Date: 16 Dec 2004 14:21:12 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [NT] Microsoft Windows XP Firewall Default Configuration Vulnerability (SP2, Local Subnet)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Windows XP Firewall Default Configuration Vulnerability (SP2,
Local Subnet)
------------------------------------------------------------------------
SUMMARY
After you set up Microsoft Windows Firewall in Microsoft Windows XP
Service Pack 2 (SP2), you may discover that your computer can be accessed
by anyone on the Internet when you use a dial-up connection to connect to
the Internet, this is due to a back in the way Microsoft's Firewall
handles local subnets.
DETAILS
This problem occurs because of the way that Windows Firewall interprets
local subnets when the "My network (subnet) only" option is used. Windows
Firewall is included with Windows XP SP2.
Because of the way that some dialing software configures routing tables,
Windows Firewall in Windows XP SP2 can sometimes interpret the whole
Internet to be a local subnet. This can let anyone on the Internet access
the Windows Firewall exceptions. When the "My network (subnet) only"
option is enabled, it is automatically selected for file and print
sharing. Therefore, your shared drives can be unexpectedly revealed on the
Internet when you use a dial-up connection.
Solution:
To resolve this problem, you must download and install the Critical Update
for Windows XP:
<http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=da66a0ac-55ca-4591-b3e6-d78695899141&displaylang=en> KB886185
After you install the Critical Update for Windows XP (KB886185), Windows
Firewall will no longer interpret a dial-up network connection to be on
your local subnet.
Specifically, any IP Route Table entry that has an IP address of 0.0.0.0
and has a mask of 0.0.0.0 will not be interpreted to be on the local
subnet. This means that any port exceptions or program exceptions that use
the "My network (subnet) only" option in Windows Firewall will not be
available over a dial-up connection. You will still be able to access
exceptions over a dial-up connection if you remove all scope restrictions,
or if you create a custom scope for exceptions.
Subnets can be highly variable, depending on the network that they are
connected to. Therefore, using the "My network" scope restriction does not
guarantee security. We strongly recommend that you use the custom scope
option when you want to make sure that no unwanted incoming traffic is
permitted to pass through your firewall exceptions.
For more information about configuring Windows Firewall, visit the
following Microsoft TechNet Web page:
<http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx>;
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
ADDITIONAL INFORMATION
The information has been provided by
<mailto:nathan.fowler@packetmail.net.> Nathan Fowler.
The original article can be found at:
<http://support.microsoft.com/kb/886185>;
http://support.microsoft.com/kb/886185
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
