Computer Security - Security Hole: Windows Internet Connection Firewall

#1

If you are using Microsoft's Built-in Internet Connection Firewall, you might want to read this...

http://www.habaneronetworks.com/viewArticle.php3?ID=51

--
Jay Calvert
http://habaneronetworks.com

Jay Calvert

#2

From the article:

"Imagine this scenario, your computer is blocked from the Internet with the Firewall enabled, hiding you from all the nasties out there. You get an email, (which is still allowed through), it contains a virus. The first thing this virus does upon execution is disable the firewall. Secondly, it notifies the VXer (Virus Writer) that your machine is wide open. They now can get to your computer and do with it what they feel like."

Opinions may vary, but I hardly consider that a hole in the firewall.

--
Dave "Crash" Dummy - A weapon of mass destruction
?subject=Techtalk (Do not alter!)
http://lists.gpick.com

"Crash" Dummy

#3

In article <>, says...
> From the article:
>
> "Imagine this scenario, your computer is blocked from the Internet with the Firewall enabled, hiding you from all the nasties out there. You get an email, (which is still allowed through), it contains a virus. The first thing this virus does upon execution is disable the firewall. Secondly, it notifies the VXer (Virus Writer) that your machine is wide open. They now can get to your computer and do with it what they feel like."
>
> Opinions may vary, but I hardly consider that a hole in the firewall.

Actually, if the email were to infect you, and you were behind a properly configured firewall device, the outbound traffic might not be stopped, but they would certainly not find your machine "wide open", in fact, if you were behind a firewall device they could not disable it, and would only be able to contact your infected computer by having the infected computer phone home for instructions.

Additionally, even if infected, the computer, from behind a firewall device, might not be able to do any real harm, since SMTP would be limited to only the ISP/Mail Server, file/sharing ports would not be permitted outbound, and only simple services like HTTP, HTTPS, DNS requests, etc... would be permitted outbound.

So, even with a simple NAT device, you can thwart many of the compromised systems, even block the outbound ports they spread through in many cases, and you get to sleep better at night.

Relying on personal firewall application running on a used machine, one where the user interacts with the desktop on a routine basis, is just asking for trouble.

--
--
(Remove 999 to reply to me)

Leythos

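The outbound policy described in the post above (SMTP only to the ISP mail server, no file-sharing ports outbound, HTTP/HTTPS/DNS allowed), written out as a flow check. This is an added example, not part of the original thread; the relay address, the file-sharing port list and the sample flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed for the example: the ISP relay address and the sample flows below.
ISP_MAIL_SERVER = ipaddress.ip_address("192.0.2.25")
ALLOWED_ANYWHERE = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)}
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}  # RPC, NetBIOS, SMB

def egress_decision(proto, dst_ip, dst_port):
    """Return (action, reason) for one outbound connection attempt."""
    if dst_port in FILE_SHARING_PORTS:
        return "deny", "file-sharing port outbound"
    if (proto, dst_port) == ("tcp", 25):
        if ipaddress.ip_address(dst_ip) == ISP_MAIL_SERVER:
            return "allow", "SMTP to ISP mail server"
        return "deny", "SMTP to a host other than the ISP mail server"
    if (proto, dst_port) in ALLOWED_ANYWHERE:
        return "allow", "HTTP/HTTPS/DNS"
    return "deny", "not on the outbound allow list"

def hosts_to_investigate(flow_lines):
    """Map each internal host to the set of reasons its traffic was denied."""
    denied = defaultdict(set)
    for line in flow_lines:
        src, proto, dst, port = line.split()
        action, reason = egress_decision(proto, dst, int(port))
        if action == "deny":
            denied[src].add(reason)
    return dict(denied)

# Constructed flow records in the form "src proto dst dport".
SAMPLE_FLOWS = [
    "192.168.1.10 tcp 198.51.100.8 443",
    "192.168.1.10 tcp 192.0.2.25 25",
    "192.168.1.20 tcp 203.0.113.7 25",
    "192.168.1.20 tcp 203.0.113.9 445",
    "192.168.1.20 udp 192.0.2.53 53",
    "192.168.1.30 tcp 203.0.113.50 6667",
]

if __name__ == "__main__":
    for host, reasons in sorted(hosts_to_investigate(SAMPLE_FLOWS).items()):
        print(host, sorted(reasons))
```

Traffic a compromised host sends over the permitted HTTP, HTTPS or DNS ports passes this policy, which matches the post's point that outbound traffic might not be stopped.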
#4

MS published how to silently disable the firewall for SP2 in their API documentation before the service pack was ever released

"Jay Calvert" <> wrote in message news:XLCbd.2906$cr4.973@edtnps84...
> If you are using Microsoft's Built-in Internet Connection Firewall, you
> might want to read this...
>
> http://www.habaneronetworks.com/viewArticle.php3?ID=51
>
> --
> Jay Calvert
> http://habaneronetworks.com

John E. Carty

#5

Yes. Registry settings and using the SC.EXE command to disable the ICS/ICF Service.

I used this technique for installing WinXP SP2 because our MIS/IS central office indicated the FireWall *must* be disabled.

Dave

"John E. Carty" <> wrote in message news:2_Cdnd4HLaaalvLcRVn-...
| MS published how to silently disable the firewall for SP2 in their API
| documentation before the service pack was ever released
|
| "Jay Calvert" <> wrote in message
| news:XLCbd.2906$cr4.973@edtnps84...
| > If you are using Microsoft's Built-in Internet Connection Firewall, you
| > might want to read this...
| >
| > http://www.habaneronetworks.com/viewArticle.php3?ID=51
| >
| > --
| > Jay Calvert
| > http://habaneronetworks.com

David H. Lipman

#6

Yet another reason to push the concept of 'security in depth'.

David

"Jay Calvert" <> wrote in message news:XLCbd.2906$cr4.973@edtnps84...
> If you are using Microsoft's Built-in Internet Connection Firewall, you
> might want to read this...
>
> http://www.habaneronetworks.com/viewArticle.php3?ID=51
>
> --
> Jay Calvert
> http://habaneronetworks.com

David Fosdike

#7

the article was interesting, but there was one small detail the writer failed to point out properly--this concept only works if someone opens an email attachment without first taking the necessary precautions to make sure it is clean--true there are a lot of silly people in the world who don't take the time, nor do they consider the consequences of opening email attachments without scanning--this is the primary reason virus writers are still active.

However, anyone with any type of common sense--(1) won't open an attachment without first scanning it, (2) won't use a computer without a decent firewall, and (3) won't publish the details of their security countermeasures.

When everyone uses proper countermeasures against these virus writers--they will get a real job and stop trying to trash that which does not belong to them.

Until that day though we will have to continue this real life chess game with the virus writers trying to outmaneuver those who are engaged in protecting our systems from their scourge.

"David Fosdike" <> wrote in message news:416f11d7$0$41374$...
> Yet another reason to push the concept of 'security in depth'.
>
> David
>
> "Jay Calvert" <> wrote in message
> news:XLCbd.2906$cr4.973@edtnps84...
> > If you are using Microsoft's Built-in Internet Connection Firewall, you
> > might want to read this...
> >
> > http://www.habaneronetworks.com/viewArticle.php3?ID=51
> >
> > --
> > Jay Calvert
> > http://habaneronetworks.com

me

#8

"Jay Calvert" <> wrote in message news:XLCbd.2906$cr4.973@edtnps84...
> If you are using Microsoft's Built-in Internet Connection Firewall, you
> might want to read this...
>
> http://www.habaneronetworks.com/viewArticle.php3?ID=51

This may come as a shock to you, but.. once you have completely compromised a machine (your basic assumption), then you can do whatever you like to it.

Turn it off, for instance. Or maybe erase the HDD (as was being done a couple of decades ago)

Or (assuming that the XP Firewall is pretty much a config GUI for the stuff that's been there since NT 3.0 in the early nineties), open a specific port that leaves the firewall running but allows access via a Trojan, or similar.

Running everything on a single box is, by its very nature, a compromise. You compromise performance (quite a bit, with certain packages), convenience (having to "ZAP" those damn pop-ups ;o), and security. It's better than nothing, but not even close to best practise.

--
Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily reflect the opinions of the highly-opinionated person expressing the opinion in the first place. So there!

Hairy One Kenobi

#9

On Thu, 14 Oct 2004 20:46:23 -0400, "me" <> wrote:

>However, anyone with any type of common sense--(1) won't open an attachment
>without first scanning it,

######################

I would like to take that one step further. There are many malicious VB scripts that read a person's address book and send the worm/virus to those addresses, one assumes many times that it was sent from a friend, so they open it. The only way I open an attachment is if I communicate w/ someone and pre-arrange the sending of an attachment.

My sister clicked on one of those worms and it was sent to my brothers, my father and myself. One of my brothers clicked on it and was infected. My father who is in his 80s knew better and saved himself some trouble. Who said that you can't teach an old dog new tricks?

donnie

donnie

#10

In article <R4Fbd.1025$>, me wrote:

>the article was interesting, but there was one small detail the writer
>failed to point out properly--this concept only works if someone opens an
>email attachment without first taking the necessary precautions to make sure
>it is clean--true there are a lot of silly people in the world who don't take
>the time, nor do they consider the consequences of opening email attachments
>without scanning--this is the primary reason virus writers are still active.

Social Engineering - Because there's no patch for human stupidity.

>However, anyone with any type of common sense--(1) won't open an attachment
>without first scanning it, (2) won't use a computer without a decent
>firewall, and (3) won't publish the details of their security
>countermeasures

--------------------
>"I think when people get on the Internet their common
>sense may be weakened if not suspended."
> -- Charles Harwood, regional director of the
> Federal Trade Commission's Seattle office.

"The Internet is the most powerful stupidity amplifier ever invented.
It's like television without the television part."
-- James "Kibo" Parry
--------------------

As to your point three - I'll tell you exactly what my security setup for mail is - I don't use a f*cking web browser. I'm really not interested in seeing mail with your idea of fonts and colors and pictures. Remember the DOS command 'type'? That's pretty close to the capability of the tool I use to read mail.

The tool that I use to receive mail from the POP server automatically deletes HTML mail, mail with ANY attachments, and mail in character sets that I don't use. Mail claiming to come from friends, but not coming from the mail servers they would use is quarantined on the server, and I'm shown only the headers. If I don't like what I see, it's gone.

>When everyone uses proper countermeasures against these virus writers--they
>will get a real job and stop trying to trash that which does not belong to
>them.

You are assuming that writing viruses isn't their real job, and that there are other real jobs in their area that they may be capable of doing. Big assumptions. Many viruses are just cut-and-paste jobs of existing code such as demonstrations, or earlier exploits that Microsoft can be bothered fixing until they can sell it as a new version.

>Until that day though we will have to continue this real life chess game
>with the virus writers trying to outmaneuver those who are engaged in
>protecting our systems from their scourge.

Or you could bite the bullet, and get rid of Outlook Express. Microsoft continues to build crap for sheep, because the sheep are stupid enough not to demand better. Your choice.

Old guy

Moe Trin

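A sketch of the mail triage rules described in the post above (delete HTML mail, mail with any attachment and mail in unused character sets; quarantine mail that claims to come from a friend but did not arrive via that friend's mail server). This is an added example, not the poster's tool or code from the thread; the accepted charsets, the friend-to-relay map, the `triage` and `make` names and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: accepted charsets and the friend-to-relay map.
ACCEPTED_CHARSETS = {"us-ascii", "iso-8859-1"}
FRIEND_RELAYS = {"alice@example.org": "mail.example.org"}

def triage(raw):
    """Return 'delete', 'quarantine' or 'deliver' for one raw message."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            return "delete"      # mail with any attachment
        if part.get_content_type() != "text/plain":
            return "delete"      # HTML or any other non-plain-text body
        if (part.get_content_charset() or "us-ascii") not in ACCEPTED_CHARSETS:
            return "delete"      # character set the reader does not use
    sender = parseaddr(msg.get("From", ""))[1].lower()
    expected = FRIEND_RELAYS.get(sender)
    if expected:
        # The topmost Received header is the one the reader's own server added.
        # Simplification: trust its "from" name; a real filter checks the IP.
        top = (msg.get_all("Received") or [""])[0]
        m = re.match(r"\s*from\s+(\S+)", top)
        if not m or m.group(1).lower() != expected:
            return "quarantine"  # claims to be a friend, wrong mail server
    return "deliver"

def make(sender, relay, ctype="text/plain", extra=""):
    """Build one constructed sample message (not real mail)."""
    return (f"Received: from {relay} by pop.example.net; Thu, 14 Oct 2004\n"
            f"From: {sender}\nContent-Type: {ctype}\n{extra}\nhello\n")
BOB = ("bob@example.com", "smtp.example.com")
ALICE = "Alice <alice@example.org>"
SAMPLES = {
    "plain": make(*BOB),
    "html": make(*BOB, ctype="text/html"),
    "charset": make(*BOB, ctype="text/plain; charset=koi8-r"),
    "attach": make(*BOB, extra='Content-Disposition: attachment; filename="a.scr"\n'),
    "friend_ok": make(ALICE, "mail.example.org"),
    "friend_bad": make(ALICE, "dsl-7.example.invalid"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {triage(raw)}")
```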