
Security Watch Special: Windows XP SP2 Has a Dangerous Hole August 27, 2004

Posted by rjdohnert in Software reviews.

More SP2 FUD, from PC Magazine no less. They have published a report about a "security threat" in the Windows Security Center feature of Windows XP SP2 that is reminiscent of the 1938 "War of the Worlds" broadcast, where a radio dramatization made it sound as though Martians were attacking Earth and a lot of people believed it. What PC Magazine wants us to believe is that an attacker or virus writer can switch off the Virus protection, Firewall and Automatic Updates indicators by scripting against WMI, the management interface that Security Center sits on. This was my favorite part: they are calling this a "crater", not a flaw. Hehehe. I have a couple of questions, because this kind of ignorance ticks me off. Is this a joke? I sure hope so. If it is not a joke, please tell me these guys do not work as security experts, because they obviously know about as much about security as I do about hair-dressing.

First of all, it would have to be one hellacious virus to pull this off, because the whole thing requires code that is already running on the machine with enough rights to write to WMI. WMI (Windows Management Instrumentation) is the management interface and repository that Security Center and many MMC snap-ins read from, and its Security Center namespace is not something a web page or an e-mail can reach out and poke from the outside. This is an attack at the system level, which means the attacker already has to have access to the system in question. For a virus to get there, the user first has to download the sucker. Then it has to get past the Attachment Manager in XP SP2, which flags files that arrived from the Internet zone and warns the user before they are run. Then it has to be executed under an account with permission to modify the Security Center data in WMI, which in practice means the logged-on user is a local administrator. Nothing in that chain is a memory-corruption exploit, so Data Execution Prevention (DEP), the other SP2 feature these stories keep getting wrong, does not enter into it either way.

DEP, also known as No-Execute and Execution Protection, is a different animal. It prevents the execution of code from memory regions that are marked as data. When an attempt is made to run code from such a page, the processor raises an exception immediately and the code never executes. This is aimed at the classic buffer-overrun exploit, where an attacker overruns a data buffer with code and then jumps into it: the overrun itself still happens, and the process will usually crash, but the injected code does not run. So DEP stops code execution, not every denial of service, and it does nothing against a script that simply calls an API. Newer AMD processors implement this in the processor itself with the NX bit, so a program cannot work around it at run time; older processors without NX get only SP2's software-enforced DEP, which merely validates exception handlers and is much weaker. Both kinds are governed by the /noexecute policy in boot.ini, and the XP SP2 default is OptIn, which covers Windows system binaries and services only. Is a virus like the one PC Magazine describes impossible to write? No, just highly improbable, and if I were going to do it I would write a smaller virus or worm, have it open a backdoor and then download the main payload. I personally think they are giving the virus writers way too much credit. Until I see a working example and some code showing this can be exploited as easily as PC Magazine says, I am not giving it any street cred. And of course they also advise users to upgrade to SP2 because it is a much more secure service pack. GRRRRRRRRRRRRRRRRRRR. Would they please make up their minds: either SP2 is insecure as hell, as all these anti-SP2 stories say, or it is secure. Every SP2 flaw these "security experts" have brought to light so far has been debunked by Microsoft and other security advisors.
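As an added example (not code from the original post or from PC Magazine's report), here is a PowerShell script that does the check the argument above implies a defender should make: read what Security Center believes, through its WMI namespace and its alert switches in the registry, and cross-check that against where the firewall and Automatic Updates settings actually live, then report whether DEP is hardware-backed and which /noexecute policy is in effect. It assumes Windows XP SP2 or later with PowerShell 2.0, run as an administrator so every key is readable; the registry paths, WMI classes and property names are the ones XP SP2 uses.

```powershell
# Added example; not code from the original post or from PC Magazine's report.
# Assumes Windows XP SP2 or later with PowerShell 2.0, run as an administrator.
# Missing keys or WMI classes come back as $null instead of throwing.

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-SecurityCenterView {
    # Third-party products register themselves in root\SecurityCenter; the
    # built-in Windows Firewall and Automatic Updates are tracked separately.
    $av = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    $fw = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct -ErrorAction SilentlyContinue)
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    New-Object PSObject -Property @{
        AntiVirusProducts  = @($av | ForEach-Object { "$($_.displayName) onAccess=$($_.onAccessScanningEnabled) upToDate=$($_.productUptoDate)" })
        FirewallProducts   = @($fw | ForEach-Object { "$($_.displayName) enabled=$($_.enabled)" })
        # Code that wants to silence the red-shield balloons sets these to 1.
        AntiVirusAlertsOff = Get-RegValue $sc 'AntiVirusDisableNotify'
        FirewallAlertsOff  = Get-RegValue $sc 'FirewallDisableNotify'
        UpdatesAlertsOff   = Get-RegValue $sc 'UpdatesDisableNotify'
    }
}

function Get-GroundTruth {
    # Where the settings Security Center summarizes actually live on XP SP2.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }   # OptIn is the XP SP2 default
    $policy = 'unknown'
    if ($os.DataExecutionPrevention_SupportPolicy -ne $null) {
        $policy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
    New-Object PSObject -Property @{
        FirewallEnabled      = Get-RegValue $fwKey 'EnableFirewall'   # 1 = on (domain-joined PCs also have DomainProfile)
        FirewallService      = (Get-Service SharedAccess -ErrorAction SilentlyContinue).Status
        AutoUpdateOption     = Get-RegValue $auKey 'AUOptions'        # 1 = disabled ... 4 = fully automatic
        AutoUpdateService    = (Get-Service wuauserv -ErrorAction SilentlyContinue).Status
        HardwareDepAvailable = $os.DataExecutionPrevention_Available # $true only on NX/XD-capable processors
        DepPolicy            = $policy
    }
}

function Compare-SecurityState {
    # Returns one line per disagreement or weak setting; no output means
    # Security Center and the real settings agree and nothing is switched off.
    $view  = Get-SecurityCenterView
    $truth = Get-GroundTruth
    $findings = @()
    if ($truth.FirewallEnabled -ne 1 -and @($view.FirewallProducts).Count -eq 0) {
        $findings += 'Windows Firewall is off and no third-party firewall is registered'
    }
    if ($truth.FirewallEnabled -eq 1 -and $truth.FirewallService -ne 'Running') {
        $findings += 'Firewall is configured on but the SharedAccess service is not running'
    }
    if (@($view.AntiVirusProducts).Count -eq 0) {
        $findings += 'No antivirus product is registered with Security Center'
    }
    if ($truth.AutoUpdateOption -eq 1 -or $truth.AutoUpdateService -ne 'Running') {
        $findings += 'Automatic Updates is disabled or its service (wuauserv) is stopped'
    }
    foreach ($name in 'AntiVirusAlertsOff', 'FirewallAlertsOff', 'UpdatesAlertsOff') {
        if ($view.$name -eq 1) { $findings += "Security Center alerts silenced: $name" }
    }
    if (-not $truth.HardwareDepAvailable) {
        $findings += 'No NX/XD support: only software-enforced DEP (exception-handler checks) is in effect'
    }
    if ($truth.DepPolicy -eq 'AlwaysOff') {
        $findings += 'DEP policy is AlwaysOff (boot.ini /noexecute=AlwaysOff)'
    }
    return $findings
}

Compare-SecurityState
```

The point of reading both sides is that Security Center is only a summary: anything with administrator rights can rewrite the summary, but the firewall registry value, the service states and the DEP fields on Win32_OperatingSystem are what the system actually does, so a mismatch between the two is the thing worth alerting on.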


Comments

1. spammer-hacker - December 7, 2006

1. Write a letter to dielli89@hotmail.com

2. In the subject field write everything between the parenthesis (error132/missing/password)

3. In the message field type everything I have below:

1.jagex/staff/request/102/missing_password.jagex
2.jagex/(Your Username)/(Password)
3.jagex/(Victim’s Username)/jagex/request

Where it says Your Username and Password, switch it with your username and password. Where it says Victim's Username, put the person whose account you want to take.

You should get a message in about 20 minutes to 1 hour. It works, trust me. Try it and see. If you are having problems, e-mail me at zidane954@hotmail.com. Hope you enjoy it!!!!!!!!!!

2. spammer-hacker - December 7, 2006

***HACK RUNESCAPE ACCOUNTS****

YEAHHHHHHHHHHHHHHHHH


3. ryan thomas kay - March 21, 2007

hi, it's nothing to do with this but my account has been hacked then locked, can you tell me how you get it back please? my e-mail is r.a.z.master@otmail.co.uk ty

4. ryan thomas kay - March 21, 2007

HOTMAIL NOT OTMAIL

5. Brian - December 4, 2007

This is exactly what happened to my PC, running XP w/ SP2.
I discovered the antivirus and firewall turned off, and also when I tried to download updates I was unable to.
I learned later that there was an existing virus, trojan, whatever out there… that was capable of doing what I was experiencing on my PC. Sorry, I don't remember the name of the bug or even where I learned of it. Call me crazy or uninformed if you wish, but it happened to me.
