Re: RE: [Security] Fun with Windows all over again

From: Erik Klavon (erik_at_ack.berkeley.edu)
Date: Mon Sep 15 2003 - 11:17:45 PDT

• Next message: Aron Roberts: "Re: RE: [Security] Fun with Windows all over again"
• Previous message: ken lindahl: "Re: Windows RPC DCOM Dos exploit"
• Maybe in reply to: Greg Merritt: "RE: [Security] Fun with Windows all over again"
• Next in thread: Aron Roberts: "Re: RE: [Security] Fun with Windows all over again"
• Reply: Aron Roberts: "Re: RE: [Security] Fun with Windows all over again"

On Fri, Sep 12, 2003 at 12:49:21PM -0700, Alexander Brown wrote:
> "Kevin D. Burney" wrote:
> >
> > I have had success using XP and 2003 by simply enabling the built-in
> > personal firewall before connecting to the network. Then you will be safe
> > to download your patches.
>
> I would be cautious with this approach; we have had multiple reports in
> EECS of compromised XP systems that were unpatched, but "running the
> firewall since before they were ever put on the network". I cannot
> attest to the accuracy of the reports, but the fact that there have been
> multiple reports makes me nervous about recommending this as a solution.

I recently enabled the firewall in XP on a relative's computer. I
found many open ports for the Windows Messenger service. I disabled
all of them and upon rebooting the computer found that they had all
been re-enabled. A quick search on the web gives me the impression that
messenger isn't easy to disable (you have to disable it both in the
control panel and in applications that use it).

Perhaps I wasn't doing something right, or I didn't know the proper
way use this firewall. But it seems to me that if I am given a list of
open ports in a control panel which says that I can disable them, I do
so according to the instructions and save the config, those ports
should remain closed even after a reboot, regardless of what any other
application would like to do.

Needless to say, after this encounter I don't feel I can trust the XP
firewall. Hopefully Microsoft will make/has already made plans to
change this behavior.

Erik

(all opinions expressed are my own, of course)

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.

• Next message: Aron Roberts: "Re: RE: [Security] Fun with Windows all over again"
• Previous message: ken lindahl: "Re: Windows RPC DCOM Dos exploit"
• Maybe in reply to: Greg Merritt: "RE: [Security] Fun with Windows all over again"
• Next in thread: Aron Roberts: "Re: RE: [Security] Fun with Windows all over again"
• Reply: Aron Roberts: "Re: RE: [Security] Fun with Windows all over again"

This archive was generated by hypermail 2.1.5 : Mon Sep 15 2003 - 11:24:07 PDT