Windows XP Exploit Shuts Off Windows Firewall

Detailed exploit code for a Windows XP security vulnerability has been published on the Internet, offering a roadmap for hackers to disable the firewall embedded in the operating system. Microsoft on Oct. 31 confirmed it is investigating the issue, which targets ICS (Internet Connection Sharing), a feature in Windows XP that lets users share a dial-up or broadband connection with other users on a home network.

A spokesperson for the Redmond, Wash., software giant said the risk is minimized because ICS is disabled by default in Windows XP. "In addition, once enabled, an attacker could only attempt to exploit this issue from the user's local network: It cannot be remotely exploited," the spokesperson said in a statement sent to eWEEK.

News source: eWeek

17 Comments


"A spokesperson for the Redmond, Wash., software giant said the risk is minimized because ICS is disabled by default in Windows XP."

Good.

You still need some kind of software firewall, or you should, because hardware does not get most outgoing stuff like you would see in ZoneAlarm or anything like that.

There really is no reason why anyone with a broadband connection shouldn't have a hardware firewall. You can, for example, pick up a Zonet 4-port broadband router/firewall for under $30.00 (including shipping) from vendors like Amazon.com.

I don't know if the situation has changed, but it used to be that a hacker could defeat a software firewall by hitting your computer at boot time after the network has loaded, but before the firewall has loaded. With a hardware firewall, you're protected at all times – even when you're booting up.

This is no news to me. I have this problem and I didn't want to be the first to cry out "foul". My firewall had been tampered with and it goes beyond trying to use that to turn off my ZoneAlarm too. With a router and a third-party firewall, my computer is still not secured. Upon logging in to check my Admin account, I noticed that ZoneAlarm was completely gone from the service. This has not happened prior to having IE7. To my guess, this probably has something to do with IE7 or the "Network Diagnostics for Windows XP". I checked my Event Viewer and it reports Windows Media Connect and Network Diagnostics for Windows XP had something to do with my security changes.

On a side note, I don't use this computer as Admin. Even with Power User limitation, my ZoneAlarm was completely disabled. I've tested this without any third-party software installed except for ZoneAlarm.

I don't get how this is news. Pretty much any Spyware attacks and disables the Firewall.

Also, "exploit this issue from the user's local network".

Essentially, this is a completely misleading article. Just another asshat trying their best to discredit Microsoft and Windows XP.

I'm not a Microsoft fan by any stretch of the imagination but this stuff is getting sickening.

I think you've missed a key point.

This is a REMOTE exploit. You just need to send a specially crafted (DNS) packet to the interface and down goes the ICS service, which will in turn drag down your ICF.

There is a WORLD of difference between spyware which is executed locally (probably as a local admin) disabling the ICF and a single packet sent across a network!!!!!!!!!!!!!!!!

Quote - Jon said @ #5.1
I think you've missed a key point.

This is a REMOTE exploit.
...

Did you read the same article that I did?
Quote - The original article
"In addition, once enabled, an attacker could only attempt to exploit this issue from the user's local network: It cannot be remotely exploited," the spokesperson said in a statement sent to eWEEK.

Without trying to sound argumentative, I think you should re-evaluate your understanding of 'remote' and 'local'.

Here is the original advisory: http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm

Note the mention of the word remote. Local = executed from the target machine. Not from the target machine's local network. Remote = without physical access. Regardless of whether it's from a corporate LAN, home network, Internet connection or a Bluetooth dongle ;)

(Obviously I can appreciate that in the context of *networks*, local and remote have specific meanings. In the context of vulnerability assessment remote is as above. This case is slightly different in that there is a defined and unquestionable boundary between local and remote networks that isn't a potentially misconfigured firewall. Normally a remote vuln is a remote vuln, period; the difference is that being hidden behind a corporate firewall, a NATing device etc. reduces exposure. It's an odd one, but should still be considered a remote vuln IMO)

I do wonder whose firewall tech they bought for the XP built-in firewall; I thought I remember them scooping up some relatively obscure company and using that third-party firewall solution.
I just tried looking to see if I could find out which one it was but I can't; if anyone knows, I would be interested to find out.

It's still a problem, however... but I agree that most people using XP will not be bothered by this annoyance due to 3rd party firewalls, or routers or even hardware firewalls.