More Security Issues concerning the new Windows Firewall


Recall --

Yesterday, I posted a comment on the fact that the new Windows Firewall (present in XP Service Pack 2) does not monitor outgoing traffic. As we discovered, this is especially problematic for Spyware attacks, as it may be possible for a Spyware program to extract personal information from your computer and relay it to a third party -- all without you knowing about it.

Infopackets Reader Tom M. writes:

" Dennis: [in reference to your original article], you mused as to why Microsoft hasn't followed the ideology of full firewall protection. Might I cynically speculate that it may be a perceived legal matter? By this I mean they may be trying to fend off claims of having a monopoly by not putting everything into their operating system. Appearing to have a firewall, albeit half of one, is good marketing directed at those who would prefer one-stop shopping and/or are ill-informed.

Those who realize they need something better, including those who learn it from useful newsletters such as yours, will go out and download a free or purchased copy of a 'real' firewall. One-stop shopping would be a great boon to customers, only if the included functions were 'top of the line'. But it could put a lot of serious smaller companies, which provide good products, out of business and draw too much negative attention. Mind you, putting in a half-baked firewall draws negative attention too. Perhaps it's a matter of choosing the lesser of two evils. Of course I could be full of it, but.... "

Interesting (and amusing) comments. In terms of security, Infopackets Reader 'Alias Zero' pointed out some very interesting facts about the new Windows Firewall that comes standard with Windows XP Service Pack 2:

" In fact, the new XP Firewall does little to stop anything. Microsoft has created an API which allows programs to add firewall rules at whim. Although administrator access level is required to change the rule set, I'm speculating that someone (at some point) will find a way to exploit the API to allow for further exploitation of the operating system. " (Paraphrased)

Side note: API stands for "Application Program Interface". In short, an API is the set of functions a program exposes so that other programs can plug into it. In "operating systems that support a graphical user interface, the API also defines functions to support windows, icons, pull-down menus, and other components of the interface. In network operating systems, an API defines a standard method application programs can use to take advantage of all the network features." (Source: angelFire.com)

My response:

I did a bit of research on this using Google and found a post via securityFocus.com which essentially underscores what Alias Zero has pointed out:

" Besides manual configuration of the rule set, [the Windows Internet Connection Firewall, or 'ICF'] contains an API that allows applications to temporarily modify the [firewall] rule set. In the screenshot below, Windows Messenger automatically opened up TCP port 12212 and UDP port 13037 for its own use.

This is both a good and scary feature. It's good because it allows applications like Windows Messenger the ability to interoperate with [the Windows Firewall]. This is especially useful for applications that open up dynamic ports [random communication ports used on the Internet]. With applications that open up dynamic ports, you can't specify a rule that would allow the traffic through, since the port could change. This is great for people who play games that support DirectPlay 8. At the same time, most security professionals get a little wary when applications can change firewall rule sets willy-nilly. A big complaint people have about the [Windows Firewall] API is that it requires administrative privileges. If your Windows XP account is a 'limited' account, applications you run can't manipulate the ICF rule set using the [Windows Firewall] API. " (Source: securityFocus.com)

Indeed, a scary thought; and again, I recommend scrapping the SP2 Windows Firewall in favor of Zone Alarm -- a much better firewall which has the ability to notify you of all incoming *and* outgoing communication (something that the Windows Firewall doesn't do).
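The rule-set changes the securityFocus post describes (ports a program such as Windows Messenger opened for itself, applications authorized through the API) can be audited from PowerShell through the same HNetCfg.FwMgr COM interface the API is built on. This is an added example, not code from the article or either quoted source, and it assumes a Windows version that still exposes that XP-era object.

```powershell
# Added example, not from the article or the quoted sources: read-only audit
# of the SP2 firewall exception list through the HNetCfg.FwMgr COM object,
# the same interface programs use when they add rules via the firewall API.
# Reading the policy needs no admin rights; changing it does.
$fwMgr     = New-Object -ComObject HNetCfg.FwMgr
$fwProfile = $fwMgr.LocalPolicy.CurrentProfile

# Numeric codes returned by the INetFwOpenPort / INetFwAuthorizedApplication objects
$protoNames = @{ 6 = 'TCP'; 17 = 'UDP' }
$scopeNames = @{ 0 = 'any address'; 1 = 'local subnet'; 2 = 'custom list' }

"Firewall enabled          : $($fwProfile.FirewallEnabled)"
"Exceptions permitted      : $(-not $fwProfile.ExceptionsNotAllowed)"
"User prompted on listener : $(-not $fwProfile.NotificationsDisabled)"

"`n-- Globally open ports (holes a program or the control panel added) --"
foreach ($port in $fwProfile.GloballyOpenPorts) {
    $proto = $protoNames[[int]$port.Protocol]
    $scope = $scopeNames[[int]$port.Scope]
    # An enabled hole reachable from any remote address deserves a second look
    $note = if ($port.Enabled -and $port.Scope -eq 0) { '   <-- open to any remote address' } else { '' }
    '{0,-3} {1,-5} enabled={2,-5} scope={3,-12} "{4}"{5}' -f $proto, $port.Port, $port.Enabled, $scope, $port.Name, $note
}

"`n-- Authorized applications (any port, as long as this image is the listener) --"
foreach ($app in $fwProfile.AuthorizedApplications) {
    $image = [Environment]::ExpandEnvironmentVariables($app.ProcessImageFileName)
    $scope = $scopeNames[[int]$app.Scope]
    # A rule whose program no longer exists on disk is stale and should be removed
    $note = if ($app.Enabled -and -not (Test-Path -LiteralPath $image)) { '   <-- image not found on disk' } else { '' }
    'enabled={0,-5} scope={1,-12} "{2}" -> {3}{4}' -f $app.Enabled, $scope, $app.Name, $image, $note
}
```

Run it before and after installing a program to see exactly which exceptions that program added for itself.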

And as I mentioned yesterday, the Zone Alarm Firewall (free) will be covered explicitly in my new Service Pack 2 fail-safe installation guide, which will be released very shortly.
