Bugtraq mailing list archives
Re: Windows Firewall Has A Backdoor
From: Chris Wysopal <weld () vulnwatch org>
Date: Mon, 21 Feb 2005 15:42:08 -0500 (EST)
On Sat, 19 Feb 2005, Jay Calvert wrote:
> By adding a new key to the registry in HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List you can circumvent the whole purpose of the firewall without the user's interaction or knowledge. Spyware / Adware manufacturers are already doing this.

This is not a backdoor or vulnerability. The default permissions on this key are Full Control for SYSTEM and Administrators and Read for Users. The Administrator should be able to configure the firewall to allow programs to connect outbound.

The security problem that has created the spyware malaise on Windows is the default Windows installation for home users, which creates the user's named account in the Administrators group. When this account is used to browse the internet there is no protection to prevent spyware/malware from bypassing security mechanisms, such as the XP SP2 firewall, by exploiting vulnerabilities or tricking the user.

The advent of spyware/malware using NT rootkit technology to hide from AV and Anti-spyware programs will force Microsoft to change to an installation where there are 2 accounts, one for administration and a low permission one for browsing the internet. This has been the standard for Linux and OS X for years.

-Chris
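
An added example, not part of the original thread: because any process running as an Administrator can write to the AuthorizedApplications list, one defensive check is to review its entries against an approved baseline. The entry layout (path:scope:Enabled|Disabled:name), the sample entries, the baseline and the location hints are all assumptions constructed for illustration.

```python
# Constructed sample: value data as it might be exported from AuthorizedApplications\List.
# Assumed layout: <image path>:<scope>:<Enabled|Disabled>:<display name>
SAMPLE_ENTRIES = [
    r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Documents and Settings\user1\Local Settings\Temp\upd32.exe:*:Enabled:Update Service",
    r"C:\Tools\backup.exe:LocalSubNet:Disabled:Backup Agent",
]

# Hypothetical baseline of images the administrator has approved (lower-cased).
BASELINE = {
    r"%windir%\system32\sessmgr.exe",
    r"c:\program files\messenger\msmsgs.exe",
    r"c:\tools\backup.exe",
}

# Locations a non-admin user can normally write to (assumed hint list).
USER_WRITABLE_HINTS = (r"\documents and settings", r"\temp", "%temp%", "%appdata%")


def parse_entry(data):
    """Split from the right so the drive-letter colon stays inside the path."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4 or parts[2].lower() not in ("enabled", "disabled"):
        raise ValueError("unexpected entry layout: %r" % data)
    path, scope, state, name = parts
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def audit(entries, baseline):
    """Return (path, reasons) for every entry that deserves a closer look."""
    findings = []
    for data in entries:
        try:
            entry = parse_entry(data)
        except ValueError:
            findings.append((data, ["unparseable"]))
            continue
        path = entry["path"].lower()
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if any(hint in path for hint in USER_WRITABLE_HINTS):
            reasons.append("user-writable location")
        if reasons and entry["enabled"] and entry["scope"] == "*":
            reasons.append("enabled for any source address")
        if reasons:
            findings.append((entry["path"], reasons))
    return findings
```

Calling audit(SAMPLE_ENTRIES, BASELINE) flags only the constructed Temp-directory entry; the three baseline entries pass.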