XP SP2 Craters

So the newswires and forums are buzzing about this reported security flaw in XP SP2.   Essentially they are complaining that the security center in SP2 uses WMI to store its metadata and an administrator can modify the metadata to convince the user that they’re protected when they’re not.

In the original eWeek article, Microsoft’s response is quoted as:

“In SP2, we added functionality to reduce the likelihood of unknown/devious applications running on a user’s system, including turning Windows Firewall on by default, data execution prevention, attachment execution services to name a few. To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack – no WSC is necessary.”

“Windows Security Center, found in the Windows XP Control panel, provides customers the ability and makes it easier to check the status of these essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure.”

In other words, if you’re running as an administrator, you can run an application that can mess up your computer.  Yup, but if you’re running as an admin and you’re running untrusted code then IMHO, spoofing the security center is the LEAST of your problems – the application that spoofed the security center could also have installed a rootkit on your machine, and at that point, the bad guys own your computer.

Mike Dimmick also has an excellent rebuttal to the original eWeek article.


Comments (29)

  1. Jeff Parker says:

    Good post Larry, I do not get the point of the Supposed Security Flaw. I mean if someone gets into your computer at an admin level honestly security center is the least of your worries. My only complaint about security center is why didn’t they put it under Administrative Tools. Took me forever to find it the other day when looking for it. Went to Admin Tools first, then went to Computer Management (not there either), started looking around my start bar (too many Microsoft folders there anymore). Then as a last resort before building a quick application that opened a socket up just to get the firewall approval thing to pop up I decided to check control panel. And yes, I seriously thought about writing a quick app to force that to pop up.

    Do people really go to control panel for anything these days? I haven’t really been in there in years, with all the right clicking I can do on My Computer and Network Hood and having Administrative tools added to my start bar. I guess I haven’t been in there in a while and wasn’t expecting it there.

  2. foobar says:

    Yes, people use the Control Panel. Especially if they’re not running a server OS.

  3. Herb says:

    Yes, running as admin is a Bad Thing. And yes, spoofing the security center is probably the least of somebody’s problems at that point.

    The real problem with this "security flaw" is that people will trust whatever the security center tells them. So, somebody runs as admin (XP Home pretty well guarantees this), has their system compromised by something which spoofs the security center.

    Now, not only do the bad guys own your computer, but you have your only authoritative source telling you that everything is OK.

  4. Will says:

    Perhaps the security center should have a warning for when you’re logged in as a user who could spoof the data being shown? Specifically, in addition to automatic updates, the firewall and antivirus info, include a "bar" for the current user that’s colored red when logged in as an Administrator, and green when logged in as a regular User (or lower). Specifically checking to see if the logged in user can modify the Security Center WMI data would probably be more reliable, but you get the idea.

  5. Wmipy says:

    Why do you poo-poo this? Doesn’t *every* *single* user of XP home get created by default as an admin???

    You can imply that running as admin is something only a lamer would do, but the default behaviour of the OS practically begs the user to run as admin. Is that their fault? If you think it is, you have no business coding for a consumer OS. IMHO.

  6. Hey Larry,

    Any chance that you can do a post or otherwise recommend how to set up a system in such a way that the average developer can use it without logging in with Admin rights all the time?

    The choice of Administrator or Limited Access accounts from the Control Panel "easy" security settings screen is a little too coarse grained.

  7. mschaef says:


    I’ve had good luck running as a User but adding Debugger rights. I had to modify my software to use HKEY_CURRENT_USER for the registry instead of HKEY_LOCAL_MACHINE, but I should have done that anyway.

  8. Wmipy,

    The reason I poo-poo it is because the issue is that running as admin is the problem, NOT WMI.

    Think of it this way:

    You left your house and left the door wide open. Someone came into your house and changed the sheets on your bed. You didn’t notice it because the bed was still made.

    Now then. Was there a vulnerability? Yes, someone was able to get into your house and change your sheets without letting you know about it. But the REAL problem wasn’t that the sheets were changed. Instead it was that the front door was left wide open. Once they got through the front door, changing the sheets was the least of what they could have done.

    This "vulnerabilty" report is the same thing. They’re reporting that if you’re running as an admin, you can change someones sheets. It’s true, but it’s the least of what you could do.

    Once you’re rooted, you don’t own your computer, the bad guy owns your computer. Not only could they convince the security center that you’re patched when you’re not, they could also completely replace the security center with their own version and you’d never know it.

    THAT’S why I’m poo-pooing this "vulnerability".

    Also, as far as running as a non admin, there have been a number of good posts on weblogs.asp.net, and Mike Dimmick’s post lists a couple of suggestions. I’m still trying to understand what works and doesn’t work so I’m not ready to give advice yet 🙁

  9. GoodLuck says:

    I like Microsoft technology and I am a happy Windows developer.

    When it comes to security, unfortunately Microsoft doesn’t get it. Security is not just a technology problem, it is a perception problem. Fair or not, Microsoft is held to a very high standard. Even if a home Windows user lands in a security problem by his own ignorant mistake, it’s Microsoft’s problem. Microsoft can either accept it or live in denial forever.

    This would be my advice to Microsoft 🙂

    "Be Humble, You are that good"

    Good Luck!

  10. GoodLuck: You’re right, and you’re wrong. The only thing that can possibly counter the perception problem is execution.

    Win2K3 and SP2 are the first steps towards executing on changing the perception problem. It’ll be interesting to see if things change in the next six months or so.

    I don’t think Microsoft’s living in denial about the problem. On the other hand, if the press keeps on coming up with bogus vulnerabilities like this one, they don’t do ANYONE a service.

    There ARE real vulnerabilities out there, we’re human, and humans make mistakes. But XP SP2’s all about either cutting those vulnerabilities off at the knees or limiting the damage that they can do.

    Articles like this one trumpeting made-up vulnerabilities can actually hurt people by convincing them that they shouldn’t upgrade because XP SP2’s no better than XP SP1. And that’s just flat-out not true.

  11. Mat Hall says:

    On the one hand I agree with Larry — if you log in as admin and run random software, you’ve got to take some responsibility for your problems, EXCEPT:

    Buy a PC from a store. Get home, turn it on, run through the welcome bit, create your user account, etc. Guess what? It’s an admin account. (The user is given no indication that there are even any different types of account unless they create new users afterwards, and if they get that far they’ll rapidly learn that sometimes stuff doesn’t work properly unless you’ve got an admin account.)

    Now download some software. Without you knowing, it spoofs the security center, kills the firewall, and opens a hole. However, Microsoft have been saying that SP2 is extra secure, XP is saying you’re protected, so how’s the average Joe going to know anything’s amiss?

    The Security Center is a good idea in theory, but if users come to rely on it and run as admin (which they will) it may end up doing more harm than good…

    [ I wish there was a preview button on this thing — it’s very hard to proofread large blocks of text in this little box, and I can’t be bothered with copying and pasting. I’m a busy man! 🙂 ]

  12. Serge Wautier says:


    > how to set up a system in such a way that the average developer can use
    > it without logging in with Admin rights all the time?


  13. Serge Wautier says:

    Follow-up of my previous comment here above:

    I admit the article doesn’t quite answer Simon’s question. Though it is interesting, it’s not really a how-to 🙁

  14. Edward says:

    I think it’s especially difficult not to run as an Administrator on XP Home. You haven’t got the Local Users and Groups MMC snap-in so you can’t create new security policies or add yourself to the Power Users group or anything; the only choices you get are in the Users control panel applet, and that only gives you Limited and Administrator. Most people would find Limited far too restrictive, while they could probably live with Power User or something in between.

    Even if people are aware how to use RunAs to launch specific programs from their Limited account you still run into problems. If you install the program as administrator but run it as another user you run into problems since the setup has installed default configurations in the Administrator’s user profile and not yours. Some programs have to be run at least once as an admin in each user profile you want to use them from. Changing the status of an account is messy since you have to log out and in again.

    More advanced users might be able to use Regmon and Filemon to identify where their programs are breaking, but XP Home doesn’t have the security properties page to lessen the restrictions on specific files. The only option is to use cacls on the command line which is far from intuitive.

    Expecting Home users not to run as administrator when you have removed all the tools they might use to even make that a possibility, is a bit far fetched.

  15. Pam Verosky says:

    Um, this may seem like a stupid question for you pros, but I installed SP2 last night and now my optical mouse won’t work… why??

  16. Wmipy says:

    >The reason I poo-poo it is because the
    >issue is that running as admin is the problem

    I’ll submit to that, but what’s the root cause of *that* problem???

    >Mat Hall says:
    >Buy a PC from a store. Get home,
    >turn it on, run through the welcome bit,
    >create your user account, etc. Guess what?
    >It’s an admin account.

    that’s exactly what I was talking about. Larry seems to want to blame the user. I was hoping this mindset was changing.

    It’s extremely disappointing, coming from a ‘softie.

  17. Jonathan says:

    In XP Home, Cacls.exe is your friend 🙂 You don’t get the Security property page to give limited users permissions to secured folders, but you can use this command line utility instead. Not good for the average joe, though.
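
The cacls approach that Edward (comment 14) and Jonathan (comment 17) mention, written out as an added example; it is not part of the post or any comment. It grants one Limited account change access to a single application folder on XP Home, where the Security property page is unavailable. The folder path C:\Program Files\ExampleApp and the account name alice are assumed placeholders.

```batch
@echo off
rem Added example (not from the post or its comments): give a Limited user
rem write access to one application's folder on XP Home using cacls.
rem "C:\Program Files\ExampleApp" and the account "alice" are assumed
rem placeholders; substitute your own path and user name.

set APPDIR=C:\Program Files\ExampleApp

rem 1. Look before changing anything: display the folder's current ACL.
cacls "%APPDIR%"

rem 2. Grant the user Change access (read, write, delete) to the folder and
rem    everything under it.
rem    /E  edits the existing ACL. Without /E, cacls REPLACES the whole ACL
rem        and alice becomes the only account with any access.
rem    /T  applies the change to the whole subtree.
rem    C   = Change. Use R for read-only; avoid F (Full), which also lets the
rem        user rewrite the ACL itself.
cacls "%APPDIR%" /E /T /G alice:C

rem 3. Verify that the new entry is present alongside the original ones.
cacls "%APPDIR%"

rem To revoke later, again with /E so the rest of the ACL is untouched:
rem cacls "%APPDIR%" /E /T /R alice
```

Run it from an Administrator command prompt (or via RunAs). Two points matter in practice: /E edits the existing ACL instead of replacing it, and the grant should cover only the folder the program actually needs to write to, not its executables. Making a program's binaries writable by a limited user defeats the purpose of running as one, because anything running as that user could then replace them.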

  18. Mat Hall says:

    >Um, this may seem like a stupid question
    >for you pros, but I installed SP2 last night
    >and now my optical mouse wont work….why??

    There are no stupid questions. (There are, however, a lot of inquisitive idiots. 🙂) No idea why the mouse doesn’t work, although if you’re on an AMD64 machine it may be the DEP causing trouble, especially if you’re using the /PAE switch. Check the SP2 pages on microsoft.com for more details…

    One question I have about SP2 is why the boot logo now no longer says "Professional" (and presumably "Home" depending on the edition), and why the dates have gone on the copyright notice. It just looks weird…

  19. Wmipy, I’m not blaming the users. In MY opinion, the default user config for XP home shouldn’t be an admin.

    But the reason the default user for XP is admin is the same as the reason that the default user for Linspire is root. Too many things break if you’re not running as admin. It’s unpleasant, but it’s a legacy of Win9x.

    Hopefully we’ll be able to fix it for Longhorn. The good news is that more and more apps out there don’t require users to be admin so…

  20. ryan says:

    The ‘time to live’ for a new PC on the internet is down to 20 minutes. That’s right, you have 20 minutes from the time you plug your computer into a cable modem/DSL to make sure your system is brought up to speed on patches, elsewise a random worm probe will hit you and break your system. The url for that is: http://isc.sans.org/survivalhistory.php

    Larry’s statement that this is a non-bug reminds me of old-old mainframe systems which came with default usernames/passwords. Sure if you changed those the system would be quite a bit more secure, but many sysadmins/installers did not, and thus discovering mainframes and hacking into them was as simple as wardialing and a default password list.

    The goal of security is to design a system with inherent security built in. Part of that means the system is secure out of the box with no user intervention.

    Mac OS X is much better in this regard, if a process wants root access, the OS pops up a dialog informing the user to enter their password and which app requests it.

    Consider corporate environments, the firewall model doesn’t work very well – if it did, we wouldn’t see the Bank of America ATM transaction network taken down by the SqlServer worm. Someone brought an infected laptop from the outside into the ‘protected’ network… clearly host security and OS vulnerabilities are more important than ever.

  21. Ryan, you’re right. Win9x, XP RTM, XP SP1 do have a short time to live on the internet.

    That’s why we did XP SP2 in the first place. The time to live for a new PC running XP SP2 is far higher than it was for any previous Microsoft OS, simply because of the built-in firewall, not to mention the other improvements.

    This is REGARDLESS of the privilege level of the user – the OS is secure.

    This non-vulnerability only serves to convince people that XP SP2 isn’t an order of magnitude better than previous releases. And it IS. Demonstrably so.

    Take an XP SP2 system, with no patches. Put it on the internet live. See how long it stays up without being infected. It’s a lot longer than 20 minutes 🙂

  22. Filip Maurits says:

    """But the reason the default user for XP is admin is the same as the reason that the default user for Linspire is root."""

    AFAIK the default user has been a normal user since the second release of Lindows…

  23. Norman Diamond says:

    I don’t feel a lot of confidence in that SANS report. I wonder what they measured. Maybe it’s 20 minutes from the time of connecting until the time that an ordinary console user would see that things aren’t running properly. And why would an ordinary console user become aware of it, maybe that’s because it’s 20 minutes on average until an old unsophisticated worm has its way. By that time, modern worms have already 0wned the machine for 19 minutes.

    Someone who buys a PC with XP SP1a preinstalled doesn’t have a 20-minute grace period in which to download SP2 and get it installed. There are two possibilities. One is to connect it to a hardware firewall and download SP2. One is to get SP2 on a CD and install it before connecting.

    (By the way, among the programs that don’t work when SP2 is installed is Windows Update. Fortunately WU V5 works for the local machine. But click the link for corporate WU and it’s still V4. It brings up a page saying Administrators Only, giving instructions on how to use RunAs to run as myself, and then it repeats the same bug. So we’re not only waiting and worrying during the time that it’s still too cumbersome to not run as local admins all the time, but sometimes it isn’t even enough when we do.)

  24. nobody says:

    Norman Diamond said "Someone who buys a PC with XP SP1a preinstalled doesn’t have a 20-minute grace period in which to download SP2 and get it installed. There are two possibilities. One is to connect it to a hardware firewall and download SP2. One is to get SP2 on a CD and install it before connecting."

    The correct thing for the user to do is to turn on the firewall that was built into XP from day 1.

  25. Rolando says:


    "Hopefully we’ll be able to *fix* it for Longhorn"

    So you agree that something is broken, don’t you?

  26. Something is broken? No, I don’t agree that something is broken. I DO believe that it’s too hard to run as a limited user. But there’s a big difference between "it’s too hard" and "it’s broken".

    It’s entirely possible to run as a limited user (I do it all the time). But it’s not without difficulties and it requires workarounds for several applications, so it’s not for the naive user. And that’s the key – right now, a naive user can’t run as a non admin.

    What will it take to change this? Developers need to start running as a limited user. All developers, not just those at Microsoft. That way they know what works and what doesn’t work.

    It turns out that probably 90% of the applications out there that "require" administrative rights really don’t – and if the developers working on them weren’t running as an admin, they would fix their bugs.