Windows 2000/XP Wi-Fi flaw

By Derek Sooman on January 16, 2006, 12:47 PM
Details of a previously undocumented flaw in Microsoft's handling of Wi-Fi, affecting users of Windows 2000 and XP, have been made public by hackers.

The vulnerability was detailed at the ShmooCon hacker conference in Washington DC by self-confessed hacker Mark Loveless (aka Simple Nomad), a senior security researcher for Vernier Threat Labs.

The issue concerns the way the operating systems look for wireless networks during start-up. When a Windows 2000 or XP machine with Wi-Fi starts up, it immediately scans for wireless networks; if none is found, it configures the adapter for an ad hoc network using the name (SSID) of the last wireless network it connected to.

If an attacker knows that last-used network name, for example the SSID of a corporate Wi-Fi network, they can advertise an ad hoc network with the same name and so establish a direct local link with the Windows PC, putting its file shares and any other listening services within reach.

However, the problem only arises if the target machine is not running a firewall that blocks inbound connections on the wireless interface. One of the changes in Windows XP SP2 turns the built-in Windows Firewall on by default; Windows 2000 ships without a built-in firewall, so it needs a third-party one.
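The attack above needs an ad hoc (IBSS) network beaconing a trusted infrastructure SSID, which is something a wireless monitor can look for directly. The following is an added example, not code from the article or from Vernier Threat Labs: it classifies beacon records by the ESS/IBSS bits of the 802.11 Capability Information field and flags ad hoc beacons that reuse a trusted SSID (plus IBSS beacons whose BSSID is not the locally administered address the standard requires). The `Beacon` record layout, the `CORP-WLAN` SSID and the sample beacons are constructed for the example.

```python
# Added example (not from the article): flag ad hoc (IBSS) beacons that reuse
# an SSID belonging to a trusted infrastructure network, the precondition for
# the ad hoc SSID attack described above. The Beacon record, the SSIDs and the
# sample beacons below are constructed sample data, not captures.
from dataclasses import dataclass

# Bits of the 802.11 Capability Information field carried in beacon frames.
CAP_ESS = 0x0001   # set by access points (infrastructure network)
CAP_IBSS = 0x0002  # set by stations beaconing an ad hoc network


@dataclass(frozen=True)
class Beacon:
    bssid: str        # "aa:bb:cc:dd:ee:ff"
    ssid: str
    capability: int   # 16-bit Capability Information field


def bss_type(capability: int) -> str:
    """Classify a beacon from its ESS/IBSS bits; exactly one must be set."""
    ess = bool(capability & CAP_ESS)
    ibss = bool(capability & CAP_IBSS)
    if ibss and not ess:
        return "ibss"
    if ess and not ibss:
        return "ess"
    return "malformed"


def is_locally_administered(bssid: str) -> bool:
    """IBSS BSSIDs are random locally administered addresses: in the first
    octet the U/L bit (0x02) is set and the I/G bit (0x01) is clear."""
    first = int(bssid.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def find_ssid_reuse(beacons, trusted_infra_ssids):
    """Return (ssid, bssid, reason) alerts for suspicious ad hoc beacons.

    Alerts: an IBSS beacon advertising a trusted infrastructure SSID, an
    IBSS beacon whose BSSID is not locally administered, or a beacon whose
    capability field sets both or neither of the ESS/IBSS bits.
    """
    trusted = set(trusted_infra_ssids)
    alerts = []
    seen = set()
    for b in beacons:
        key = (b.bssid.lower(), b.ssid)
        if key in seen:
            continue   # beacons repeat ~10/s; report each BSSID/SSID pair once
        seen.add(key)
        kind = bss_type(b.capability)
        if kind == "malformed":
            alerts.append((b.ssid, b.bssid,
                           "capability field sets both or neither of ESS/IBSS"))
            continue
        if kind != "ibss":
            continue   # genuine access points are out of scope here
        if b.ssid in trusted:
            alerts.append((b.ssid, b.bssid,
                           "ad hoc network reusing trusted infrastructure SSID"))
        if not is_locally_administered(b.bssid):
            alerts.append((b.ssid, b.bssid,
                           "IBSS BSSID is not a locally administered address"))
    return alerts


# Constructed sample data: the real corporate AP, a neighbour's harmless ad hoc
# network, and an ad hoc beacon reusing the corporate SSID (seen twice).
SAMPLE_BEACONS = [
    Beacon("00:1a:2b:3c:4d:5e", "CORP-WLAN", 0x0431),       # genuine AP: ESS + privacy
    Beacon("02:11:22:33:44:55", "mylaptop-adhoc", 0x0002),  # benign IBSS
    Beacon("02:aa:bb:cc:dd:ee", "CORP-WLAN", 0x0002),       # IBSS reusing corporate SSID
    Beacon("02:aa:bb:cc:dd:ee", "CORP-WLAN", 0x0002),       # repeat beacon, deduplicated
]
TRUSTED_SSIDS = {"CORP-WLAN"}


if __name__ == "__main__":
    for ssid, bssid, reason in find_ssid_reuse(SAMPLE_BEACONS, TRUSTED_SSIDS):
        print(f"ALERT {bssid} '{ssid}': {reason}")
```

On the sample data only the `02:aa:bb:cc:dd:ee` beacon is reported. A real deployment would feed the function from a capture source and treat the first alert for a corporate SSID as a signal to locate the station and to confirm that the firewall is enabled on laptops that have that SSID in their preferred list.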

User Comments: 18

barfarf said:
With a flaw-flaw here,
And a flaw-flaw there,
Here a flaw, there a flaw,
Everywhere a flaw-flaw,
Old MacGates had a farm,
Ee i ee i o
MonkeyMan said:
Well, the only thing I can say to this is that you should always keep your firewall on. Turning it off for things like playing PC games is cool, but you run the risk of being hacked. This is just one of many flaws that we should all watch out for. Microsoft will find a fix for this, just be patient, and I'm sure everything will be okay. Love ya Microsoft!!!!!
PanicX said:
[quote]it could be used to establish a direct local link with the Windows PC offering access to all local drives.[/quote]I'm not sure what that's supposed to mean. You can access the drives as if they're local to your machine? Or they're simply available to connect to if you have the proper credentials, like on a normal network connection? At first while reading this I thought it very unlikely that this could be exploited. But if you think about it, really all you need to do is hang out at a Starbucks that's near a large corporation with wireless access (that you sniff the SSID and encryption keys from). Then set your laptop to ad hoc with the same connection settings, and wait as employees drop by before or after work. When one comes by with Windows 2000 and no third-party firewall, you're in.
nathanskywalker said:
[b]Originally posted by MonkeyMan:[/b][quote]Well, the only thing I can say to this is that you should always keep your firewall on. Turning it off for things like playing PC games is cool, but you run the risk of being hacked. This is just one of many flaws that we should all watch out for. Microsoft will find a fix for this, just be patient, and I'm sure everything will be okay. Love ya Microsoft!!!!![/quote]Maybe, but it's not like Windows Firewall is unbreakable... Wow, though, such a simple mistake.
zachig said:
I'm reading about too many flaws recently in Microsoft products. What happened to them? Not that they were so secure, but still, too many flaws. At least they do release patches pretty fast.
PanicX said:
[b]Originally posted by zachig:[/b][quote] At least they do release patches pretty fast.[/quote][b]Quoted from the article:[/b][quote]Microsoft is aware of the problem, according to a report in the Washington Post, and has promised a fix in the next Windows service pack.[/quote]I don't know about you, but I haven't even seen a projected date for the next service pack for either operating system. I would definitely not consider this a fast fix.
Per Hansson said:
The projected date for Service Pack 3 for Windows XP is 2007. For Windows 2000 there is none afaik
Cartz said:
[b]Originally posted by PanicX:[/b][quote][b]Originally posted by zachig:[/b][quote] At least they do release patches pretty fast.[/quote][b]Quoted from the article:[/b][quote]Microsoft is aware of the problem, according to a report in the Washington Post, and has promised a fix in the next Windows service pack.[/quote]I don't know about you, but I haven't even seen a projected date for the next service pack for either operating system. I would definitely not consider this a fast fix.[/quote]Blah, let's all rag on Microsoft some more because they can't release patches for the O/S within a day of a bug being found. People need to be PATIENT. Bugs need to be sought out in the source code (not necessarily easy), they need to be fixed, and fixed in a way that does not affect any other part of the O/S. The only way for them to determine if it affects the rest of the O/S is to run a wide series of tests. Then it needs to be put in a deliverable and documented, before it can finally be put to the update service. This cannot be done in a day, nor in most cases, a week. I really get tired of hearing people say things along the lines of "I took a programming course in university, fixing bugs wasn't that hard, why can't MS do it?" Developing on a large pre-existing code base is incredibly difficult; the one I work on is likely 1/20th the size of MS's, and it's overwhelming. This is low priority anyways; if you have a firewall up, you're safe. Realistically, all this is is someone with an Anti-MS agenda waving a flag about yet another minor bug, and making it out to be another huge deal-breaking thing. If the same bug was found in, say, Linux, we wouldn't ever hear anything about it. It would be fixed quietly and that would be that. It's not a big deal; put a firewall up, they're essential anyways.
exscind said:
[b]Originally posted by PanicX:[/b][quote]But if you think about it, really all you need to do is hang out at a Starbucks that's near a large corporation with wireless access (that you sniff the SSID and encryption keys from). Then set your laptop to ad hoc with the same connection settings, and wait as employees drop by before or after work. When one comes by with Windows 2000 and no third-party firewall, you're in.[/quote]Why Starbucks? Every time I let a laptop scan for available Wi-Fi networks, I get at least 2 networks with no protection whatsoever. I don't have any knowledge about hacking, but when they're practically giving me full access, it doesn't take any knowledge. It is also a reassurance that if my connection ever goes down, I can just borrow a neighbor's until my connection is restored. And yes, people need to calm the expletive down. This flaw is recognized, but the solution (albeit temporary) is already built into Service Pack 2. I'm not sure why people are panicking that hackers will jump into their systems. Have Windows Firewall turned on, which it should be by default, and wait patiently for Microsoft to fix the problem. Not that there really needs to be one as long as the firewall stays on, which it should be.
PanicX said:
[b]Originally posted by Cartz:[/b][quote]Blah, let's all rag on Microsoft some more because they can't release patches for the O/S within a day of a bug being found. People need to be PATIENT. Bugs need to be sought out in the source code (not necessarily easy), they need to be fixed, and fixed in a way that does not affect any other part of the O/S. The only way for them to determine if it affects the rest of the O/S is to run a wide series of tests. Then it needs to be put in a deliverable and documented, before it can finally be put to the update service. This cannot be done in a day, nor in most cases, a week. I really get tired of hearing people say things along the lines of "I took a programming course in university, fixing bugs wasn't that hard, why can't MS do it?" Developing on a large pre-existing code base is incredibly difficult; the one I work on is likely 1/20th the size of MS's, and it's overwhelming. This is low priority anyways; if you have a firewall up, you're safe. Realistically, all this is is someone with an Anti-MS agenda waving a flag about yet another minor bug, and making it out to be another huge deal-breaking thing. If the same bug was found in, say, Linux, we wouldn't ever hear anything about it. It would be fixed quietly and that would be that. It's not a big deal; put a firewall up, they're essential anyways.[/quote][b]Quote from Mark Cox, Consulting Software Engineer for Red Hat[/b][quote]"There is also the issue of timing," he said. "With Linux products, critical updates are available within a day. If you look at Red Hat Enterprise Linux 3, the average patch time is under a day. With the recent critical WMF (Windows Meta File) vulnerability, it took Microsoft seven days," he said[/quote]I have never claimed to be a software debugging expert with a university education. Don't put words in my mouth.
My question is, if Red Hat, a major OS vendor, can produce a patch within 1 day, why can't MS? It's really quite amazing though that you tolerate such patterns of behavior from a company that for the last year has been tooting their own security horn. Perhaps my convictions to you are considered Anti-MS, but I view myself as Pro-Consumer. If Linux pulls the same stunt, I'd be just as quick to show my disappointment. If Mac had huge flaws found in it every day that don't get corrected for months, I'd be sure to let others know before buying a Mac. The [b]fact[/b] is that Microsoft is the only OS at this moment with these issues and therefore, I point them out. Try to open your tunnel vision to see what's really the case instead of stereotyping posts on a news article.
PanicX said:
[b]Originally posted by exscind:[/b][quote]Why Starbucks? Every time I let a laptop scan for available Wi-Fi networks, I get at least 2 networks with no protection whatsoever.[/quote]The point of the vulnerability is to grab the initial Wi-Fi access of a laptop that's starting up. This way you can "establish a direct local link with the Windows PC offering access to all local drives". I'm not sure of the implications of how much access you gain from this vulnerability, but should you be interested in accessing corporate files, this presents a window of opportunity. I said Starbucks because I notice quite a few Starbucks that have patrons with laptops on and think it's a likely spot for employees to perhaps stop at on the way to or from work.
mastronaut said:
This is all so much CRAP! We all pay good money for our computers only to have hackers scrape the proverbial key across the paint. It really ticks me off!
chickenroyal said:
MAC filtering FTW!
Need_a_Dell said:
Wow! That's a bit of a major flaw! Hopefully there is an update in the works for this. Also, here's hoping that Windows Longhorn (Last I checked, this is what it was called! Correct me if I'm wrong!) is a little more stable/secure than XP.
vigilante said:
Keep your firewall on, and don't even USE XP's built-in wireless handling; the service should be off. Instead always use the configuration utility of the wireless adapter itself. I agree with most that MS takes some time for bug fixes, but I also have to understand that they have to create a fix for EVERY version of Windows with the bug. Mac or Linux has maybe one distro to work with? MS has to deal with Home and Pro and MS, and Server editions and so on. Testing patches on every platform and on different hardware bases. Even MORE detrimental to a company than having a late bug fix is to have an early bug fix that screws up their PCs because it wasn't fully tested. In this case, however, a "bug fix" to simply remove the auto-ad-hoc function would suffice. And I would imagine that could be a fast fix.
yoyomama said:
;-) ;-) ;-) Boy, I sure am glad to be dual-booting Kubuntu (www.kubuntu.org) on my Windows XP box. In case of password loss or to recover data from an XP system that just hangs and hangs and hangs once you log in, download the LiveCD of Knoppix (www.knoppix.org). Oh yeah, and make some copies of it (it's legal - Knoppix is open source) in case your friends' computers die. LOL Edit: added LOL ;-)
Cy6erpuke said:
Really, you guys. Common knowledge that WinXP has its shortfalls, but loading SP2 goes without saying. Just one problem. File and printer sharing issues usually lead to the firewall being switched off.... win some, lose some?
mentaljedi said:
[b]Originally posted by barfarf:[/b][quote]With a flaw-flaw here,
And a flaw-flaw there,
Here a flaw, there a flaw,
Everywhere a flaw-flaw,
Old MacGates had a farm,
Ee i ee i o[/quote]And on that farm he had XP,
Ee i ee i o.
With a virus here,
and a flaw over there,
here a vulnerability,
there a malicious file,
everywhere a crash-crash,
old MacGates had a farm,
Ee i ee i o!