Re: Windows Firewall Has A Backdoor

[Chris Wysopal <weld () vulnwatch org>]

On Sat, 19 Feb 2005, Jay Calvert wrote:

> By adding a new key to the registry in
> HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List
> you can circumvent the whole purpose of the firewall with out the users
> interaction or knowledge.  Spyware / Adware manufacturer's are already
> do this.

This is not a backdoor or vulnerability. The default permissions on this
key are Full Control for SYSTEM and Administrators and Read for Users.
The Administrator should be able to configure the firewall to allow
programs to connect outbound.

The security problem that has created the spyware malaise on Windows is
the default Windows installation for home users, which creates the user's
named account in the Administrators group.  When this account is used to
browse the internet there is no protection to prevent spyware/malware from
bypassing security mechanisms, such as the XP SP2 firewall, by exploiting
vulnerabilities or tricking the user.

The advent of spyware/malware using NT rootkit technology to hide from AV
and Anti-spyware programs will force Microsoft to change to an
installation where there are 2 accounts, one for administration and a
low permission one for browsing the internet. This has been the standard
for Linux and OS X for years.

-Chris