Time to Exploit the XP SP2 Firewall...

Tags: Security


A friend pointed me to a post of his on Slashdot (yes, I do have friends that post there).  I find his post interesting.  If I were to write some sort of virus, and could easily check the system it is currently running on and determine that it is in fact Windows XP SP2, why couldn't I simply run a few commands, like:

"netsh firewall set allowedprogram program = c:\%programname% name = %friendlyname% mode = ENABLE scope = ALL profile = ALL"

or even

"netsh firewall set portopening TCP 666 ENABLE"

Of course since we are running a command line utility there is absolutely NO UI confirmation for this.  Any sort of malicious program can alter your firewall without anyone knowing jack, rendering your firewall useless.

Wouldn't it be nice to be able to set a default alert (email or whatever) that is sent whenever any sort of firewall changes are made?  Then again, there would probably be a simple command to turn that on and off.
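As an added example (not from the original post or from Microsoft), here is a small Python script in the spirit of the alert the post asks for: it parses two snapshots of `netsh firewall show portopening` output and reports exceptions that appeared, disappeared or changed mode since the baseline. The column layout and the sample rows are constructed and assumed here, not captured from a real host; on a real machine you would save the command's output as the baseline and feed a fresh capture as the current snapshot.

```python
import re
from typing import Dict, List, Tuple

# Exception rows are assumed to look like "139    TCP       Enable   NetBIOS Session Service".
# This column layout is an assumption; the sample text further down is constructed.
ROW_RE = re.compile(r"^\s*(\d{1,5})\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*?)\s*$", re.I)

Key = Tuple[str, int]           # (protocol, port)
Value = Tuple[str, str]         # (mode, name)


def parse_portopenings(text: str) -> Dict[Key, Value]:
    """Map (protocol, port) -> (mode, name) for each exception row; headers and rulers are skipped."""
    rules: Dict[Key, Value] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            port, proto, mode, name = m.groups()
            rules[(proto.upper(), int(port))] = (mode.capitalize(), name)
    return rules


def diff_portopenings(baseline: str, current: str) -> Dict[str, List[Key]]:
    """Compare a stored snapshot with a fresh one; any non-empty list is worth an alert."""
    old, new = parse_portopenings(baseline), parse_portopenings(current)
    return {
        "added":   sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


# Constructed sample snapshots: CURRENT is BASELINE plus the hole the post's
# "netsh firewall set portopening TCP 666 ENABLE" command would punch.
BASELINE = """Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
"""
CURRENT = BASELINE + "666    TCP       Enable   svchost helper\n"

if __name__ == "__main__":
    # Schedule this and mail the result to get the alert the post wishes for.
    print(diff_portopenings(BASELINE, CURRENT))
```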

You might be thinking, what if I'm running in non-admin mode?  Well, that's all fine, make sure you do that, and you most likely will not be affected by this.  But if you're an XP Home user, where all users run as admin, consider that upgrade sooner rather than later.


5 Comments

  • Rick David said

    A simple dialog that says "Your firewall settings have been changed" or "App.exe has been allowed internet access" would prevent the invisible firewall changes. True, many people will just blindly click "OK" but at least the user is shown that a change was made.

  • Paul Bartlett said

    It's been said many times before, and Pavel hinted at it, but if "a malicious program" can run such code it's already won the battle. The real focus of writing secure code must surely be making sure that it can't run it in the first place. And yes I do know about "defence in depth", but with only limited resources available on any coding project I know where I'd want the effort to be expended...

  • xeno said

    add entry to regedit, or an existing server and ip like login.oscar.aol.com 5190 ;-) run dos there pages of IM data stcut
