New Windows Attack Can Disable Firewall

BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."

Not that big a deal, but still.

[Grendel Drago]

Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?

What can you trust?

[RLiegh]

If the graphics applications you use require windows, and all of the major firewall vendors are bloated (symantec), worthless (keiro) or both (macaffee) then what can you do?

Re:What can you trust?

[oGMo]

A few things:

• Keep all your broken (Windows) boxes in a heavily-firewalled subnet (and make sure the firewall is something secure, i.e., not Windows)
• Don't put the broken box on the network at all
• Run your app in a VM
• Find a new app

Re:Obvious

[Anonymous Coward]

Well, I wouldn't agree with 'better performance' - software firewalls are ALWAYS a bottleneck. Just use a router :-)

Re:How do you know you've never gotten a virus?

[Anonymous Coward]

What rubbish, if it's on the machine it's detectable

HackerDefender (http://hxdef.org/) is just begging to disagree with you there. Quite a popular rootkit a few years back where I work, where there were a bunch of Windows 2000 machines which got cracked. The only reason we knew there was anything wrong with them was:

a) We were warned of increasing levels of network traffic
b) When it came time to install SP4 on them, it wouldn't go on (due to the rootkit blocking all access to anything called "ftp.exe", thus the SP couldn't install correctly)

However, had this been a home machine then almost certainly nothing would have been detectable, since there's no one to monitor traffic levels, and I don't think most users would read too much into it if a patch failed.

Re:Obvious

[Propaganda13]

Actually, he's probably partly referring to the routers flooding their wireless connection which happens with Zyxel routers too.
http://www.tomsnetworking.com/lans_routers/charts/ index.html?chart=124 [tomsnetworking.com]
You set up a p2p like bittorrent that is willing to use a lot of simulataneous connections and it floods your router and your connection drops.
Of course, it does sound like a lot of routers(1 a month?) to go through so if he's returning a lot of dead routers, a possible power problem in the home is possible.

Suddenly noone is using wireless?

[db32]

So I see dozens of comments about "Its no big deal, you have to be on the lan". Am I the only one that hasn't forgotten how common wireless networks are and how trivial it is to gain access to most of them?

Re:Obvious

[Tim C]

As for the wireless stuff, well, that's too bad. But your computer already needs one connection to the wall to get its power. Will one more for data kill you?

No, but my girlfriend nearly did when I started laying bright yellow cat5 cable in the house...