SecuriTeam - Microsoft Windows XP Firewall Default Configuration Vulnerability (SP2, Local Subnet)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet, this is due to a back in the way Microsoft's Firewall handles local subnets.

Credit:
The information has been provided by Nathan Fowler.
The original article can be found at: http://support.microsoft.com/kb/886185

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

This problem occurs because of the way that Windows Firewall interprets local subnets when the "My network (subnet) only" option is used. Windows Firewall is included with Windows XP SP2.

Because of the way that some dialing software configures routing tables, Windows Firewall in Windows XP SP2 can sometimes interpret the whole Internet to be a local subnet. This can let anyone on the Internet access the Windows Firewall exceptions. When the "My network (subnet) only" option is enabled, it is automatically selected for file and print sharing. Therefore, your shared drives can be unexpectedly revealed on the Internet when you use a dial-up connection.

Solution:
To resolve this problem, you must download and install the Critical Update for Windows XP: KB886185

After you install the Critical Update for Windows XP (KB886185), Windows Firewall will no longer interpret a dial-up network connection to be on your local subnet.

Specifically, any IP Route Table entry that has an IP address of 0.0.0.0 and has a mask of 0.0.0.0 will not be interpreted to be on the local subnet. This means that any port exceptions or program exceptions that use the "My network (subnet) only" option in Windows Firewall will not be available over a dial-up connection. You will still be able to access exceptions over a dial-up connection if you remove all scope restrictions, or if you create a custom scope for exceptions.

Subnets can be highly variable, depending on the network that they are connected to. Therefore, using the "My network" scope restriction does not guarantee security. We strongly recommend that you use the custom scope option when you want to make sure that no unwanted incoming traffic is permitted to pass through your firewall exceptions.

For more information about configuring Windows Firewall, visit the following Microsoft TechNet Web page: http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

	SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability
	Dojo Toolkit SDK Multiple DOM-Based XSS Vulnerabilities
	Microsoft Indeo Codec Memory Corruption Vulnerability
	HP DDMI Execution of Arbitrary Code
	Microsoft Windows License Logging Service Heap Corruption Vulnerability
	Microsoft Office Excel Code Execution Vulnerabilities
	Microsoft SharePoint 2007 ASP.NET Source Code Disclosure
	Microsoft Windows Local Security Authority Integer Overflow Vulnerability
	Windows Kernel Multiple Vulnerabilities
	Microsoft Windows ActiveX Indexing Service Memory Corruption Vulnerability
	Microsoft IIS FTP Service Code Execution and DoS Vulnerability
	Microsoft GDI+ Multiple Vulnerabilities
	Microsoft .NET Common Language Runtime Multiple Vulnereabilities
	Microsoft Active Template Library ActiveX Controls Multiple Vulnerabilities
	ActiveX Active Template Library Initialization Vulnerability