
New Windows Attack Can Disable Firewall

ScuttleMonkey posted more than 7 years ago | from the he-shoots-he-scores dept.


BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."


273 comments

Obvious (-1, Troll)

stoneycoder (1020591) | more than 7 years ago | (#16654401)

Does anyone actually leave Windows Firewall on anyway? It's one of the first things to go when I have to use windblows XP.

Re:Obvious (1)

boobavon (857902) | more than 7 years ago | (#16654519)

Windows Firewall is the first thing I check for when I do a fresh install. I have *never* gotten a virus and I don't use any of the other products out on the market. So yeah, some of us do. And we get better performance because of it.

Re:Obvious (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16654629)

Well, I wouldn't agree with 'better performance' - software firewalls are ALWAYS a bottleneck. Just use a router :-)

Re:Obvious (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16654843)

Funny how you seemingly want performance and suggest a router. I've bought at the VERY LEAST 2 dozen routers (I'd say closer to 3) in the last 2 or 3 years. Linksys (the "good" WRT54G), D-Link, Netgear, etc.

Every single one of them failed on me with NO exception. Not one survived. They just CANNOT handle today's fast connections. Put bt+ed2k thru it, it'll overheat in no time at all. Even if you open the case, put some nice heat sinks and fans, it will STILL die! They're inexpensive, but they're also garbage for the most part. They just can't handle it. (yes, I've tried various firmwares, versions, RMA'ed several, etc)

And the switch chips in most are a bad joke at best. Put a few GBs thru them (god forbid someone make use of them eh?) and they overheat and reset (your connection drops, then reappears, drops again, etc).

I totally gave up on them about a year ago, and wish I had NEVER bothered. It's cost me a few hundred $ in router trash that went straight to the garbage. Since then I've been running a firewall (and doing NAT) on a box that's always on anyway (runs a few server processes, P2P apps and things like that), and it's millions of times better than any home/SOHO router's EVER going to be. Those overhyped POSes are good if you're into low bandwidth stuff like checking email and surfing the web, but that's about it.

Friends don't let friends buy routers.

Re:Obvious (0, Troll)

Kenyon (4231) | more than 7 years ago | (#16654879)

LOL. Either you're joking or you're insane.

Re:Obvious (0)

Anonymous Coward | more than 7 years ago | (#16655031)

I'm not joking. Perhaps you're just clueless?

Show me a $150 router that can handle BitTorrent + ed2k on 10 Mbit 24/7 (on top of "regular" stuff), and I'll show you flying pigs.

Yeah, I saw a couple of nice ones that might have sufficed, but I didn't want to spend the $600+ they were asking for (that was a SonicWall) when just installing a small app on an already running box with a spare NIC I had lying around works even better (for $600 less).

Re:Obvious (2, Informative)

toadlife (301863) | more than 7 years ago | (#16655223)

Yep.

My old gateway with two 3com 3c905 and FreeBSD laughs at the measly bit torrent connections I throw at it. Before I set that up a few years ago, I had similar experiences with consumer grade networking gear.

Re:Obvious (2, Interesting)

ajs318 (655362) | more than 7 years ago | (#16654959)

You've most probably been buying crap routers. D-Link, Belkin, Linksys, Netgear - for chuff's sake, they might as well be branded "Barbie (or Action Man) My First Router". Treat yourself to a nice ZyXEL router, and you might forget you even have a router in your network.

Re:Obvious (2, Interesting)

Anonymous Coward | more than 7 years ago | (#16655271)

What makes you believe that a (home) router, which is a small microcontroller with some dedicated firmware running on it, will outperform a modern PC that has 10-20 times more CPU power available?

Re:Obvious (1)

Heembo (916647) | more than 7 years ago | (#16654681)

Personal firewalls do not protect you against viruses; anti-virus products do that. Personal firewalls protect you from hackers and worms, primarily. And good personal firewalls do egress filtering, which the MS firewall does poorly at best.

Re:Obvious (0)

Anonymous Coward | more than 7 years ago | (#16654717)

You should use the antivirus. The viagra & rollex offers that you send to 1000000 mailboxes every day take more CPU cycles and bandwidth than antivirus. Plus, A/V is something you are aware of.

How do you know you've never gotten a virus? (1)

rufusdufus (450462) | more than 7 years ago | (#16654685)

Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag. The question is: what is it that makes you think you've never had a virus/been compromised? You haven't noticed anything? Perhaps McAfee or Norton didn't find anything so you assume you are clear? Sadly my friend, it is very possible your machine has been compromised by a virus or worm and you are simply unaware of it. The worst kinds of malware are not detected by virus scanners; in fact some are not even detectable in any way.

Why should you care if it doesn't appear to affect you? Well, it may actually affect you if it's a keylogger tracking everything you type and collecting information about you for identity theft. Worse, for the rest of us anyway, your machine could have been co-opted by a bot-net that is used by criminals to extort money from web sites. What they do is secretly root thousands of unprotected computers operated by people who 'have never had a virus' and then use them to do a distributed denial of service attack against commercial websites, demanding money from them to stop.

In order to limit the power of these criminals, everyone must firewall and patch their machines. This may not even be enough though! What people really need to do is occasionally completely reformat after booting off a CD so any rootkit will be erased.

Re:How do you know you've never gotten a virus? (1)

Orlando (12257) | more than 7 years ago | (#16654769)

...in fact some are not even detectable in any way.

What rubbish, if it's on the machine it's detectable. May not be easy, but you'll find it eventually if you look hard enough.

Re:How do you know you've never gotten a virus? (0)

Anonymous Coward | more than 7 years ago | (#16654809)

Well, if I *have* been rooted, it's pretty benign. I never see any unwanted or malicious traffic if I sniff my local segment... or did it root all my other machines too? And also know how to effectively modify Ethereal AND snort to only show the legitimate traffic coming and going from my machine?

Damn, now I'm paranoid! Where is that XP CD again....?

Re:How do you know you've never gotten a virus? (2, Informative)

jimicus (737525) | more than 7 years ago | (#16654831)

In theory, yes. But you'd need to reboot the OS into some kind of diagnostics otherwise you're asking the OS to attest to itself - and if it's been trojaned, you can't trust the OS because the first thing any sensible trojan will do is cover its own tracks.

In practice, if you want a 100% guarantee that any malware has been eradicated, the only solution is a rebuild.

Re:How do you know you've never gotten a virus? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16654921)

What rubbish, if it's on the machine it's detectable

HackerDefender (http://hxdef.org/) is just begging to disagree with you there. Quite a popular rootkit a few years back where I work, where there were a bunch of Windows 2000 machines which got cracked. The only reason we knew there was anything wrong with them was:

a) We were warned of increasing levels of network traffic
b) When it came time to install SP4 on them, it wouldn't go on (due to the rootkit blocking all access to anything called "ftp.exe", thus the SP couldn't install correctly)

However, had this been a home machine then almost certainly nothing would have been detectable, since there's no one to monitor traffic levels, and I don't think most users would read too much into it if a patch failed.

Re:How do you know you've never gotten a virus? (1)

Jackmn (895532) | more than 7 years ago | (#16655021)

What rubbish, if it's on the machine it's detectable. May not be easy, but you'll find it eventually if you look hard enough.
Not while you are booted into the compromised OS. You have to scan your machine from some read-only media to know with certainty that you are not infected.

Re:How do you know you've never gotten a virus? (1)

frinkacheese (790787) | more than 7 years ago | (#16655161)

> In order to limit the power of these criminals, everyone must firewall and patch their machines. This may not even be enough though! What people really need to do is occasionally completely reformat after booting off a cd so any rootkit will be erased.

Oh come on folks, somebody mod this funny!

He cannot really be serious. You don't need to re-install to get rid of rootkits, you need to re-install just to make it work.

Sheesh.

Re:How do you know you've never gotten a virus? (1)

Fred_A (10934) | more than 7 years ago | (#16655273)

Whenever someone brags they have never gotten a virus, especially just after blithely disabling some security feature, it raises a big red flag.
Yes, such as "Have you been using that Symantec crap again that took me hours to remove last time ?"

Re:Obvious (1)

surgicaltubing (935958) | more than 7 years ago | (#16654731)

My father's laptop got stung by this (I think). I tracked down two values in the registry for disabling AV and firewall. Now it's fckucked and the CPU is at 100%. Yum.

Re:Obvious (1)

Spacejock (727523) | more than 7 years ago | (#16654753)

I turned mine off when I discovered it was blocking the winsock control even though I'd given the application USING the winsock control full access. It also slowed down email retrieval by a factor of ten. I tested it several times, firewall on and firewall off, and proved it to my own satisfaction. So, out the window with that particular feature.

first post??? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16654409)

pure class

(yay RSS for first(ish by now) post goodness)

pah (0)

Anonymous Coward | more than 7 years ago | (#16654713)

Real FPers use Refresh. You kids and your toys...

Hmmm (0)

Anonymous Coward | more than 7 years ago | (#16654413)

From TFA: It's not clear if it only affects the Windows default firewall, or any 3rd party firewall installed on the system.

Re:Hmmm (0)

Anonymous Coward | more than 7 years ago | (#16654499)

Please reread the second to last paragraph on first page of the article.

Either RTFA or don't, but don't pretend that you did.

Not that big a deal, but still. (5, Insightful)

Grendel Drago (41496) | more than 7 years ago | (#16654417)

Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?

Re:Not that big a deal, but still. (1)

RLiegh (247921) | more than 7 years ago | (#16654445)

>Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway?

Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.

Re:Not that big a deal, but still. (0)

Anonymous Coward | more than 7 years ago | (#16654539)

Anyone using NAT under Linux, for one.

Anyone using NAT under Linux is not using ICS.

Families connecting multiple computers onto a single network, for another.

If they cannot afford a router (but can afford multiple computers and know how to install a second ethernet card and setup ICS perhaps

Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.

None of these scenarios have anything to do with ICS whatsoever.

Re:Not that big a deal, but still. (1)

@madeus (24818) | more than 7 years ago | (#16654551)

Anyone using NAT under Linux, for one. Families connecting multiple computers onto a single network, for another. Not to mention people who share the same printer or who have a central file server set up to share mp3s or whatever.

None of those things require Internet Connection Sharing, and I would argue it's not even the easiest or most common way to achieve them. Virtually anyone with a consumer DSL offering can just plug their computers (or printers, or network storage devices) right into one of the RJ45 ports on their DSL modem and be served a DHCP IP from the modem - even most cable modems these days have standard RJ45 interfaces you can plug in to a cheap switch (allowing you to use several machines on the network, even if they have a policy that you are only supposed to use one machine).

It was useful on Windows 98 when so many people were limited to using modems for internet access, but Ethernet is so ubiquitous these days it's a bit of an anachronism. Even in Windows 2000 the ability to configure the routing policy is limited to renaming the connections so that the preferred routes occur first in alphabetical order (I kid you not), that is unless you upgrade to something like Advanced Server which comes with administration tools to enable routing tables to be modified.

Re:Not that big a deal, but still. (1)

Kangburra (911213) | more than 7 years ago | (#16654625)


It was useful on Windows 98 when so many people were limited to using modems for internet access
...and once again the US assumes everyone else in the world has DSL and 4 port modems.

Hello, a lot of people still use 56K modems to connect to the net. The biggest ISPs in Australia supply a USB-only DSL modem when you sign up. These people rely on ICS.

Is Telstra not one of the biggest? (1)

N Monkey (313423) | more than 7 years ago | (#16654693)

The biggest ISP's in Australia supply a USB only DSL modem when you sign up.
My parents signed up with Telstra and were offered either a free USB or a (single port) ethernet modem. Naturally, I told them to choose the latter.

Re:Is Telstra not one of the biggest? (1)

Kangburra (911213) | more than 7 years ago | (#16654709)

And had your parents not asked you, what would they have got?

Re:Is Telstra not one of the biggest? (1)

N Monkey (313423) | more than 7 years ago | (#16654785)

Given that
(a) My brother has a Mac (so USB drivers might not exist) and
(b) my parents had an "ancient" laptop (now deceased) at the time,
  they might still only have had the option of ethernet anyway. I must admit, I was pleasantly surprised that there was the choice.

Re:Is Telstra not one of the biggest? (1)

Kangburra (911213) | more than 7 years ago | (#16654823)

What used to really annoy me, was people with USB and ethernet on their modem who had (kindly) been set-up using the USB port by a mate (who knows about computers!).

Re:Not that big a deal, but still. (1)

@madeus (24818) | more than 7 years ago | (#16654887)

...and once again the US assumes everyone else in the world has DSL and 4 port modems.

I'm not from the US, and FYI all the other countries in the developed world do pretty much all have broadband, with 4 port DSL modems (from the likes of Netgear, ZyXEL, etc.) being very much the norm.

Hello, a lot of people still use 56K modems to connect to the net.

Indeed, but those are not usually people with more than one computer - because people with more than one computer are the sort of people that will just get cable or DSL (unless they are in the sticks, and most bumpkins don't own more than one computer so that's a very small percentage).

The biggest ISP's in Australia supply a USB only DSL modem when you sign up. These people rely on ICS.

Not true. Bigpond/Telstra, Internode, OptusNet, Netspace, Westnet and the rest all supply DSL modems with an Ethernet interface or no modem at all. Providers everywhere - not just in Australia - have the option of a USB modem for customers who want the cheap and nasty option, but the people who have chosen to go for the USB-only modem option (where it's still available, and its availability is rapidly declining) are almost certainly not "relying on ICS" because they almost certainly have only one personal computer in the house.

Re:Not that big a deal, but still. (1)

mackyrae (999347) | more than 7 years ago | (#16655165)

hahhaha You're right, the US actually has relatively SLOW internet. We should be assuming fiber optics for East Asia ^_^ You did know that Asia has much faster internet than the US, right? Actually, a large chunk of Americans are /still/ using dial-up (*gag!*) Maybe in 3rd world countries it's all dial-up, but then, do they even have computers of their own? Oh, and yeah, you're right though about 4-port modems. I can tell you for damn sure my modem only has 1 RJ45. The router has 4 out though. Shouldn't mix up hardware components like that.

Re:Not that big a deal, but still. (1)

Lord Kano (13027) | more than 7 years ago | (#16654449)

What's their excuse for having this kind of vulnerability?

I'm pretty sure that it goes a little something like this...

We're Microsoft, what are you going to do? Switch?

LK

Re:Not that big a deal, but still. (2)

happy monday (574985) | more than 7 years ago | (#16654489)

Well, I tried to check whether I'm running ICS, so ran services.msc, and couldn't find it. Then I noticed the firewall and ICS are listed together as one service, called Windows Firewall/Internet Connection Service (ICS). So it seems the two services have been merged together somehow, and running one entails running the other.
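For a defender who wants to confirm what the post above observes, and to notice when that combined service dies the way the article describes, here is an added PowerShell check. It is not code from the thread or from Microsoft. It assumes PowerShell is installed on the XP host and that the combined "Windows Firewall/Internet Connection Sharing (ICS)" service is registered under the short name SharedAccess (that is the name it carries on XP SP2), and that the Service Control Manager logs unexpected terminations as System-log events 7031/7034.

```powershell
# Added example, not from the thread. Assumes PowerShell on the XP host and that
# the combined firewall/ICS service is registered as 'SharedAccess'.
$serviceName = 'SharedAccess'

function Get-FirewallServiceState {
    # Returns the SCM status string ('Running', 'Stopped', ...) or 'missing'.
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'missing' }
    return $svc.Status.ToString()
}

function Get-UnexpectedFirewallStops([int]$newest = 1000) {
    # The SCM logs 7031/7034 when a service terminates on its own; an admin
    # stopping it produces 7036 instead, so only the crash events are selected.
    Get-EventLog -LogName System -Source 'Service Control Manager' -Newest $newest |
        Where-Object { ($_.EventID -eq 7031 -or $_.EventID -eq 7034) -and
                       $_.Message -match 'Windows Firewall' } |
        Select-Object TimeGenerated, EventID, Message
}

$state = Get-FirewallServiceState
Write-Host "Windows Firewall/ICS service ($serviceName) state: $state"
if ($state -ne 'Running') {
    Write-Warning 'Host firewall is not running; inbound traffic is unfiltered until the service is restarted.'
}

$crashes = @(Get-UnexpectedFirewallStops)
if ($crashes.Count -gt 0) {
    Write-Warning ("{0} unexpected termination(s) of the firewall/ICS service in the System log:" -f $crashes.Count)
    $crashes | Format-Table -AutoSize
}

# Mitigation until the fix is applied: tell the SCM to restart the service after
# a crash (three attempts, 5 s apart, counter reset after a day), so one bad
# packet does not leave the host unprotected until somebody notices.
& sc.exe failure $serviceName reset= 86400 actions= restart/5000/restart/5000/restart/5000 | Out-Null
```

Run it from an administrator session; `sc.exe failure` needs that right. The automatic restart only shortens the window a crashed firewall leaves open: under sustained packets the service would simply crash again, which is exactly what the 7031/7034 query surfaces, and why the check belongs in a scheduled task rather than being run once.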

What can you trust? (3, Insightful)

RLiegh (247921) | more than 7 years ago | (#16654425)

If the graphics applications you use require Windows, and all of the major firewall vendors are bloated (Symantec), worthless (Kerio) or both (McAfee), then what can you do?

Re:What can you trust? (1)

snsr (917423) | more than 7 years ago | (#16654469)

Use Ghost Security's appdefend and a decent silent firewall to gain adequate security for the average graphics user.

Re:What can you trust? (0)

Anonymous Coward | more than 7 years ago | (#16654503)

... get Comodo?

Re:What can you trust? (0)

Anonymous Coward | more than 7 years ago | (#16654507)

As the MS firewall can be ignored at will by some applications, IMHO it's worthless.

Re:What can you trust? (4, Insightful)

oGMo (379) | more than 7 years ago | (#16654579)

A few things:

  • Keep all your broken (Windows) boxes in a heavily-firewalled subnet (and make sure the firewall is something secure, i.e., not Windows)
  • Don't put the broken box on the network at all
  • Run your app in a VM
  • Find a new app

Re:What can you trust? (1)

jonwil (467024) | more than 7 years ago | (#16654583)

Having the machines behind a NAT router should stop a lot of attacks. And if that isn't enough, find a NAT router with a built-in firewall (or add an extra firewall appliance such as an old PC with Linux on it).

I have yet to see a Windows-based firewall that doesn't suck.

Re:What can you trust? (1)

kjart (941720) | more than 7 years ago | (#16654781)

Having the machines behind a NAT router should stop a lot of attacks. And if that isn't enough, find a NAT router with a built-in firewall (or add an extra firewall appliance such as an old PC with Linux on it).

Seems like good advice - no matter what your OS is. Not much to pay for another (solid) layer of security, and the second option is a nice way to recycle old PCs.

Re:What can you trust? (3, Interesting)

orpheus_okt (879958) | more than 7 years ago | (#16654591)

worthless (Kerio)

Uh... Is there something I missed in the last weeks/months? No, I'm not implying that I heard exactly the opposite, but it sounds like there are serious security holes in the old Kerio firewall, although I was always convinced it's still one of the better free ones out there. And I really must have missed the news then...

Up to now, I was sticking to Kerio on Windows. Especially because of its rather powerful options to filter single applications, addresses, ports and plenty of other manually configurable stuff instead of a placebo firewall which provides a "Yes, I'll save you from all Evil"- and a "Take care of yourself"-Button (at maximum with a Beginner-Amateur-BetterAmateur switch). Those are worthless.

Come on, tell me people! Why is Kerio considered bad these days?

Re:What can you trust? (1)

ZERO1ZERO (948669) | more than 7 years ago | (#16654749)

I always thought Kerio was the best free one as well, so I too am interested in why it is (apparently) out of favour now.

Re:What can you trust? (1)

Alarash (746254) | more than 7 years ago | (#16654617)

You use an IPS/IDS appliance that goes up to level 7.

Re:What can you trust? (4, Funny)

gbobeck (926553) | more than 7 years ago | (#16654777)

You use an IPS/IDS appliance that goes up to level 7.

For extra effectiveness, make sure your level 7 IPS/IDS appliance is armed with nothing less than a +3 Sword of Packet Smiting.

Re:What can you trust? (1)

EvilIdler (21087) | more than 7 years ago | (#16654635)

You can use Outpost (firewall + spyware protection) or Norman (all that and good antivirus).

Re:What can you trust? (1)

rufusdufus (450462) | more than 7 years ago | (#16654793)

This is the only truly safe thing you can do: repartition and format your drive and reinstall with the internet disconnected. You can also install firewalls et al. that other people on this thread are suggesting. Install and configure your main applications. Then, make an image* of the drive.
When you use your computer for important stuff, save your data to external drives.
Then every few days, restore the image. Once you've learned how to do it, it will take about 5 minutes, which is actually quite a bit faster than a virus scan, and guaranteed to clean even invisible rootkits.

*The key thing is to get an imager that can boot the computer from a CD. The old Norton Ghost can do this. You don't want to use any program that is running inside the OS you are restoring since it won't be able to remove rootkits. Another example is Acronis True Image. There are many others.

Use a secure firewall (1)

Bunyip Redgum (641801) | more than 7 years ago | (#16654873)

Use a proven firewall such as OpenBSD, which can both act as a firewall and provide NAT, DHCP etc. for the LAN.

Unlike Windows, OpenBSD has suffered "Only one remote hole in the default install, in more than 10 years!".

Oh and version 4.0 is due out tomorrow - see http://openbsd.org/40.html [openbsd.org]

Re:What can you trust? (1)

mjjw (560868) | more than 7 years ago | (#16654945)

Use different graphics programs on a different operating system (although *most* major graphics apps run on Mac as well as PC).

Or sit your windows PC behind a hardware / linux firewall (or both).

Or run those graphics applications inside a VM running on your windows PC. If the PC is compromised, the VM should still be relatively safe (especially if running with networking disabled - you can usually still copy files in and out of the VM).

Or combine all of the above and use e.g. Mac OS X behind a hardware firewall, with the Mac OS X software firewall enabled and run your graphics apps on windows running inside a Parallels VM (which runs at near full speed). This is the approach I use.

Re:What can you trust? (1)

master_p (608214) | more than 7 years ago | (#16655079)

I use ZoneAlarm by ZoneLabs...it is the best software firewall for Windows. The first thing I do when I do a fresh Windows install is to disable the Windows Firewall and install ZoneAlarm...

Re:What can you trust? (1)

mackyrae (999347) | more than 7 years ago | (#16655199)

How about Avast? It's free (woo!). I use it to keep from sending virus-ified Windows files to Windows users (it's not like I'd notice if there was a virus on mine cuz it'd be dormant).

Very Naughty (1)

davro (539320) | more than 7 years ago | (#16654427)

Microsoft's public relations agency said Monday in a statement:
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

Well then everything is fine and dandy then ;(

It is Internet Connection SHARING (0)

Anonymous Coward | more than 7 years ago | (#16654431)

The article didn't sound right calling it Internet Connection Service so I did some poking around on the blog the article referenced: http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm/ [ncircle.com]

ICS == Internet Connection Sharing.

Lack of testing? (0)

Anonymous Coward | more than 7 years ago | (#16654443)

Maybe the bug slipped past because nobody uses ICS. Too cheap to buy a free after rebate router?

Re:Lack of testing? (1)

RLiegh (247921) | more than 7 years ago | (#16654467)

>Too cheap to buy a free after rebate router?

Personally speaking, I just hate letting my old K6-2 sit around and gather dust. Some Slackware and a little cut and paste from the NAT HOWTO and it makes a fine file serving/ICS machine.

Re:Lack of testing? (0)

Anonymous Coward | more than 7 years ago | (#16654483)

If you are using slackware, what the fuck does that have to do with ICS?

Re:Lack of testing? (1)

Antiocheian (859870) | more than 7 years ago | (#16654577)

It doesn't have to be GNU/Linux (although it is better) -- Windows has fine NAT software products too.

BTW, I was using software NAT on a very clean BNC cable-based ethernet and it was very stable and very configurable. All printers and shared devices were connected to the "server", no extra cables no extra boxes, no problems.

Staying away from MS networking solutions is always a safe choice.

Re:Lack of testing? (1)

hcdejong (561314) | more than 7 years ago | (#16654655)

The drawback of that approach is that you have yet another large box with noisy fans using 10 times the amount of power a router would use. But if you need a file server anyway...

Re:Lack of testing? (1)

bigberk (547360) | more than 7 years ago | (#16654677)

I've got a 200 MHz Pentium (also slackware) doing my NAT and firewalling ... easily handles 10 Mbps. I've read that even an ancient, free (100 MHz) linux router can do 50 Mbps. I think the best approach in layered network security is diversification of your defences; maybe a Linux or BSD router, but still have the desktop PCs run their own firewalls.

Please explain me... (2, Funny)

Anonymous Coward | more than 7 years ago | (#16654463)

What those engineers were thinking? A data package, the thing a firewall is filtering to some point, can disable the firewall? Who thought it would be a nice feature to have that?

"We need a firewall of our own!"
"Why?"
"To keep our monopoly; those firewall and antivirus companies are making money that should be in our pockets."
"But antitrust..?"
"We say it's because we want to have a secure system, it should've been in the first place. Those companies have no case! >:D"
"But even we cannot access their systems anymore without logging our activity on our massive 'slave-farm'."
"We'll add a backdoor, so we can remotely disable it. Noone will ever find it >:)"
"Excellent..."

Microsoft's woes.. (1)

hexed_2050 (841538) | more than 7 years ago | (#16654473)

Bill: "We must delay Vista a few more weeks because Sam the janitor found that if he logged on exactly at 12am, the system would implode and cause a reinstall. Thank god for QC!"

Grunt: "Hey Bill, there is a bug in XP that can totally disable the firewall! How about making an SP3 for XP?"

Bill: "You obviously don't share my vision do you?"

Because, of course, Windows Firewall is awesome! (1)

Channard (693317) | more than 7 years ago | (#16654487)

I never used Windows Firewall on my PC - I used Zonealarm or Tiny Personal Firewall. Why? Because given how many security holes XP had - and probably still has - I wouldn't trust my security to it. And lo and behold, here we are.

Re:Because, of course, Windows Firewall is awesome (0)

Anonymous Coward | more than 7 years ago | (#16654901)

Considering the number of security alerts concerning ZoneAlarm compared to the ones concerning Windows Firewall I would not be so proud...

But we are on slashdot so surely anything marked windows is worse!

Re:Because, of course, Windows Firewall is awesome (0)

Anonymous Coward | more than 7 years ago | (#16655255)

But we are on slashdot so surely anything marked windows is worse!

Squeal, fanboy! Squeal!

Not as bad as it sounds (5, Informative)

DavidD_CA (750156) | more than 7 years ago | (#16654553)

So for this attack to work, according to the article...

1) The attacker has to be on the LAN already, or executing code from a PC on the LAN

2) The LAN has to be connected to the internet through a PC using ICS, and

3) There can be no external firewall device such as a router sitting between the LAN and the internet

While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.

Rats (0)

Anonymous Coward | more than 7 years ago | (#16654737)

So much for my plans for shutting my firewall off remotely from work...

Re:Not as bad as it sounds (1)

dhammabum (190105) | more than 7 years ago | (#16654747)


While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.

Well, if a trojan or virus gets on a LAN-based machine and it takes out ICS and the firewall, that leaves that machine more open to attack. It would also be a DoS as IP forwarding is killed.

What if the attacker gets a PC on the LAN... (0)

Anonymous Coward | more than 7 years ago | (#16654819)

What if the attacker just gets a PC on the LAN to send the attack packet?

Internet Connection Service? (2, Informative)

Red_Deth (733789) | more than 7 years ago | (#16654587)

The exploit depends on the use of Microsoft's Internet Connection Service.
Is ICS not Internet Connection Sharing?

"New?" (1)

TheShadowzero (884085) | more than 7 years ago | (#16654593)

How is this new? Any attack worth its salt disables the firewall first thing. Saying this is news is like telling people AIDs is linked to death.

How could you be this wrong? (1)

SanityInAnarchy (655584) | more than 7 years ago | (#16654723)

How is this new?

RTFA. It's new because it is a specific attack that's just been discovered. If you still don't think it's new, look up the word "specific" in a dictionary and see if you can figure it out. Hint: No one is claiming that it's a new kind of attack.

Any attack worth its salt disables the firewall first thing.

The hell it does. Are you sure you know what a firewall is?

Most attacks these days would completely ignore the firewall, and look for a way around it. Once inside, the only point to disabling the firewall would be to send spam, I guess, and the smarter ones would, again, attempt to go around it, so that a sneaky admin would still see their firewall supposedly working, and wouldn't see any suspicious rules to allow that particular app to connect.

In fact, I can't really think of any firewall-disabling attacks that make any sense. Even if we're talking about a big, corporate firewall, disabling it would be downright retarded -- the admin will be onto you in a heartbeat, and if it's any kind of decent firewall and you have the kind of access it takes to disable it, you almost certainly already have a tunnel as far in as you can go.

(Note: Almost. I can imagine some strange networks and situations where you'd be right, but you're still wrong, because we're talking about a single attack on a single Windows computer.)

Now, this attack is actually new and of a somewhat rare kind -- it disables the Windows firewall, which means it could potentially allow other attacks. It's amazing how stupid it is -- this attack should not work -- but it is not, by itself, a real danger.

Saying this is news is like telling people AIDs is linked to death.

I think you meant to say "AIDS". AIDS is not the plural of AID. AIDS stands for Auto-Immune Deficiency Syndrome. AIDS is singular.

Also, AIDS does not necessarily cause death. It just weakens your immune system ridiculously. Think of it like playing Halo without a shield, if such a thing was possible. People with AIDS have to be insanely cautious in order to simply stay alive, and to prevent spreading the virus to others, but it's entirely possible to live with AIDS.

So, basically, you're entirely wrong in every single thing you said. That's impressive! That's an accomplishment!

Re:How could you be this wrong? (1)

TheShadowzero (884085) | more than 7 years ago | (#16654931)

Actually, you're right. I should have RTFA. I thought the discussion was about a virus.

I think you meant to say "AIDS". AIDS is not the plural of AID. AIDS stands for Auto-Immune Deficiency Syndrome. AIDS is singular. Also, AIDS does not necessarily cause death. It just weakens your immune system ridiculously. Think of it like playing Halo without a shield, if such a thing was possible. People with AIDS have to be insanely cautious in order to simply stay alive, and to prevent spreading the virus to others, but it's entirely possible to live with AIDS.

Jeez, give me a break. I forgot to hold down the shift key for the last letter. I know what AIDS is. Anyway, I didn't say AIDS causes death, as you seem to have thought. I said it was linked to it. Weakening your immune system such that relatively common illnesses may cause death seems like a link to me. Also, it's not that hard to avoid spreading AIDS to other people as long as you are informed. It's called abstinence, and plenty of people practice it.

sir (0)

Anonymous Coward | more than 7 years ago | (#16654733)

please step away from the keyboard until you have conquered your substance abuse problem

thanks

Re:"New?" (1)

jimicus (737525) | more than 7 years ago | (#16654851)

Saying this is news is like telling people AIDs is linked to death.

You think that's bad? Recent research shows life is linked to death.

Microsoft change the definitions to suit (3, Funny)

Centurix (249778) | more than 7 years ago | (#16654729)

When they advertise that XP installations come with a firewall, they in fact mean that XP installations come installed with a wall of fire. The EULA clearly states that, somewhere near the bottom next to the pictures of cats and the sudoku puzzles, because no-one ever reads that far...

The Remedy (1)

excelsior_gr (969383) | more than 7 years ago | (#16654755)

As it seems, judging by the majority of the comments, the first thing an *experienced* user would do on an XP machine would be to deactivate the MS firewall and install a third party firewall.

But then again, which inexperienced user would set up a LAN with the - advanced I would say - specifications described in the article? So, no real need to patch there... I am surprised they ever found out about this thing. It is easy to forget that all these little Windows tools are for users that will do no more than the occasional browsing and multimedia playback.

For the record, I have iSafer always enabled.

In Soviet Russia ... (1, Funny)

Anonymous Coward | more than 7 years ago | (#16654799)

... firewalls disable you.

If they use ICS, then they deserve it! (1)

www.sorehands.com (142825) | more than 7 years ago | (#16654827)

Come on people. Routers are cheap. It is better to use a hardware router instead of a Windows machine as a router. At home, I run a 300MHz Pentium II as a router. At the office, a router is used.

Everyone knows Windows is insecure. It only costs $30/$40 for a router. $29 for a D-Link DI-704P 4-Port Cable/DSL Router at outpost.com

How to disable the Windows FW in 2 lines of VBS (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16654857)

Fortunately for all V(irus)B(uilding)S(script) coders, Microsoft gave us all a very easy way to silently disable the firewall at any time...

' Windows Firewall COM manager (XP SP2 and later); changing policy needs an account allowed to do so, normally an administrator.
Set objFirewall = CreateObject("HNetCfg.FwMgr")
' Turn the firewall off for the profile currently in use (domain or standard).
objFirewall.LocalPolicy.CurrentProfile.FirewallEnabled = False
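
An added example, not posted by anyone in this thread, that audits the two things the discussion turns on: the "Not as bad as it sounds" preconditions (is this box actually sharing a connection with ICS?) and the VBScript above (is the firewall still on, and has someone quietly widened it?). It uses the same legacy HNetCfg COM objects the snippet uses, plus the service that hosts both Windows Firewall and ICS on XP SP2, SharedAccess. Assumptions: Windows XP SP2 or later with PowerShell 2.0 installed (PowerShell was never shipped with XP), an administrator session, and the function names `Get-LegacyFirewallState`, `Get-IcsState` and `Repair-LegacyFirewall`, which are mine, not Microsoft's.

```powershell
# Added example (not from the thread). Assumes XP SP2+ with PowerShell 2.0 and an
# administrator session. Function names are the example's own.

function Get-LegacyFirewallState {
    # On XP SP2 the firewall lives inside the SharedAccess service, the same one that
    # hosts ICS. If that service is dead, HNetCfg.FwMgr cannot answer, so report that
    # first instead of throwing halfway through.
    $svc = Get-Service -Name SharedAccess
    if ($svc.Status -ne 'Running') {
        return New-Object PSObject -Property @{
            ServiceStatus   = $svc.Status
            FirewallEnabled = $false
            Note            = 'SharedAccess not running: firewall and ICS are both down'
        }
    }

    $mgr     = New-Object -ComObject HNetCfg.FwMgr    # same COM object as the VBS snippet
    $profile = $mgr.LocalPolicy.CurrentProfile

    # Ports opened for every application, the quiet way to widen a firewall that still
    # reports "enabled". NET_FW_IP_PROTOCOL: 6 = TCP, 17 = UDP.
    $openPorts = @()
    foreach ($p in $profile.GloballyOpenPorts) {
        if ($p.Protocol -eq 6) { $proto = 'tcp' } else { $proto = 'udp' }
        $openPorts += ('{0}/{1} ({2})' -f $p.Port, $proto, $p.Name)
    }

    if ($mgr.CurrentProfileType -eq 0) { $ptype = 'domain' } else { $ptype = 'standard' }
    New-Object PSObject -Property @{
        ServiceStatus     = $svc.Status
        ProfileType       = $ptype
        FirewallEnabled   = [bool]$profile.FirewallEnabled
        ExceptionsBlocked = [bool]$profile.ExceptionsNotAllowed
        NotificationsOff  = [bool]$profile.NotificationsDisabled
        GloballyOpenPorts = $openPorts
    }
}

function Get-IcsState {
    # Enumerate every network connection and ask whether ICS is enabled on it.
    # A host with a public and a private shared connection is the ICS gateway the
    # attack needs; a host with none is not exposed to this particular bug.
    $share  = New-Object -ComObject HNetCfg.HNetShare
    $shared = @()
    foreach ($conn in $share.EnumEveryConnection) {
        $cfg = $share.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) {
            $props = $share.NetConnectionProps($conn)
            # ICSSHARINGTYPE: 0 = public (internet side), 1 = private (LAN side)
            if ($cfg.SharingConnectionType -eq 0) { $role = 'public' } else { $role = 'private' }
            $shared += New-Object PSObject -Property @{ Name = $props.Name; Role = $role }
        }
    }
    New-Object PSObject -Property @{
        IcsEnabled        = ($shared.Count -gt 0)
        SharedConnections = $shared
    }
}

function Repair-LegacyFirewall {
    # Undo what the VBS one-liner (or a crashed service) did: bring SharedAccess back
    # and switch the firewall on again for the profile in use, then re-audit.
    $svc = Get-Service -Name SharedAccess
    if ($svc.Status -ne 'Running') { Start-Service -Name SharedAccess }
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    if (-not $mgr.LocalPolicy.CurrentProfile.FirewallEnabled) {
        $mgr.LocalPolicy.CurrentProfile.FirewallEnabled = $true
    }
    Get-LegacyFirewallState
}

# Usage: run the audit, then repair only if something is off.
Get-LegacyFirewallState | Format-List
Get-IcsState | Format-List
```

Two points worth keeping in mind when reading the output: `FirewallEnabled` alone is not enough, because a firewall left "enabled" with extra entries in `GloballyOpenPorts` is just as open as one switched off and far less likely to be noticed; and if `ServiceStatus` comes back as anything but `Running`, both the firewall and any ICS forwarding on that box are gone together, which is exactly the failure mode the article describes.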

And again... (0)

Klaidas (981300) | more than 7 years ago | (#16654867)

Malicious code can damage your computer. New bugs can be found on a patched system. News at 11.

Why Does Windows Get All the Press? (3, Funny)

RAMMS+EIN (578166) | more than 7 years ago | (#16655085)

Why does Windows get all the press? It's not fair! I want to see some coverage of stupid holes in Linux and the free BSDs!

Re:Why Does Windows Get All the Press? (1)

mackyrae (999347) | more than 7 years ago | (#16655263)

Find one and start bitching. If it's not fixed within a week of your public bitching (which must be online, not to Aunt Sally), then complain about how insecure *nix is.