January 16, 2006 1:55 PM PST

Windows Wi-Fi vulnerability discovered

A Windows feature that automatically searches for Wi-Fi connections can be exploited by hackers, a security researcher has warned.

The feature is part of Windows XP and 2000 and was exposed as being vulnerable at hacker conference ShmooCon on Saturday by vulnerability researcher Mark Loveless.

Loveless claimed that hackers can take advantage of the feature to include a user's PC in a peer-to-peer network, giving them access to information on its hard drive.

When a PC running Windows XP or Windows 2000 boots up, it will automatically try to connect to a wireless network. If the computer can't set up a wireless connection, it will establish an ad hoc connection to a local address. This is assigned with an IP address and Windows associates this address with the SSID of the last wireless network it connected to.

The machine will then broadcast this SSID, looking to connect with other computers in the immediate area.

The danger arises if an attacker listens for computers that are broadcasting in this way, and creates a network connection of their own with that same SSID. This would allow the two machines to associate together, potentially giving the attacker access to files on the victim's PC.

Security experts contacted by ZDNet UK on Monday confirmed that the flaw exists, but said that it should not be a problem for those using firewalls.

Paul Wood, security analyst at MessageLabs indicated that users will probably be unaware that their computers have connected to the peer-to-peer network in such a way.

MessageLabs believes that users running Windows XP Service Pack 2 (SP2) are not at risk.

"This yet again is a wake-up call for those who haven't installed SP2. Any machines running a copy of XP without SP2 are saying 'Come and get me', as there are so many gaping threats," said Mark Sunner, chief technology officer at MessageLabs.

Get some protection
Experts recommended companies deploy a security policy, if one isn't already in place: "Any organization deploying a Wi-Fi network needs to implement a company security policy," said Sunner. "The potential victims are the road-warrior community. Does the in-house security department have a mechanism to check the visibility of remote machines?"

MessageLabs also recommended that individual telecommuters be given personal firewalls.

Individuals can also protect themselves by disabling Wi-Fi when not using it, said Greg Day, security analyst at McAfee.

MessageLabs advised the following:

"Users with Wi-Fi can disable the peer-to-peer facility by going to "Wireless Network Properties | Advanced | Network Access Point | Choose Infrastructure Networks Only," said Wood. "We recommend people only connect to infrastructure points, although some users may want to use peer-to-peer for head-to-head gaming and file sharing."

MessageLabs pointed out that system administrators can also mitigate the problem by blocking ports 135, 137, 138 and 139--which in Sunner's words "should be nailed shut already"--from accepting NetBIOS connections.

Day downplayed the potential of the attack: "Hackers are trying to class this as virus-like. You become part of the problem because your machine is now broadcasting on a peer-to-peer network. However, all this gives hackers is the ability to see other machines--they still have to write exploits. But if the user is patched or has a firewall, they are protected."

Sunner echoed those feelings: "I'm a purist, and for me the (virus) analogy is not rooted in reality. Could it be self-replicating? It's not really within the realms of possibility," said Sunner.

Criminal gangs were unlikely to target this flaw as it would be too labor-intensive to exploit, predicted MessageLabs, saying that it was "really a threat from script kiddies".

Microsoft did not immediately respond to a request for comment.

Tom Espiner of ZDNet UK reported from London.


Join the conversation!
Add your comment
Another day, another serious, Windows-only security issue.

Windows apologists, you may now insert your explanations of how
market share created this flaw too.
Posted by Macsaresafer (802 comments )
Reply Link Flag
this is not a flaw.
you have to explicitly authorize your computer to connect in an ad hoc mode. Also you're always warned before getting connected to an unprotected infracstructure access point. I don't know what this article is talking about.
Posted by Pascoli (74 comments )
Link Flag
Are you serious?
So it goes into a default connection mode. How is this a vulnerability? This is no different then the fact that out of 5 access points I can connect to from my house 3 are SSID:Linksys Default Channel:6
DHCP:Enabled and Router IP:

How is this any different from having an ethernet cable connected? Aren't ethernet ports set default to on by plugging in a cable, so isn't this a vulnerability?

The connection is Peer to Peer(not like they are pretending to be a server in a client/server environ.), so with no other exploit, this is nothing. Even with an exploit is isn't anything more dangerous than being connected by ethernet.
Posted by schubb (202 comments )
Link Flag
Like people that believe in evolution...
Windows users will soon be extinct...

It is survival of the fittest after-all, correct??!!
Posted by CentrOS (126 comments )
Reply Link Flag
Not really.
Evolution isn't that simple. There is natural selection, or survival of
the fittest. Then there's sexual selection, in which the prettiest of
the fittest get to reproduce.

In the case of computers, IT types prefer to create reverse sexual
selection. That's because the uglier the system, the more problems
it creates, the more secure their jobs are. Because of this, Windows
won't go away. At least not easily.
Posted by Macsaresafer (802 comments )
Link Flag
An article for every bug in Windows!
It seems to me that CNET and host of other publications devote an entire article for every bug people discover in Windows!

This is not vulnerability; it is just a plain old bug! Even if you exploit this vulnerability and establish an 'association', you cannot do any damage to the users PC.
Posted by pdude (65 comments )
Reply Link Flag
Propaganda, not news.
First of all, this isn't news, I've known about this 'vulnerability' for the past 2 years.

Second, this 'report' is BS. The author not only neglected to mention certain pre-set requirements, he also incorrectly stated how Windows handles infrastructure vs ad-hoc mode.
Windows does NOT automatically go into ad-hoc after failing to discover an access point. It will only do so if the user has set an ad-hoc connection in his system. 99% of all Windows users will never do this. The few that do, actually know what they're doing.

You would need to set MULTIPLE things in order for someone to actually access your computer. These are...
1- You would need to be using Windows XP SP1 or lower (or SP2 with wide-open file sharing).
2- The administrator account would need to be enabled without a password.
3- You would need to MANUALLY set ad-hoc mode. Most users will NEVER even know how to do this (even though it's not hard, most people don't understand what it does, so they'll never enable it).
4- Someone else would need to be in the room with this knowledge and the will to hack your computer.

Point is, you'd need to go WAY out of your way to set yourself up for a 'hacker' to reach your box through ad-hoc. But the linux people eat this garbage up daily, and they love it. Reason is they're as ignorant as the average Windows user.

It's so easy to avoid these 'vulnerabilities', even my 80 year old dad knows better. The non-windows users stray away from this OS because they don't know how to reach a porn site without overloading Internet Explorer with spyware and viruses.

I haven't had a virus, OR spyware in over 3 years! I don't need to use a crippled version of Windows (aka Linux) to avoid these problems.
Posted by Hazardsyd (1 comment )
Reply Link Flag
Angry much?
Proclaiming you haven't had a problem in 3 years doesn't obviate the fact that millions of windows users are having horrible problems every day.

Not even arrogant Microsoft has your (bad) attitude.

Linux users are still part of the customer base and Microsoft would be "ecstatic" to have highly educated nerds who work for free fixing their problems.

Smug people such as yourself trash Linux/Macintosh without logical provocation. I tend to believe it's small man's syndrome but no one outside of your psychologist knows for certain.

So cheer up, your downer attitude is raining on my sunshine.
Posted by UntoldDreams (91 comments )
Link Flag
Nothing to see . . . Move along . . .
Does anyone ever do their research?

If you configure your wireless networking wrong, you might have a problem.

In Linux, and about every other OS you _can_ configure it wrong as well. And, you can have some of the same issues. But, because MS Windows users are oblivious to what their computer is doing, they might be offended if they were actually allowed to shoot themselves in the foot.

Microsoft encourages ignorance. In their ignorance, users can make themselves vulnerable. Nothing new here. Nothing to see . . . Move along . . .
Posted by 48911984 (10 comments )
Reply Link Flag
Another day, another M$ vulnerability...
...they never end.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
no, this is known functionality
That is how ad-hoc networking and peer to peer file sharing work when you enable them together. Windows warns you repeatedly about what you are doing if you do so. It's like they are reporting a security flaw where people's keypads type numbers when the numlock is on.
Posted by Bob Brinkman (556 comments )
Link Flag
How can this be called a vulnerability...
...when the article [i]itself[/i] states that if you've updated XP to SP2, your Windows computer ISN'T vulnerable? Was it a vulnerability in Win XP prior to SP2? Yes. Is this a vulnerability now? Apparently not. It may remain a vulnerability to those who have yet to update Win XP since 2004, but to those who've been responsibly maintaining their computers, this is a non-issue. Thus to bad-mouth Microsoft about a problem they took care of years ago, which this article does tacitly and folks in this talkback have done explicity, is disingenuous at best.
Posted by DarkHawke (999 comments )
Link Flag
Hyped up
This artical seems to apply to only those Windows XP and 2000
computers without SP2. If you have not downloaded this (or let
Windows automatically update itself) than you are either naive or
arrogant -- probably the latter because automatic update should
have been telling you for the past year or so that there are updates
available. I would have to consider myself a Mac fan (I even made
the switch) but even I have to agree that this artical is picking on
Posted by vpign001 (2 comments )
Reply Link Flag
Why does Windows think for you?
"When a PC running Windows XP or Windows 2000 boots up, it will automatically try to connect to a wireless network." -- Um, WHY? This is the major problem with Windows: doing things FOR you instead of waiting for YOU to initiate them.
Posted by Anonymous1234567890 (53 comments )
Reply Link Flag
See Scott's, Pascoli's and my coments
end of message
Posted by Bob Brinkman (556 comments )
Link Flag
The average user ...
wants things done for them. The type of individual who would read or post messages on this board probably knows how to do it themselves, but the average user does not. Windows is an operating system targeted at the masses. If it waited for users to initiate things, they often would never happen. Not only do they not know how to do these things manually, they don't want to know how to do them manually. They want a system that is smart and lets them get right to the things they care about, like checking their email. You say this is a major problem with Windows. I say its a major reason that Windows has 90+ percent market share.
Posted by someguy389 (102 comments )
Link Flag
Slow News day, eh?
There's certain headlines that are essentially generic filler. They could be inserted any one day.

When they show up, you know that the editors had nothing real to report.

"Trouble brewing in the middle east". "Congress split over tax issue". "Windows security flaw discovered". "Kennedy dies tragically".

Yawn. All this really just means "Nothing worth reporting happened today".
Posted by MarylinMonroe (7 comments )
Reply Link Flag
stop trying to explain this
The linux/mac users wont care that this is not a flaw. They look at a pro MS message as a troll or an idiot who doesn't know what he/she is talking about and completely disregard any pertinent info.

Such as the fact that a user has to manually set himself up for this flaw to be pertinent to his/her system.

Besides, 99% of the time, if you are a broadband user, and windows cant find your server, you get the auto config ip of 169 and go nowhere, except maybe to a few cache pages.
Posted by techguy83 (295 comments )
Reply Link Flag
Not a real flaw...
I second the "slow news day" notion.
Posted by mgreere (332 comments )
Reply Link Flag
Not a real threat?
This issue is obviously not a problem for sophisticated users and as usual, we hear the familiar refrain: "anyone with half a brain knows how to ..." from the computer literati; but therein lies the problem. Take a drive around any neighborhood or business park with a wireless laptop and you will see numerous access points set to the default settings and many without even basic WEP turned on. This means that many laptops are, in all likelihood, set up to automatically connect to those networks (either accidentally or on purpose). It is these laptops that present the problem, not just for their users, but more so for the employers of these users. Just sit outside any office building with a WiFi router or access point with its SSID set to Linksys, and see how many laptops connect to it. This is a very easy way for hackers to gain access to those laptops and also potentially to the office wired network that they may be simultaneously connected to. If anyone is in any doubt, check out this link (shameless self promotion!): <a class="jive-link-external" href="http://cf.nbc5i.com/dfw/sh/videoplayer/video.cfm?id=4459208&#38;owner=dfw" target="_newWindow">http://cf.nbc5i.com/dfw/sh/videoplayer/video.cfm?id=4459208&#38;owner=dfw</a>
Some say XP SP2 and Windows firewall solves the problem; apparently Microsoft disagrees. But even if Microsoft is mistaken, hands up all who are prepared to bet the security of their entire corporate network on Windows Firewall, assuming of course that it is turned on. Even if Windows firewall has been turned on and locked by the employees' network administrators, users can easily turn it off (so they can play their favourite MPORG) by downloading software readily available on the Internet for this specific purpose. This is a real problem, not just for users who do not know enough to secure their laptops properly, but more importantly for their employers. For this and other reasons, it is essential that organizations define wireless connectivity policies and have the means to enforce compliance with those policies on all laptops used for and at work. Before anyone points out that my company "conveniently" offers a solution to this problem, I would like to offer that this is the case for every vendor of any security solution, and that this in no way diminishes the extent or veracity of the threat.
Posted by nicholasmiller (3 comments )
Reply Link Flag
go wi-fi!
<a class="jive-link-external" href="http://www.analogstereo.com/chevrolet_tracker_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/chevrolet_tracker_owners_manual.htm</a>
Posted by 208774626618253979477959487856 (176 comments )
Reply Link Flag
XP sp2 not affected!
SP2 has been out for years. You can't buy XP sp1 CDs anymore. This is like reporting that an old MAC OS is vulnerable for something. Stop wasting eveyones time and report on such a non issue.
Posted by RTFM (148 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.