[ISN] XP Hole Plagues All Similar Apps

From: InfoSec News (isnat_private)
Date: Fri Feb 21 2003 - 02:57:04 PST

  • Next message: InfoSec News: "[ISN] Preventing Syslog Denial of Service attacks."

    By Michelle Delio
    Feb. 20, 2003 
    A significant security flaw was discovered in Microsoft software this
    week, but this time Microsoft isn't to blame. Well, not completely.
    The most recent security problem uncovered in a Microsoft product is a
    genuine threat, security experts say, but it isn't a problem
    particular to the Windows XP operating system.
    The producers of Brian's Buzz on Windows newsletter discovered that
    booting an XP system off a Windows 2000 CD allows the user to start
    the Windows 2000 Recovery Console, a troubleshooting program. Once
    Recovery is active, the computer's uninvited guest has complete access
    to the contents of the computer without ever having to enter a
    The intruder can also gain access to any other user accounts present
    on the XP machine, again sans password, and can copy files from the
    hard drive onto removable media, an activity that is not allowed under
    Windows 2000, even when a presumably valid administrator is using the
    recovery console.
    But this same basic problem applies to many operating systems,
    including non-Microsoft systems. Once someone with bad intentions gets
    his hands on a computer, precious few technical safeguards will keep
    him from having his way with that machine.
    "People assume that logging in with a password protects the contents
    of their computer," said network security consultant Mike Sweeny of
    PacketAttack. "Good passwords are important, but they are not a
    complete defense, especially when someone can get his hands on your
    machine. An operating system password, at least on most systems, can
    be reset in about five minutes."
    Jim Cullinan, lead product manager for Microsoft Windows Desktop,
    agreed that the most technically guarded computer is at risk if a
    would-be attacker can physically tap its keyboard.
    "The problem (with the XP/2000 boot issue) is that an attacker has
    gained complete physical control of a machine, and then booted that
    machine using an operating system other than the one that is
    controlling access to the files on the system," Cullinan said.
    "In this case the attacker used a Windows 2000 recovery console disk,
    but the attack could as easily have been accomplished with a disk that
    contained another operating system. As long as the attacker has
    physical control of the machine, he or she has the power to launch any
    operating system of his or her choice."
    Still, said security experts, the access afforded to attackers or
    snoops who manage to boot up a Windows XP system with a Windows 2000
    CD is troubling.
    "Any way you slice it, if you're smart enough and have physical access
    to the system you can bypass most types of security," said Ken Pfeil,
    a security consultant at Avaya. "But a slip-up like this just makes it
    all the more trivial to completely circumvent XP's existing security
    In addition to taking obvious physical security measures -- such as
    not leaving computers unsupervised or unprotected -- Microsoft's
    Cullinan recommended using BIOS passwords, which can prevent an
    unauthorized person from booting a system.
    Cullinan also suggested disabling the ability to boot from a CD or
    floppy at the BIOS level.
    But some systems administrators, faced with ever-dwindling staffs, are
    loath to take this step. Many rely on being able to quickly fix, or at
    least start up, ailing machines by booting off a system disk.
    "I just messenger over a boot disk to executives who have messed up
    their machines by downloading yet another cute desktop add-on," said
    Vince Puliafico, a systems manager for a Manhattan advertising firm.  
    "Now that the word is out, I'll have to disable diskette boot, which
    sucks because it made my life easier."
    Cullinan also advised using Syskey (a Windows utility that encrypts
    stored passwords) with an offline password to prevent the Windows
    operating system from being launched by an unauthorized person.
    And XP's encrypting file system can prevent unauthorized access to
    file contents even if an attacker gains unrestricted access to the
    machine and disk drives, Cullinan said.
    But, Pfeil warned, "under the right circumstances even the encrypting
    file system won't help you."
    "If the system is a member of a workgroup and not a domain, you can
    just change the user's password that the file was encrypted under,"  
    Pfeil said. "Then you can log on as that user having access to the
    encrypted file."
    Pfeil said disabling a computer's ability to boot from other media and
    password-protecting the BIOS are the only ways to mitigate the
    Sweeny also advised encoding the entire hard drive with a strong
    encryption utility.
    "My XP laptop has a 1,024-bit-level encryption," he said. "It's the
    very first thing that boots and requires a password to decrypt it on
    the fly. If you try to boot off a CD all you get is gibberish."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 05:18:10 PST