate the "Huge Buffer of Doom") and syncs at a higher rate than the crappy Westell modem. Not sure if they work in AU, but it's worth looking into.
      • Please see here:
        http://isc.sans.org/diary.php?storyid=1809 [sans.org]

        MS Cluster Service will not work without ICS running, it is used for internal NAT handling.

        So the problem is much more widespread than small LANs using ICS.
    • according to this sans article [sans.org] the DOS attacks comes from outside.

      If i understand it is with a corrupted DNS reply packet.
    • ...who runs ICS anyway?


      0.1% of Windows desktops is still a lot of desktops.
  • by RLiegh (247921) * on Tuesday October 31, 2006 @03:48AM (#16654425) Homepage Journal
    If the graphics applications you use require windows, and all of the major firewall vendors are bloated (symantec), worthless (keiro) or both (macaffee) then what can you do?
    • by oGMo (379) on Tuesday October 31, 2006 @04:14AM (#16654579)

      A few things:

      • Keep all your broken (Windows) boxes in a heavily-firewalled subnet (and make sure the firewall is something secure, i.e., not Windows)
      • Don't put the broken box on the network at all
      • Run your app in a VM
      • Find a new app
      • Don't put the broken box on the network at all

        lol, that's what I keep telling the security guy in my office :) The only way to make sure your network is 100% secure is to pull all the patch cables... I think we might be able to push him over that tipping point now ^_^
    • by jonwil (467024)
      Having the machines behind a NAT router should stop a lot of attacks. And if that isnt enough, find a NAT router with a built in firewall (or add an extra firewall appliance such as a old PC with linux on it)

      I have yet to see a windows based firewall that doesnt suck.
      • by kjart (941720)

        Having the machines behind a NAT router should stop a lot of attacks. And if that isnt enough, find a NAT router with a built in firewall (or add an extra firewall appliance such as a old PC with linux on it)

        Seems like good advice - no matter what your OS is. Not much to pay for another (solid) layer of security, and the second option is a nice way to recycle old PCs.

    • Re: (Score:3, Interesting)

      by orpheus_okt (879958)

      worthless (keiro)

      Uh... Is there something I missed in the last weeks/months? No, I'm not implying that I heard exactly the opposite, but it sounds like there are serious security holes in the old Kerio firewall although I was always convinved it's still one of the better free ones out there. And I really must have missed the news then...

      Up to now, I was sticking to Kerio on Windows. Especially because of its rather powerful options to filter single applications, addresses, ports and plenty of other manually

      • by zerojoker (812874)
        I can't think of any reason why Kerio - or the new Sunbelt Kerio PF should be not effective.
        I mean blocking applications from within is always a problem (for every Firewall) and it has been shown that there's always a method of sending data out (no matter which vendor), however I think Kerio is still quite effective on blocking incoming traffic
      • by thelost (808451)
        I've heard nothing bad about Kerio and as far as I'm concerned it's fine. Personally I recently switched to Outpost Firewall and am very impressed, plus it's got an active user community [outpostfirewall.com] which i always look for when deciding whether to take up a product.
    • by Alarash (746254)
      You use an IPS/IDS appliance that goes up to level 7.
    • by EvilIdler (21087)
      You can use Outpost (firewall+spyware protection)m or Norman (all that and good antivirus).
      • This is the only truly safe thing you can do: repartition and format your drive and reinstall with the internet disconnected. You can also install firewalls et al other people on this thread are suggesting. Install and configure your main applications. Then, make a image* of the drive.
        When you use your computer for important stuff, save your data to external drives.
        Then every few days, restore the image. Once you've learned how to do it it will take about 5 minutes which is actually quite a bit faster th
    • by master_p (608214)
      I use ZoneAlarm by ZoneLabs...it is the best software firewall for Windows. The first thing I do when I do a fresh Windows install is to disable the Windows Firewall and install ZoneAlarm...
    • by Jessta (666101)
      You don't need a firewall. Just disabled the network services that you aren't using.
    • You have a few options:

      1. Run Windows natively but unplug your CAT-5 cable or disable your networking devices under the device manager. Having no internet access under Windows fixes this and many other problems nicely.

      2. Are you really sure that the graphics applications you use require Microsoft Windows? I think that you would be very surprised by how good the support is for most Adobe products, including Photoshop, using WINE. [winehq.com]

      3. Run Windows and your graphics applications in a virtual environment using V [vmware.com]
    • by couchslug (175151)
      Not rely on software firewalls?

      I've run Freesco and later MonoWall firewalls on mostly-free hardware (Asus P255T2P4/128MB/P233 with super-glued passive heatsink) almost 24/7 since 1999. Neither have been difficult to set up, and Freesco is very noob-friendly. Freesco needs minimal resources and will even run on a 486.
      Both have performed with boring, appliance-like reliability. I run from a Compact Flash card in an IDE adapter instead of a hard disk. Those parts are dirt cheap nowadays.

      http://www.freesco.or [freesco.org]
  • by Anonymous Coward

    What those engineers were thinking? A data package, the thing a firewall is filtering to some point, can disable the firewall? Who thought it would be a nice feature to have that?

    "We need a firewall of our own!"
    "Why?"
    "To keep our monopoly; those firewall and antivirus companies are making money that should be in our pockets."
    "But antitrust..?"
    "We say it's because we want to have a secure system, it should've been in the first place. Those companies have no case! >:D"
    "But even we cannot access their

  • I never used Windows Firewall on my PC - I used Zonealarm or Tiny Personal Firewall. Why? Because given how many security holes XP had - and probably still has - I wouldn't trust my security to it. And lo and behold, here we are.
    • by MtViewGuy (197597)
      The fact that ZoneAlarm can do bi-directional firewall control is the reason why I don't use Windows' own incoming-block only firewall.
  • by DavidD_CA (750156) on Tuesday October 31, 2006 @04:09AM (#16654553) Homepage
    So for this attack to work, according to the article...

    1) The attacker has to be on the LAN already, or executing code from a PC on the LAN

    2) The LAN has to be connected to the internet through a PC using ICS, and

    3) There can be no external firewall device such as a router sitting between the LAN and the internet

    While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.
    • by bazorg (911295)
      so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.Exactly what I thought.. when I'm already in the LAN I want to attack I use a sledgehammer not these computer thingies.
    • by gad_zuki! (70830)
      Not to mention, by default, windows firewall allows local segment traffic onto ports 135-139. So if the cracker wants to brute force the shares he doesnt even need to take down the firewall.
  • The exploit depends on the use of Microsoft's Internet Connection Service.
    Is ICS not Internet Connection Sharing?
  • by Centurix (249778) <centurix@ g m a i l.com> on Tuesday October 31, 2006 @04:52AM (#16654729) Homepage
    When they advertise that XP installations come with a firewall, they in fact mean that XP installations come installed with a wall of fire. The EULA clearly states that, somewhere near the bottom next to the pictures of cats and the sudoku puzzles, because no-one ever reads that far...
  • Windows has a firewall?

    ....sorry, please continue :)

  • Come on people. Routers are cheap. It is better to use a hardware router instead of a Windows machine as a router. At home, I run a 300MHz Pentium II as a router. At the office, a router is used.

    Everyone knows Windows is insecure. It only costs $30/$40 for a router. $29 for a D-Link DI-704P 4-Port Cable/DSL Router at outpost.com

  • by RAMMS+EIN (578166) on Tuesday October 31, 2006 @05:53AM (#16655085) Homepage Journal
    Why does Windows get all the press? It's not fair! I want to see some coverage of stupid holes in Linux and the free BSDs!
  • by db32 (862117) on Tuesday October 31, 2006 @07:31AM (#16655601) Journal
    So I see dozens of comments about "Its no big deal, you have to be on the lan". Am I the only one that hasn't forgotten how common wireless networks are and how trivial it is to gain access to most of them?
    • by walt-sjc (145127)
      Most people with home wireless lans use wireless routers with the built-in firewall instead of an access point, switch, and a PC with ICS, so I wouldn't expect wireless networks to be a major issue in this specific issue.
    • Hey mods, mod parent up.
  • I feel for people who have no other options, but... software routers suck. That they are made by microsoft or anybody else. Hardware firewalls for the win. (which I guess in the end ARE just embedded softwares...still better at the end of the day)
  • Sure you could build your own firewall appliance and shove it in a DMZ on your home LAN. And you could implement hardware dongles for wireless. And you could sandbox everything and so on and so on and so on.

    But is that reasonable? Do you really have content on your machines that's so valuable that it has to be preserved at all costs? Is it really worth the time, effort and money to do so? Did you remember to back it up? People should take reasonable precautions such as a good software firewall, a real time
    • Sure you could build your own firewall appliance and shove it in a DMZ on your home LAN. And you could implement hardware dongles for wireless. And you could sandbox everything and so on and so on and so on.

      But is that reasonable? Do you really have content on your machines that's so valuable that it has to be preserved at all costs? Is it really worth the time, effort and money to do so? Did you remember to back it up?

      I tried backing up the cash I keep in my online banking account just in case my Windows b

  • The MS firewall has never been secure. For a few reasons completely unrelated to the current bug.

    1. It's configurable via the registry. I.e. write a few keys into the registry and your application has all rights to come and go as it pleases. And that's what malware usually does.

    2. Its "warning" windows have a standard window handle and can thus be intercepted by programs and answered "correctly". Another standard tactic of malware.

    3. It's attacked by every single halfway modern malware, since it's on every
  • For this attack there has to be a number of factors in place, and most people here on /. seem to dismiss the likelihood of an attack because of these factors. But remember, the majority of the population aren't like people here.

    1. Must be within the LAN
    How many average joes run unsecured wireless? In my neighborhood that's lots of people.

    2. ICS must be running
    How many average joes have never even opened Services much less turned off unneccessary Windows services?

    3. No other firewall is running.

    • And, laying blame properly.

      When you buy a new computer, it comes with XP. On the hard disk. Without a manual. Really.

      My nanny just bought an Acer laptop. It did come with a "quick start guide".

      Nothing about security. Although XP does pop up a dialog asking you to install anti-something-ware software. And natters about using unencrypted wireless links.

      So for you points 2 and 3, the vendors are to blame. For point 1? I believe that the warning that you are using an unsecured wireless connection is probably ju
  • Yeah, instead of closing exploitable network ports, let's throw another layer in front of them! That's sure to be foolproof!
  • This is something about XP that really bothers me, and I consider a design flaw. Several services run together under each svchost.exe process. (Tasklist /svc will show them.)

    I have something wrong with my system now, where one of those svchost processes (after while) dies with an unhelpful messages, killing a bunch of other services with it (including ICS/Firewall). They won't restart for me, either. I'm still in the process of disabling services and trying to identify the single one that is causing gri

You don't have to know how the computer works, just how to work the computer.

Working...