Vista firewall easily tricked, says Symantec

Symantec researcher claims that Microsoft's design decisions could lead to vulnerabilities

Windows Vista's firewall can easily be subverted because of design decisions made by Microsoft, a researcher at Symantec said Friday.

Orlando Padilla, a Symantec security response team member who authored a study released this week on how well Vista stands up to current malware, took the new operating system's firewall to task in a blog.

"[The firewall] poses a great limitation for malicious code looking to backdoor a host," said Padilla in the entry. "Unfortunately, the Unblock button may be accessed with the same privilege level as a standard user. This configuration of privileges creates a point of vulnerability that undermines the effectiveness of the firewall's policy in Windows Vista."

Padilla was unavailable for comment, but Javier Santoyo, manager of development in Symantec's research group, explained. "Subverting a firewall is nothing new, but Microsoft, with Vista and User Account Control [UAC], had the ability to strengthen the firewall." The company didn't take that opportunity, he said.

The problem, according to Santoyo, is that while Vista's firewall blocks all third-party and untrusted network traffic unless the user clicks the Unblock button, it's not hard for attackers to code their malware so that the software surreptitiously clicks the button. The SendMessage API call can be used to automate that function, said Padilla.

Microsoft could have guaranteed that only a click by a real live user would unblock the firewall for an application requesting Internet access. "They could have coded it so only an interactive user could click the button," he said. It's possible that rival firewall vendors may take up the approach, Santoyo said.

The motivation for tricking Vista into allowing malware access to the Internet is plain: "They could then download other malicious code" or hide the command-and-control traffic between an infected PC and the hacker using the machine as a spam zombie or denial-of-service attacker, said Santoyo.

"Assuming an attacker can perform the firewall unblock attack, most of the functionality commonly present in a bot is available," wrote Padilla in his research paper (download PDF).

"Yes, I think attackers will try this," said Santoyo. "It's not hard to do."

Microsoft officials could not be reached for comment.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?