Information Security News mailing list archives

XP Hole Plagues All Similar Apps


From: InfoSec News <isn () c4i org>
Date: Fri, 21 Feb 2003 04:57:04 -0600 (CST)

http://www.wired.com/news/infostructure/0,1377,57739,00.html

By Michelle Delio
Feb. 20, 2003 

A significant security flaw was discovered in Microsoft software this
week, but this time Microsoft isn't to blame. Well, not completely.

The most recent security problem uncovered in a Microsoft product is a
genuine threat, security experts say, but it isn't a problem
particular to the Windows XP operating system.

The producers of the Brian's Buzz on Windows newsletter discovered that
booting an XP system from a Windows 2000 CD lets the user start the
Windows 2000 Recovery Console, a command-line troubleshooting program.
Once the Recovery Console is running, the computer's uninvited guest has
full access to the files on the disk without ever being asked for a
password, which XP's own Recovery Console would normally demand before
granting that access.

The intruder can also get at the files of any other user account on the
XP machine, again without a password, and can copy files from the hard
drive onto removable media, something Windows 2000's own Recovery
Console refuses to do by default even for a legitimately authenticated
administrator.

But this same basic problem applies to many operating systems,
including non-Microsoft systems. Once someone with bad intentions gets
his hands on a computer, precious few technical safeguards will keep
him from having his way with that machine.

"People assume that logging in with a password protects the contents
of their computer," said network security consultant Mike Sweeny of
PacketAttack. "Good passwords are important, but they are not a
complete defense, especially when someone can get his hands on your
machine. An operating system password, at least on most systems, can
be reset in about five minutes."

Jim Cullinan, lead product manager for Microsoft Windows Desktop,
agreed that the most technically guarded computer is at risk if a
would-be attacker can physically tap its keyboard.

"The problem (with the XP/2000 boot issue) is that an attacker has
gained complete physical control of a machine, and then booted that
machine using an operating system other than the one that is
controlling access to the files on the system," Cullinan said.

"In this case the attacker used a Windows 2000 recovery console disk,
but the attack could as easily have been accomplished with a disk that
contained another operating system. As long as the attacker has
physical control of the machine, he or she has the power to launch any
operating system of his or her choice."

Still, said security experts, the access afforded to attackers or
snoops who manage to boot up a Windows XP system with a Windows 2000
CD is troubling.

"Any way you slice it, if you're smart enough and have physical access
to the system you can bypass most types of security," said Ken Pfeil,
a security consultant at Avaya. "But a slip-up like this just makes it
all the more trivial to completely circumvent XP's existing security
mechanisms."

In addition to taking obvious physical security measures -- such as
not leaving computers unsupervised or unprotected -- Microsoft's
Cullinan recommended setting a BIOS password, which can stop an
unauthorized person from booting the system at all.

Cullinan also suggested disabling the ability to boot from a CD or
floppy at the BIOS level, so that the installed operating system is the
only one the machine will load. Both settings live in the machine's
CMOS memory and can be cleared by anyone able to open the case and pull
the battery or move a jumper, so they raise the bar for an attacker
rather than remove the need to physically secure the hardware.

But some systems administrators, faced with ever-dwindling staffs, are
loath to take this step. Many rely on being able to quickly fix, or at
least start up, ailing machines by booting off a system disk.

"I just messenger over a boot disk to executives who have messed up
their machines by downloading yet another cute desktop add-on," said
Vince Puliafico, a systems manager for a Manhattan advertising firm.  
"Now that the word is out, I'll have to disable diskette boot, which
sucks because it made my life easier."

Cullinan also advised using Syskey (a Windows utility that encrypts the
password hashes stored in the SAM database) with an offline, or
boot-time, password: in that mode the key that unlocks the SAM is
derived from a password typed at startup rather than being stored on
the disk, so Windows cannot be started by an unauthorized person.

And XP's Encrypting File System (EFS) can prevent unauthorized access
to file contents even if an attacker gains unrestricted access to the
machine and disk drives, Cullinan said: the files stay ciphertext on
disk and can be read only with the owner's key or that of a designated
recovery agent.

But, Pfeil warned, "under the right circumstances even the encrypting
file system won't help you."

"If the system is a member of a workgroup and not a domain, you can
just change the user's password that the file was encrypted under,"  
Pfeil said. "Then you can log on as that user having access to the
encrypted file."

Pfeil said disabling a computer's ability to boot from other media and
password-protecting the BIOS are the only ways to mitigate the
problem.

Sweeny also advised encrypting the entire hard drive with a strong
full-disk encryption utility, so that nothing on the disk, the operating
system included, can be read without the passphrase.

"My XP laptop has a 1,024-bit-level encryption," he said. "It's the
very first thing that boots and requires a password to decrypt it on
the fly. If you try to boot off a CD all you get is gibberish."
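The host-side mitigations the article names (Syskey in startup-password mode, EFS on user data, full-disk encryption, and Pfeil's workgroup-versus-domain caveat) can be audited from inside Windows. The script below is an added example, not code from the article or from any of the people quoted in it. It assumes Windows PowerShell 3.0 or later run from an elevated prompt, uses the documented Syskey mode value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot (absent on Windows 10 1709 and later, where Syskey was removed), and treats the directory passed in `$ProtectedDir` (a constructed default) as the data that should be EFS-encrypted. The BIOS password and boot-order settings cannot be read from the operating system and still need a hands-on check at the firmware setup screen.

```powershell
# Added example (not from the article): audit the host-side defences the article
# recommends against an attacker who boots the machine from other media.
# Assumes Windows PowerShell 3.0+ and an elevated prompt.
function Test-PhysicalAccessMitigations {
    param(
        # Directory whose files should be EFS-encrypted (constructed default).
        [string]$ProtectedDir = "$env:USERPROFILE\Documents"
    )
    $findings = @()

    # 1. Syskey mode, from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot:
    #    1 = key stored on the local disk (default; an offline attacker can still
    #        decrypt the SAM), 2 = startup password required before Windows loads
    #        (Cullinan's "offline password"), 3 = key kept on a floppy.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    switch ($lsa.SecureBoot) {
        2       { $findings += 'Syskey: startup password required (OK)' }
        3       { $findings += 'Syskey: key on removable disk (OK if the disk is stored separately)' }
        1       { $findings += 'Syskey: key stored locally (WEAK: SAM recoverable by an offline attacker)' }
        default { $findings += 'Syskey: mode not readable (feature absent from this Windows build?)' }
    }

    # 2. Workgroup vs domain. Pfeil's caveat: on a workgroup machine an attacker with
    #    disk access can reset the local password and then log on as that user.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "Identity: domain member of $($cs.Domain)"
    } else {
        $findings += 'Identity: workgroup machine (WEAK: local password reset is the EFS bypass Pfeil describes)'
    }

    # 3. EFS coverage: count files under the protected directory that lack the
    #    Encrypted attribute. cipher.exe /e /s:<dir> encrypts a tree in place.
    if (Test-Path -Path $ProtectedDir) {
        $files = @(Get-ChildItem -Path $ProtectedDir -File -Recurse -ErrorAction SilentlyContinue)
        $plain = @($files | Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
        if ($files.Count -eq 0) {
            $findings += "EFS: $ProtectedDir contains no files"
        } elseif ($plain.Count -eq 0) {
            $findings += "EFS: all $($files.Count) files under $ProtectedDir are encrypted (OK)"
        } else {
            $findings += "EFS: $($plain.Count) of $($files.Count) files under $ProtectedDir are NOT encrypted"
            $findings += "     fix with: cipher /e /s:`"$ProtectedDir`""
        }
    } else {
        $findings += "EFS: $ProtectedDir does not exist"
    }

    # 4. Full-volume encryption of the system drive. On XP this meant a third-party
    #    product, as in Sweeny's quote; on Vista and later BitLocker reports here.
    if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $findings += "Disk encryption: $env:SystemDrive BitLocker protection is $($vol.ProtectionStatus)"
    } else {
        $findings += 'Disk encryption: no BitLocker cmdlets; verify any third-party full-disk product by hand'
    }

    # 5. What cannot be checked from here: BIOS password and boot-device order.
    $findings += 'BIOS: password and boot-order settings must be confirmed at the firmware setup screen'

    return $findings
}

Test-PhysicalAccessMitigations
```

Run it on a machine you want to assess; each line of output marks one of the article's mitigations as in place, missing, or needing a manual check. Lines tagged WEAK are the conditions under which the boot-from-CD attack, or Pfeil's password-reset variant, still succeeds.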



-
ISN is currently hosted by Attrition.org