46 Comments
- Claymore, on 10/12/2007, -0/+14
FTA:
"the attacker would have to be within the LAN in order to make the attack work, and, of course, it would only work on systems using ICS, which is disabled by default."
Any security hole is bad but at least this is a "less likely" one...

- drewskyjones, on 10/12/2007, -2/+15
I agree. When I saw that they said ICS was "Internet Connection Service" I thought, the author does not know what they are talking about. Plus, if they have to be on the LAN side of the connection, the hacker would need to come to your house. Sure, an open wireless network might let someone in if they were nearby, but why would you be using ICS if you had a wireless router? This is a weak article about a vulnerability that is unlikely to be exploited... Lame.

- jjk5, on 10/12/2007, -0/+12
Yeah, this is clearly sensationalized, as it was on Slashdot. If something's already on your LAN, whether you're using ICS or not (why would you??) you're at risk. This is a hole that affects such a small percentage of people working under such a specific set of circumstances.

- duke_nate, on 10/12/2007, -3/+11
I guess it's good that I am not running Windows Firewall then. It can have fun trying to shut off my NAT router :-)

- moogog, on 10/14/2007, -0/+8
Let's be honest though, doesn't just about every infection that's recent kill the Windows firewall, so what's new? I work at a university and this is really a daily activity to see computers with watered firewalls :(
- hello2usir, on 10/12/2007, -0/+7
Since most Windows users are running as Administrator anyway, a malicious program doesn't need any fancy code to shut down Windows firewall. It just needs to stop the service using the normal APIs.
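The condition the comment describes (the firewall service simply stopped, or ICS left on so the host is acting as a software router) is something a defender can audit rather than argue about. The script below is an added example and is not code from the thread or from any of the products mentioned. It assumes Windows Vista or later service names (MpsSvc for Windows Firewall, SharedAccess for ICS; on XP both lived in one SharedAccess service), the NetSecurity module for per-profile state (Windows 8 / Server 2012 and later, skipped if absent), the HNetCfg.HNetShare COM object for ICS enumeration, and an elevated PowerShell session. Function and variable names are my own.

```powershell
# Added example (not from the Digg thread): defender-side audit of host firewall posture.
# Reports whether the firewall service is running, whether each profile is enabled,
# and whether Internet Connection Sharing (ICS) is switched on for any connection.
# Assumptions: Vista+ service names, NetSecurity module optional, HNetCfg.HNetShare COM
# object available, elevated session. Run from a scheduled task and alert on exit code 1.

function Get-FirewallPosture {
    $findings = @()

    # 1. Service state. A stopped MpsSvc is exactly the "service stopped via normal
    #    APIs" condition the commenter describes, so it is rated HIGH.
    foreach ($svcName in 'MpsSvc', 'SharedAccess') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        $risk = 'info'
        if ($svcName -eq 'MpsSvc' -and $svc.Status -ne 'Running') { $risk = 'HIGH' }
        $findings += [pscustomobject]@{
            Check = "Service $svcName"
            Value = [string]$svc.Status
            Risk  = $risk
        }
    }

    # 2. Per-profile firewall state (Domain / Private / Public). A service that is
    #    running but with every profile disabled is just as exposed.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        foreach ($p in Get-NetFirewallProfile) {
            $risk = 'info'
            if ([string]$p.Enabled -ne 'True') { $risk = 'HIGH' }
            $findings += [pscustomobject]@{
                Check = "Profile $($p.Name) enabled"
                Value = [string]$p.Enabled
                Risk  = $risk
            }
        }
    }

    # 3. ICS: enumerate network connections through the HNetCfg.HNetShare COM object
    #    and flag any with sharing enabled, which is the precondition the article's
    #    bug depends on (host acting as a NAT router for LAN-side clients).
    try {
        $hnet = New-Object -ComObject HNetCfg.HNetShare
        foreach ($conn in $hnet.EnumEveryConnection) {
            $props = $hnet.NetConnectionProps.Invoke($conn)
            $cfg   = $hnet.INetSharingConfigurationForINetConnection.Invoke($conn)
            if ($cfg.SharingEnabled) {
                $findings += [pscustomobject]@{
                    Check = "ICS on '$($props.Name)'"
                    Value = 'enabled'
                    Risk  = 'MEDIUM'
                }
            }
        }
    } catch {
        # COM object missing (e.g. Server Core) or access denied: record, do not fail.
        $findings += [pscustomobject]@{
            Check = 'ICS enumeration'
            Value = $_.Exception.Message
            Risk  = 'info'
        }
    }

    return $findings
}

$result = Get-FirewallPosture
$result | Format-Table -AutoSize

# Non-zero exit so a scheduled task or monitoring agent can alert on a HIGH finding.
if ($result | Where-Object Risk -eq 'HIGH') { exit 1 }
```

The ICS check is rated MEDIUM rather than HIGH because sharing may be deliberate; the point is to make the "who really uses ICS?" question answerable per machine instead of guessed. If the firewall service is found stopped, the remediation is the same whether a worm or a user did it: `Start-Service MpsSvc` and then find out why it stopped.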
- Claymore, on 10/12/2007, -3/+9
From Microsoft's site, "Internet Connection Sharing":
http://support.microsoft.com/kb/234815

- WackyT, on 10/12/2007, -0/+5
Attacker has to be on the shared side.
I think you might have more problems than this if you allow an attacker onto the shared side of your network.

- mancat, on 10/12/2007, -0/+4
"Always install a third party firewall."
Why?

- mancat, on 10/12/2007, -0/+4
Only if the system is acting as a NAT router using Internet Connection Sharing, and the attacker is one of the ICS clients. Read the article.
- donte, on 10/12/2007, -0/+4
@msgyrd: Exploits don't bother anybody when they're not.... well... exploited.

- nailz420, on 10/12/2007, -0/+4
"Once the firewall is down, where's your line of defense?" - the patches...

- mancat, on 10/12/2007, -0/+3
Okay. Besides this particular exploit, can you name one?
Just because the firewall software is written by a third party does not mean it is inherently more secure.

- trylleklovn, on 10/12/2007, -0/+3
It was posted on the Internetzz!eond
oh noes teh tubes :(

- hello2usir, on 10/12/2007, -2/+5
No, Zone Alarm is crap.
- netferret, on 10/12/2007, -0/+3
The Windows firewall is pretty useless anyway in my mind. I have a dual hardware firewall, so I have nothing to worry about :D

- Bobbler, on 10/12/2007, -0/+3
Yes you do, because they can just come in and unplug your firewall from your network. Which is essentially what this article is saying, they need physical access to your network in order to run the exploit.
Don't know about you, but letting some wannabe hacker come and plug his machine into my CAT5e isn't high on my list of things to do this week ;)
Sensationalistic crapola.

- mancat, on 10/12/2007, -1/+4
Can you explain why Zone Alarm is so incredibly better? The Windows firewall is fairly well configurable and there are a multitude of log viewers and analyzers available for it. On the other hand, I've always found Zone Alarm to be a very clunky and intrusive package.
- zerobubble, on 10/12/2007, -0/+3
I beat them to it, our Group Policy disables the damn thing already.
Clickety-click.

- tito13kfm, on 10/12/2007, -0/+3
I really have to start reading the entire headline... "New Windows Attack Can Kill" is a lot more interesting than "New Windows Attack Can Kill Firewall" though....

- donte, on 10/12/2007, -0/+3
famous last words ;)

- inactive, on 10/12/2007, -0/+2
Hey we all are working on bringing you apple slime into the anti virus market, now where did I put my copy of assembly language for dummies?
- inactive, on 10/12/2007, -1/+3
Ok no one with half a brain is using the Windows firewall!
Download the Zone Alarm firewall, it's free and works great!
Get AVG anti virus and you're good to go.
Oh, for the Apple people I guess you're on your own!

- WarpFox, on 10/12/2007, -1/+3
@msgyrd
lets see some of your code.

- havaloc, on 10/12/2007, -0/+2
http://www.personalfirewall.comodo.com/
Comodo free Personal Firewall. It's quite good.

- JQP123, on 10/12/2007, -0/+1
"I would be using either a switch or router."
A switch only implements local connections, a router is what you need. ICS is effectively a software router, for those who don't own a hardware based one.
Also, regarding this attack, lots of things are vulnerable from *inside* the LAN. From *inside* the LAN, the biggest security hole is a keyboard and monitor.

- inactive, on 10/12/2007, -0/+1
Where can I find this code? Yes it can be used only on a LAN but it would be nice to learn about it. You would be surprised how many Windows users have ICS turned on.
- AntiMe, on 10/12/2007, -0/+1
Not only that, it might be a little noticeable as when that service gets killed, everyone sharing the net thru that link drops off the net too.

- porkstacker, on 10/12/2007, -0/+1
Coolness!

- Skullpop, on 10/12/2007, -0/+1
Third party firewalls are infinitely more secure. The built in Windows firewall is a very basic one, and most basic intrusions are orchestrated with bypassing the Windows firewall in mind.
Third party firewalls are free, there's no reason not to use one!

- Boondoggle, on 10/12/2007, -0/+1
I'm not clear (haven't RTFA) on if the exploit is only available on the ICS side or not. I bet you're right about non-NAT protected users though. At least at home.
- Skullpop, on 10/12/2007, -0/+1
Ok.. I generalized. You're absolutely right that commercial ones aren't automatically better, but many commercial firewalls are more effective in preventing malicious attacks. Windows firewall, for one, only scans incoming traffic.. And it's not like any firewall can stop every piece of incoming spyware or malware, so you need to be able to scan outgoing traffic too.
In my experience when I was running the (relatively weak) Windows firewall, I found that when I did get spyware on my computer, it spread fast and was near-impossible to remove. It just seems unnecessary.
As for the firewall bypass thing.. About.com (last link on the list) agreed with you and said that Windows firewall might be no more vulnerable to attacks than other commercial firewalls, so my argument here is.. Why not have a second, more effective incoming and outgoing traffic scanning firewall, that's NOT targeted as the first one to go by viruses, if it's free?
"while the firewall is an improvement, it falls short of the standard of protection expected of commercial firewalls, according to some industry observers.
...
More seriously, rival firewall makers claim that the API used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off. Microsoft admits that, in some cases, malicious code could indeed switch the firewall off."
- http://www.pcworld.com/article/id,117380-page,1/article.html
"It should be noted that Windows Firewall is not as secure as MS would want you to believe since it does half the job a commercial firewall would do; which is to block both incoming and outgoing traffic. Windows Firewall only blocks or patrols incoming traffic and it can be easily turned off by another application, possibly a worm." - http://www.flexbeta.net/main/articles.php?action=show&id=76
"The design of Windows Firewall has also been criticized in another respect. Some feel that it is too easy for Windows Firewall to be switched off by malicious applications..." - http://compnetworking.about.com/od/windowsxpnetworking/a/windowsfirewall.htm
Phew! Hope this makes sense.

- Boondoggle, on 10/12/2007, -0/+1
""Always install a third party firewall.""
Actually, if you're going to always do something, it should be to use a HARDWARE firewall.
Either an appliance solution or a dedicated PC running Smoothwall or IPCop, etc.

- Boondoggle, on 10/12/2007, -0/+1
I use IPCop for my internet firewall. It is running on its own dedicated (486) box though. A hardware firewall/NAT router is always a better bet than any software only solution, even Smoothwall/IPCop.
Just about any off the shelf wireless / wired router appliance with NAT will do the trick if configured properly.
At that point a software firewall on hosts is pretty optional. I think the Windows FW is fine in that scenario. ipfw on Mac/Linux is more than fine.

- cfish, on 10/12/2007, -1/+2
Who really uses ICS anyways?? I mean really, if you're going to have an Internet connection and want to use more than one computer on your network, I would be using either a switch or router.
- Skullpop, on 10/12/2007, -1/+1
Once the Windows firewall is up, what's your line of defense anyway? It's basically a 'Please go away' sign.. Always install a third party firewall.

- cfish, on 10/12/2007, -1/+1
Okay, but to reiterate my point, you would NOT be using ICS if you were utilizing a switch or a router to share your network connection in most case scenarios. Yes, I agree there are still many vulnerabilities *inside* the LAN and I would have to add your NIC card is a big security hole as well :)

- inactive, on 10/12/2007, -2/+2
Smoothwall and IPCop are far better alternatives to ICS.

- Boondoggle, on 10/12/2007, -2/+2
"OS X wouldn't be needing a firewall though, would it?"
Or the anti-virus.

- Skullpop, on 10/12/2007, -2/+2
Dupswap.. OS X wouldn't be needing a firewall though, would it? - Apple's built in firewall is capable of protecting a system, you see.
- Nexus7, on 10/12/2007, -1/+0
Way to hype an inconsequential bug...
http://sunbeltblog.blogspot.com/2006/10/perhaps-sadly-for-some-its-not-really_31.html

- fronkman, on 10/12/2007, -2/+1
"yeah, i mean who cares if it has a security hole? i mean, it's not like anyone ever uses that feature."
lowball standards like that are what keep microsoft in the business of providing poorly written software. i just don't get why people put up with windows. i truly believe the worst argument is that they have proprietary software that "depends" on windows.
i am borrowing an argument i read elsewhere, but if you have to use windows because your company depends on an 8 year old program that was hacked together, you absolutely can not claim that the major advantage of windows is the great "software selection."
i know it is just a philosophy difference, but it seems to me that it would make more sense to just bite the bullet and rewrite software. honestly, i have seen this firsthand. companies balk at the one-time cost of paying for the development of software, but don't realize they are slowly hemorrhaging a far greater amount of money by continuing to support that ancient crap.
i used to work for a place where we had to figure out how to get a 16-bit program written in the early days of win95 which wanted to communicate via token link to talk to our gigabit ethernet network. the solution was to slowly purchase token link cards (which are damn-near impossible to get anymore) for each machine that needed to use the program. we then had to get token link switches (on ebay, nonetheless) to support these connections. however, since the other apps were on the ethernet network we had to have a second ethernet NIC in the machines. this means we had to add to the total cost of the project a budget for maintaining TWO corporate networks. sure it cost less initially. i mean the token ring cards were 60 bucks each, for about 200 computers. much cheaper than the $50,000 we were quoted for the rewrite. however, over the last two years the equipment and personnel costs associated with the double network have far outstripped the costs of just rewriting the program.
on the other hand, i am more personally responsible for the macs here. (which oddly run on a THIRD network, but that is another story). we moved all 75 machines over to the intel based machines over the summer. before that move, we talked with the managers and told them that any program that was not a universal binary would have to either be updated or a different software package needed to be put into place. two months later, the whole shop was running UB and we made the move. cost more upfront, but will save big bucks later.
point is, i just don't get the windows guys.

- tavisjohn, on 10/12/2007, -4/+3
Simple solution: everyone get ZoneAlarm FREE and disable the Windows Firewall!
Problem Solved!

- chubbymidget, on 10/12/2007, -3/+2
Wouldn't this impact true users that have cable and DSL modems connected directly to their computer and not using any router or NAT'ing?
I'm sure there are as many users not using routers as there are using them.

- msgyrd, on 10/12/2007, -9/+5
But it doesn't bother you that it exists? Windows users are so plagued by security problems that I guess "small" threats just get glossed over.
I guess it's also acceptable that my car will suddenly catch on fire and kill me, but only if I drive down my town's Main St. in reverse on a Tuesday. Is it likely? No, but it doesn't mean I should accept it.

- ajhaji, on 10/12/2007, -28/+12
I think the credibility of this article can be questioned solely on the fact that it's called "Internet Connection Sharing" and not "Internet Connection Service".