
[Op-Ed] Say What? Part Two



Posted by Author 1746 On 2007-04-29 10:02:18






Say What? Part Two

Category
Op-Ed
Making the usual rounds of the news this fine sunny morning, I notice quite a few mentions of a security advisory on the Windows Firewall, so I head over to the Microsoft Security Response Center Blog (1) to see what the word is.

Mike Reavey explains that "This advisory discusses how a malformed registry key entry could allow an exception to be entered into the firewall, but this exception wouldn't be visible in the standard firewall graphical user interfaces." This doesn't sound good, and I imagine crackers could be punching holes in my firewall and doing strange things while I sip my coffee. A quick glance at my user interface is not reassuring.

Mike goes on to say that "...to clear up any confusion, we wanted to be explicit that in order for this type of action to happen a system would already have to be compromised and malicious code be running as an administrator. This is typical of most applications and platforms - once an attacker or criminal controls a system they can take what would normally be safe actions, and misuse them to confuse customers."

Well, OK, my system would have to be compromised for this to happen, no confusion there, but what's this about an attacker that controls my system taking safe actions to confuse me?

"So," Mike says, "the best protection in these types of issues would to take preventative measures, like following the Protect Your PC guidance of enabling a firewall...".

Say what? Now I'm getting confused, and thinking of getting more coffee. I got the firewall and enabled it already, should I enable it again even if it may be Swiss cheese by now?

I read further with trepidation: "However, that said, if you wanted to view all the exceptions in a firewall, even if the type of entries discussed in the advisory have been made, then you go do that with command line tools that come with Windows XP. Detailed instructions are in the advisory."

Command line? That sounds authoritative. Maybe I should read the advisory, follow the detailed instructions, and nip this vulnerability in the bud!

The Advisory (2), Microsoft Security Advisory (897663), takes up a scant three paragraphs. The first pretty much says that unseen exceptions can be created and that my firewall really is Swiss cheese. The second paragraph, which must be the "detailed instructions", is so short I'll quote it in full: "It is important to note that this is not a vulnerability. Administrative privileges are required to access the associated section of the Windows Registry that contains this configuration information. By using documented methods to manage and create Windows Firewall exceptions, it is unlikely that a malformed registry entry will be produced which would exhibit this behavior. It is more likely that an attacker who has already compromised the system would create such malformed registry entries with intent to confuse a user."

I lean back and mull this over: Hmmm, "not a vulnerability", this is getting to be boilerplate and maybe they should just avoid the word altogether and start saying "feature". If my machine has been compromised is it possible the attacker has (Gasp!) "Administrative privileges"? Would an attacker use "documented methods" to laugh at my firewall?

Maybe not, maybe the attacker would be happy just to confuse me after compromising my system! Maybe I don't need those "detailed instructions" after all! Hey, what's a little more confusion!

I'm so relieved.

1746


(1)*This posting is provided "AS IS" with no warranties, and confers no rights.*
posted Friday, September 02, 2005 5:57 PM by stepto (Comments Off)
http://blogs.technet.com/msrc/default.aspx

(2) Microsoft Security Advisory (897663)
Windows Firewall Exception May Not Display in the User Interface
Published: August 31, 2005
http://www.microsoft.com/technet/security/advisory/897663.mspx


This article was imported from zZine. (original author: 1746)

