Earlier this year Microsoft released a major security update for Windows XP, which was designed to strengthen the operating system’s defences against attack from viruses and hackers. One major part of the update was an improved version of its firewall software. Graham Cluley, senior technology consultant at antivirus firm Sophos, said the latest Bagle variants are designed to attack and disable Microsoft’s new firewall application.
“There is a window of opportunity when the system boots and loads the network and before the third party firewall becomes active. Windows firewall gives you good coverage during that time,” said Campbell.
Simple question to all the skilled windows users out there:
Why can MS’ own product launch before the network interface comes up while the competitors can not? Is their firewall so integrated into the kernel that MS would lose Intellectual Property and give up trade secrets by revealing this information? Just curious. Am I missing something here?
Because most Windows users run as root, the worm can do anything that the user can (for instance – disable the firewall). I use separate Limited/Admin accounts, but none of my tech-savvy friends do this.
Sometimes it is a major pain to install an app for a limited user account – it seems that many developers don’t know what this is – the apps try to save/change files in the app directory (rather than doing this in the user Application Data directory), mess with the system files after the install, etc.
We had this nasty critter get into some of our PC’s at work and it will disable older versions of AdAware among many other things.
I wonder how Bagle would try to disable the integrated firewall on the gigabit ethernet controller which comes with the nVidia nForce3 250 chipset based mobos.
Personally, I don’t trust the Windows firewall, so I rely on a third-party application to protect my machine. I’ve been using Norton Internet Security since I got this computer 10 months back. Never had it compromised, or caught a virus.
IMO, it’s an investment well worth the money. Info page @ http://www.symantec.com/sabu/nis/nis_pe/
@Anonymous
Yes – any third party firewall which replaces the IP stack of Windows can protect from the moment Windows loads the network functionality.
Checkpoint Firewall-1 is an example of this.
I doubt many “home user” type firewalls actually do this though.
‘A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.’
Seems every week I get reminded how true this is.
I’ve always taken the quote above to mean that firewalls are helpful but are misused as the end-all-to-beat-all security tool. A better tactic is to run fewer services and apps lowering the number of things that require protection; less is more.
A firewall, after all, doesn’t protect a network connection. A firewall is there to allow ports to be opened and managed; it is designed to make holes. If you fear that a system is in danger simply by being on a network, disable the network!
Case in point: If your web server application (say, on the default port 80) is not secure, having a firewall to block all ports *except* port 80 doesn’t protect the web server.
Why the HELL are people still running these email attachments? I hope we don’t have to go the ‘Linux way’ and make all .exe files non-executable by default just to idiot-proof the OS.
I hope we don’t have to go the ‘Linux way’ and make all .exe files non-executable by default just to idiot-proof the OS.
—–
That doesn’t really make any sense. Linux uses “executable attributes” instead of .exe extensions to denote that a file is supposed to be executed. Linux doesn’t have any policy of “no executable” files by default. The OS wouldn’t even run if this was the case.
Right, but the point is that Linux will not let you run an executable file that you introduce to the system without first turning on the executable attribute, yes? That is always the reason given to me why Linux can never have security issues like Windows, because you can’t launch email attachments by default. (And of course, we all know that executing email attachments is the only way to infect a system.)
I personally don’t trust _any_ software firewalls…period. Hardware is the only way to go, and they are dirt cheap now, and much easier to use than they used to be.
Downloaded binaries must be set executable by the user to run, but scripts are fair game. Simply run # source script.sh and the script can be run without executable permissions.
“Right, but the point is that Linux will not let you run an executable file that you introduce to the system without first turning on the executable attribute, yes? That is always the reason given to me why Linux can never have security issues like Windows, because you can’t launch email attachments by default. (And of course, we all know that executing email attachments is the only way to infect a system.)”
I think one reason Linux doesn’t have these… security problems regarding viruses from email attachments is that most Linux programs are distributed as source code. For example, suppose I make not a virus, but a cute little stupid program. An animation maybe. If I wanted to send it to a friend, I would create a bzip2 tarball of the source code and send it. Why? Because if I were to send an executable, it may not even run! On Linux, few libraries can be statically linked. So when Linux tried to run this executable, if the libraries aren’t in the system, then it won’t get very far. One of the benefits of sending source code is that you KNOW what you’re running! Yes, there could be malicious code within the source code that a quick glance could miss. But only a stupid Linux user would run such code as root!
Yes, it’s true a program needs the executable permission to run, but just because it’s Linux that is receiving the executable doesn’t mean it won’t run automatically. You’re assuming all Linux users have an MS Outlook-type of email client. It’s up to the client to decide what to do with attachments. I could easily have a Linux client that automatically sets attachments (or specific ones) as executable. Or… NOT!
There is also a way to send a program and have it keep its executable attribute, although it won’t auto-launch itself. Simply set the executable attribute, then put it in a tarball.
Of course you can run a shell script if you chmod it or if you choose to run it from the command line. But that is the point: you first have to do something to allow the script to run. And even if ‘Joe User’ does allow the script to be run, it can only hurt Joe User’s personal files in the *nix world. You can get Windows XP to behave this way, if you set up users so that they are not ‘admin by default’. So, if you have a superuser/admin that does allow a script to be run, it can do the same damage as Joe User on XP home edition.
For the attacker, it really is a ‘Window Of Opportunity’. I suspect that MS will be rather effective at closing these opportunities to trash Windows. But for now, the way Linux treats attachments is a great improvement over Windows.
Well you know as long as you don’t ‘idiot proof’ the system it’ll mean that tons of users will get rooted..
Not your problem, I hear? Well, except when someone uses those boxes as zombies for launching a DDOS against you: against a well-executed DDOS, there is little that you can do..
No, the problem is that I’m not sure that not having attachments executable is enough to be ‘idiot proof’: I remember viruses that compress the attachment as an encrypted zip to be safe against virus-checkers; they provide the password in the mail to uncompress the attachment and people get rooted!!
Very few things are idiot-proof 🙁
I personally don’t trust _any_ software firewalls…period. Hardware is the only way to go, and they are dirt cheap now, and much easier to use than they used to be.
I don’t trust hardware firewalls. They’re difficult to configure and you always find out later that some ports have been opened or admin login has been exposed. Cheap hardware firewalls are extremely poor. Only when you get to the expensive stuff are they anywhere near good, but then it’s just less expensive to have a cheap Linux/BSD server doing the job.
Then there’s the question of what hardware firewall manufacturers have done to break your security…….
I wonder how Bagle would try to disable the integrated firewall on the gigabit ethernet controller which comes with the nVidia nForce3 250 chipset based mobos.
Well, the question of the in-built hardware firewall is how it is set up. I’m also assuming that it will have Windows-based software to configure it as well.
If you are on an internal network you need the flexibility to turn this thing off – is it off or on by default? Then you need the flexibility to allow users to use certain services. Once you do this your firewall is already full of holes like swiss cheese.
A firewall guarantees you nothing apart from a line of defence.
Anyway, I’m really, really shocked that an anti-virus/security company like Sophos would be telling you that even if you have XP SP2 you’re still very much at risk. Which you are incidentally – nothing has changed in SP2 apart from the fact that your computer runs twice as slow.
“nothing has changed in SP2 apart from the fact that your computer runs twice as slow.”
Rubbish. SP2 is, as these things go, a very good update which should have no impact on performance and significantly increase security on most XP boxes.
“Very few things are idiot-proof :-(”
You made me think of this quote:
“A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. (Douglas Adams)”
Probably one of my favourites. ^^
I hope we don’t have to go the ‘Linux way’ and make all .exe files non-executable by default just to idiot-proof the OS.
Too late. In the default installation of SP2, Outlook Express does not allow you to run an executable attachment, nor to save it to disk.
“Downloaded binaries must be set executable by the user to run, but scripts are fair game. Simply run # source script.sh and the script can be run without executable permissions.”
Actually, you can execute programs that aren’t marked executable in a similar fashion. Suppose we make a simple hello program:
$ echo '#include <iostream>
int main() { std::cout << "Hello World" << std::endl; }' > foo.cpp
$ make foo
g++ foo.cpp -o foo
$ ./foo
Hello World
Make the program non-executable with chmod, and try running it:
$ chmod a-x foo
$ ./foo
-bash: ./foo: Permission denied
Ok, so that’s what one would expect. But, similarly to the shell idea, you can still run the program using the Linux dynamic loader itself:
$ /lib/ld-linux.so.2 ./foo
Hello World
So, just clearing the executable bit really doesn’t help things. If a worm could call a local program somehow, then it can run arbitrary code, whether or not the code has been marked as executable. Just thought people might be interested…
Go a step further: if you don’t want any programs to execute in $HOME, period, just mount /home with noexec; that eliminates much of everything.
(If you really want to be paranoid)
-ShawnX
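As an added example that is not part of the thread, here is a small sh/awk check for the noexec hardening suggested above: it lists mounts under user-writable paths whose option list lacks noexec. It reads /proc/mounts-format text, so it can be fed a live /proc/mounts or the constructed sample embedded below.

```shell
# audit_noexec PREFIX... < mounts-file
# Prints "mountpoint options" for every mount at or below one of the given
# prefixes that does NOT carry the noexec option.
# /proc/mounts columns: device mountpoint fstype options dump pass
audit_noexec() {
    awk -v prefixes="$*" '
    BEGIN { n = split(prefixes, p, " ") }
    {
        mp = $2
        opts = "," $4 ","          # pad so ",noexec," matches a whole option
        for (i = 1; i <= n; i++) {
            under = (mp == p[i] || index(mp, p[i] "/") == 1)
            if (under && index(opts, ",noexec,") == 0) {
                print mp " " $4
                break
            }
        }
    }'
}

# Constructed sample in /proc/mounts format (not captured from a real host).
# /home is hardened with noexec; /tmp and the /home/shared submount are not.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /home/shared ext4 rw,relatime 0 0'

# Number of mounts under the given prefixes that still permit execution.
count_exec_allowed() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_noexec "$@" | wc -l | tr -d ' '
}

# Demo run against the constructed sample; on a real system use:
#   audit_noexec /home /tmp < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_noexec /home /tmp
```

Note that a noexec submount below a hardened parent (or a missing one, as with /home/shared here) is exactly what such a check is meant to catch; a plain chmod a-x on files gives no such guarantee, as the loader trick above shows.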
I wonder how Bagle would try to disable the integrated firewall on the gigabit ethernet controller which comes with the nVidia nForce3 250 chipset based mobos.
Same way the user can (I assume there’s some form of software control tool for it).
That doesn’t really make any sense. Linux uses “executable attributes” instead of .exe extensions to denote that a file is supposed to be executed. Linux doesn’t have any policy of “no executable” files by default. The OS wouldn’t even run if this was the case.
It’s worth pointing out that NTFS (and, by extension, NT) also has an “executable” file attribute and that removing it does, in fact, stop things from being executable in Windows.
Out of the box, my Linksys router scores a perfect ten on port scan tests via dslreports.com. I didn’t have to configure anything, and remote admin access is disabled by default. Even with port forwarding turned on for basic services (20, 21, 80…), I still get a clean scan. My point is that hardware > software… especially MS software. I feel much safer behind a hardware firewall, regardless of price. Of course, this only holds water for run of the mill home networks; I would never safeguard a large network w/ just a Linksys… but I would still have a hardware solution in place over a software one.
… if Microsoft were in fact to develop a totally secure system, think of how many people in the anti-virus industry would not be needed any more. As was just noted earlier, people rather invest in something that actually does what needs to be done, thus keeping Symantec in the anti-virus business.
I for one think we should cut Microsoft some slack. They are in fact helping our economy by providing for so many industries. If Microsoft ever got their act together and did things right, what would all those MCSE guys do; why would we need all these other people to get paid to clean up afterwards?
As some people who do it claim (me not being one of them) I leave this mess in the hall ’cause that’s what the janitor gets paid to deal with.