A significant new security flaw in Windows XP Service Pack 2 (SP2) has emerged that affects machines where the user logs in with administrator privileges.
The problem relates to the Windows Security Center (WSC) feature of SP2 that displays the status of installed firewalls, anti-virus programs and Windows updates. According to a report in the US PC Magazine, this indicator could be "spoofed" in such a way that it appeared to the user that updates had been applied or that security software was working when it was in fact turned off.
The key element needed is access to the system database that Security Center reads, reached through Microsoft's implementation of the Web-Based Enterprise Management (WBEM) standard, Windows Management Instrumentation (WMI), using ActiveX or web-based scripting. That access requires administrator rights.
An intruder program could then wait for a moment when protection was legitimately off, such as after updates have been applied but before the machine has been rebooted, turn the protection off and keep the indicator reporting that everything was normal.
The number of users at risk from this attack is hard to estimate, but the accounts created during Windows XP setup are administrators by default, so many unconfigured systems run this way.
A number of fixes suggest themselves, not least making it harder for malicious programs to read and monitor the recorded status of the installed firewall and anti-virus protection. According to PC Magazine, although such access is normally detected and blocked, a "casual" check can still obtain this information.
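The two conditions described above, an account with administrator rights and a Security Center record that can disagree with the real state of the firewall, can be checked from the machine itself. The following PowerShell script is an added illustration, not code from PC Magazine, Secunia or Microsoft. It assumes details the article does not state: that Security Center's product records live in the WMI namespace root\SecurityCenter on XP SP2 (root\SecurityCenter2 on Vista and later, where the class layout differs), and that the built-in Windows Firewall's on/off policy is the EnableFirewall value under the SharedAccess service's FirewallPolicy\StandardProfile registry key, with the firewall itself running as the SharedAccess service.

```powershell
# Added example (not from the article or PC Magazine). Assumed, not stated in
# the article: namespace root\SecurityCenter, class FirewallProduct, the
# EnableFirewall registry value and the SharedAccess service name.

function Test-IsAdministrator {
    # The spoof needs administrator rights; report whether this session has them.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ReportedFirewallStatus {
    # What Security Center has on record for third-party firewalls. This is the
    # store an admin-level program could alter; an empty result means only the
    # built-in Windows Firewall is in play.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct `
                              -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        New-Object PSObject -Property @{ Name = $p.displayName; Enabled = [bool]$p.enabled }
    }
}

function Get-ActualWindowsFirewallStatus {
    # Independent view: the firewall's own policy value and whether its service runs.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $value   = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    $service = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        PolicyEnabled  = ($value -ne $null -and $value.EnableFirewall -eq 1)
        ServiceRunning = ($service -ne $null -and $service.Status -eq 'Running')
    }
}

if (Test-IsAdministrator) {
    Write-Warning 'Running with administrator rights: the precondition for the spoof is met.'
} else {
    Write-Host 'Running as a limited user.'
}

$actual = Get-ActualWindowsFirewallStatus
Write-Host ('Windows Firewall policy enabled: {0}; service running: {1}' -f `
            $actual.PolicyEnabled, $actual.ServiceRunning)
if ($actual.PolicyEnabled -and -not $actual.ServiceRunning) {
    # Policy and reality disagree: a green Security Center icon here is not to be trusted.
    Write-Warning 'Firewall policy is on but the SharedAccess service is not running.'
}

foreach ($r in @(Get-ReportedFirewallStatus)) {
    Write-Host ("Security Center record: '{0}' reports Enabled={1}" -f $r.Name, $r.Enabled)
}
```

The point of the cross-check is that the Security Center record and the firewall's own configuration are two separate sources; a spoof changes the first without the second, so a mismatch between them is the symptom to look for. Run the script from a limited account as well as an administrator one to see which sessions could have altered the record in the first place.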
No programs are known to exploit this flaw, but the fact that it emerged through a tip-off suggests it is more widely known than the public record indicates.
Microsoft's unofficial response to PC Magazine's highlighting of the issue can be read here.
Security company Secunia warned that sysadmins should take some heed of the warning. "Secunia's advice is to give all users 'Limited' privileges and ONLY log in as Administrator when you need to perform extensive administrative tasks and install programs that originate from trusted sources, otherwise use 'Run as...' when needed," said Thomas Kristensen of Secunia, which confirmed it knew of the issue.