Windows XP Service Pack 2 Security Problems

Michael Schwarz on Wednesday, August 18, 2004

I read on the heise c't magazine security list some security issues with the Service Pack 2 for Windows XP. The article talks about the zone identifier in the NTFS file. If you download a file from the internet the file will be marked with a ZoneIdentifier in a NTFS stream. This stream will be used to decide to show a warning dialog. The warning dialog will allow you to decide wether you want to start this file or not.

Now, if you start the file indirectly with the Windows command shell you will not be asked:

cmd /c evil.exe

The second problem will occur because of the internal file cache. If you copy a safety file (f.e. notepad.exe) to a new destionation, start this "new" notepad, copy a new file to the same location,... then the warning dialog will not appear:

copy c:\windows\notepad.exe c:\test.exe call c:\test.exe copy evil.exe c:\test.exe call c:\test.exe

If you restart your explorer.exe (kill process in task manager) then the correct ZoneIdentifier will be used and you will see the warning dialog.

To check a ZoneIdentifier from a NTFS file you can use notepad evil.exe:Zone.Identifier.

For more details: http://www.heise.de/security/artikel/50046/1 [1]