[ISN] Windows Firewall flaw may hide open ports

From: InfoSec News (isn@private)
Date: Fri Sep 02 2005 - 03:49:35 PDT


http://news.com.com/Windows+Firewall+flaw+may+hide+open+ports/2100-7355_3-5845850.html

By Joris Evers 
Staff Writer, CNET News.com
September 1, 2005

A flaw in Windows Firewall may prevent users from seeing all the open
network ports on a Windows XP or Windows Server 2003 computer.

The flaw manifests itself in the way the security application handles
some entries in the Windows Registry, Microsoft said in a security
advisory published Wednesday. The Windows Registry stores PC settings
and is a core part of the operating system.

The bug could allow a firewall port to be open without the user being
informed through the standard Windows Firewall user interface,
according to the Microsoft advisory. The company has released a fix
that can be downloaded from Microsoft's Web site and will be part of a
future Windows service pack, the company said.

Microsoft said the firewall issue is not a security vulnerability but
said the flaw could be used by an attacker who already compromised a
system in an attempt to hide exceptions in the firewall.
 
Previous Next For example, miscreants who have penetrated a computer
could create and hide a firewall exception by inserting a malformed
Windows Firewall exception entry in the Windows Registry. "An attacker
who already compromised the system would create such malformed
registry entries with the intent to confuse a user," Microsoft said.

Like other firewall software, Windows Firewall is meant to block
incoming traffic to a computer. Users can allow incoming connections
by creating exceptions. Windows Firewall displays these exceptions in
the firewall UI, which can be reached by going to the Windows Control
Panel and selecting Windows Firewall.

PC users can view all firewall exceptions--including those the
unpatched Windows Firewall doesn't see--through other tools, Microsoft
notes. Typing "netsh firewall show state verbose = ENABLE" at a
command prompt will display all active exceptions, the company said in
its advisory.

Copyright ©1995-2005 CNET Networks, Inc.



_________________________________________
Attend ToorCon 
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org 



This archive was generated by hypermail 2.1.3 : Fri Sep 02 2005 - 03:58:18 PDT