Microsoft: February 2005 Archives
I started the morning with a quick glance at the blog headlines. Donna's Security Flash has the headline "Windows Firewall has a backdoor". Donna is an MVP, I would assume in security, based on the name of the blog.
The blog entry links to a discussion on bugtraq. Someone has reported that by adding a new entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List they can "circumvent" the firewall. I have no doubt that this will be picked up by the usual Microsoft-hating press, e.g. news.com and The Register. Of course, reading bugtraq would require real work; they likely won't pick up the story until after it appears on Slashdot.
Others quickly replied to debunk this story. "This is not a backdoor or vulnerability. The default permissions on this key are Full Control for SYSTEM and Administrators and Read for Users. The Administrator should be able to configure the firewall to allow programs to connect outbound."
Another reply, from a PivX employee: "having an exception list is not a back door". Basically, any time you run code as administrator there is no limit to the damage you can do. This is true of any software.
He went on to say that at the Black Hat Briefings 2004 in Las Vegas, Eugene Tsyrklevich gave a presentation called "Attacking Host Intrusion Prevention Systems" in which he demonstrated on stage how to completely circumvent McAfee Entercept, a behavioral host-based protection product that tries to limit the actions of malicious code once it is already running on the machine.
Computerworld has an article quoting Microsoft as saying spyware and malware are beginning to use rootkits more. Currently malware is relatively easy to find: most of it is as vanilla as looking in the Run key in the registry. Spyware takes advantage of many autostart locations that the typical user, and even many admins, weren't aware of until they began battling spyware. Rootkits go deeper than that, possibly even modifying the kernel, so that the very tools you would use to look are lied to. This brings a new urgency to the advice to reload your system if compromised!
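Since the firewall's AuthorizedApplications\List key is, as the bugtraq replies say, a configuration that any administrator (or anything running as one) may change, the useful control is not to "fix" it but to audit it, alongside the vanilla Run key mentioned above. The following is an added example of mine, not code from this blog or from the bugtraq thread. It parses a .reg export (the sample below is constructed for this example) and flags exception entries and autostart entries that point outside the directories you trust, plus the stronger signal of one executable that is both auto-started and allowed through the firewall. Assumptions: the XP SP2 entry format `path:scope:Enabled|Disabled:friendly name`, the key path including CurrentControlSet, and the environment-variable values and trusted roots hard-coded in the block (a live audit would read them from the host).

```python
"""Audit the Windows Firewall exception list and the Run key from a .reg export."""
import re

FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed environment values and trusted install roots for this example;
# on a real host read them from the environment / policy instead.
ENV = {"%windir%": r"C:\WINDOWS", "%systemroot%": r"C:\WINDOWS",
       "%programfiles%": r"C:\Program Files"}
TRUSTED_ROOTS = (r"C:\WINDOWS\system32", r"C:\Program Files")

# Constructed sample export: two legitimate exceptions, one suspicious one,
# and a Run entry that starts the same suspicious binary from %windir%\Temp.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\Temp\\svch0st.exe"="C:\\WINDOWS\\Temp\\svch0st.exe:*:Enabled:Windows Update Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"WinUpdate"="C:\\WINDOWS\\Temp\\svch0st.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
# XP SP2 exception entry: path:scope:Enabled|Disabled:friendly name (path may contain "C:")
FW_ENTRY_RE = re.compile(r"^(.*?):([^:]+):(Enabled|Disabled):(.*)$", re.I)


def _unescape(s):
    """Undo .reg string escaping: each backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; only string data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            s = STRING_RE.match(data)
            keys[current][name] = _unescape(s.group(1)) if s else data
    return keys


def expand(path):
    """Expand the few environment variables these keys use (values assumed in ENV)."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.I)
    return path


def firewall_exceptions(reg):
    """Decode every exception entry under the List key into a dict."""
    entries = []
    for data in reg.get(FIREWALL_LIST_KEY, {}).values():
        m = FW_ENTRY_RE.match(data)
        if m:
            path, scope, state, friendly = m.groups()
            entries.append({"path": expand(path), "scope": scope,
                            "enabled": state.lower() == "enabled", "name": friendly})
    return entries


def run_command_exe(command):
    """Pull the executable out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def run_entries(reg):
    """Map each Run-key value name to the executable it starts."""
    return {name: expand(run_command_exe(cmd)) for name, cmd in reg.get(RUN_KEY, {}).items()}


def is_trusted_location(path):
    p = path.lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def audit(reg_text):
    """Return (finding, path, label) tuples for untrusted exceptions, untrusted
    autostarts, and executables that are both auto-started and firewall-allowed."""
    reg = parse_reg(reg_text)
    fw = firewall_exceptions(reg)
    findings = [("firewall-exception-untrusted-path", e["path"], e["name"])
                for e in fw if e["enabled"] and not is_trusted_location(e["path"])]
    allowed = {e["path"].lower() for e in fw if e["enabled"]}
    for name, exe in run_entries(reg).items():
        if not is_trusted_location(exe):
            findings.append(("run-key-untrusted-path", exe, name))
        if exe.lower() in allowed:
            findings.append(("run-key-and-firewall-exception", exe, name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(*finding, sep="\t")
```

On a live XP SP2 box you would feed it the output of `reg export` for the two keys. The location heuristic is deliberately crude; what matters is that the check runs from outside the box or from known-good media, because anything that could write the List key as Administrator could just as easily tamper with a check that runs under the same account, which is the whole point of the "not a backdoor" replies.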
On the same subject, Microsoft Research has a paper on detecting rootkits that is an interesting read.
Why is it that every time you want to read a document from Microsoft, they wrap it up in an EXE file? I've read somewhere that this is so they can digitally sign the EXE to prevent content spoofing. I guess that is an indication of how little trust they put in digital signatures attached to Word documents.