So the newswires and forums are buzzing about this reported security flaw in XP SP2. Essentially they are complaining that the security center in SP2 uses WMI to store its metadata and an administrator can modify the metadata to convince the user that they’re protected when they’re not.
In the original eWeek article, Microsoft’s response is quoted as:
In SP2, we added functionality to reduce the likelihood of unknown/devious applications running on a user’s system, including turning Windows Firewall on by default, data execution prevention, attachment execution services to name a few. To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack – no WSC is necessary.”
“Windows Security Center, found in the Windows XP Control panel, provides customers the ability and makes it easier to check the status of these essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure.”
In other words, if you’re running as an administrator, you can run an application that can mess up your computer. Yup, but if you’re running as an admin and you’re running untrusted code then IMHO, spoofing the security center is the LEAST of your problems – the application that spoofed the security center could also have installed a rootkit on your machine, and at that point, the bad guys own your computer.
Mike Dimmick also has an excellent rebuttal to the original eWeek article.