By Tom Espiner
Special to CNET News.com
January 16, 2006
A Windows feature that automatically searches for Wi-Fi connections
can be exploited by hackers, a security researcher has warned.
The feature is part of Windows XP and 2000 and was exposed as being
vulnerable at hacker conference ShmooCon on Saturday by vulnerability
researcher Mark Loveless.
Loveless claimed that hackers can take advantage of the feature to
include a user's PC in a peer-to-peer network, giving them access to
information on its hard drive.
When a PC running Windows XP or Windows 2000 boots up, it will
automatically try to connect to a wireless network. If the computer
can't set up a wireless connection, it will establish an ad hoc
connection to a local address. This is assigned with an IP address and
Windows associates this address with the SSID of the last wireless
network it connected to.
The machine will then broadcast this SSID, looking to connect with
other computers in the immediate area.
The danger arises if an attacker listens for computers that are
broadcasting in this way, and creates a network connection of their
own with that same SSID. This would allow the two machines to
associate together, potentially giving the attacker access to files on
the victim's PC.
Security experts contacted by ZDNet UK on Monday confirmed that the
flaw exists, but said that it should not be a problem for those using
Paul Wood, security analyst at MessageLabs indicated that users will
probably be unaware that their computers have connected to the
peer-to-peer network in such a way.
MessageLabs believes that users running Windows XP Service Pack 2
(SP2) are not at risk.
"This yet again is a wake-up call for those who haven't installed SP2.
Any machines running a copy of XP without SP2 are saying 'Come and get
me', as there are so many gaping threats," said Mark Sunner, chief
technology officer at MessageLabs.
Get some protection
Experts recommended companies deploy a security policy, if one isn't
already in place: "Any organization deploying a Wi-Fi network needs to
implement a company security policy," said Sunner. "The potential
victims are the road-warrior community. Does the in-house security
department have a mechanism to check the visibility of remote
MessageLabs also recommended that individual telecommuters be given
Individuals can also protect themselves by disabling Wi-Fi when not
using it, said Greg Day, security analyst at McAfee.
MessageLabs advised the following:
"Users with Wi-Fi can disable the peer-to-peer facility by going to
"Wireless Network Properties | Advanced | Network Access Point |
Choose Infrastructure Networks Only," said Wood. "We recommend people
only connect to infrastructure points, although some users may want to
use peer-to-peer for head-to-head gaming and file sharing."
MessageLabs pointed out that system administrators can also mitigate
the problem by blocking ports 135, 137, 138 and 139--which in Sunner's
words "should be nailed shut already"--from accepting NetBIOS
Day downplayed the potential of the attack: "Hackers are trying to
class this as virus-like. You become part of the problem because your
machine is now broadcasting on a peer-to-peer network. However, all
this gives hackers is the ability to see other machines--they still
have to write exploits. But if the user is patched or has a firewall,
they are protected."
Sunner echoed those feelings: "I'm a purist, and for me the (virus)
analogy is not rooted in reality. Could it be self-replicating? It's
not really within the realms of possibility," said Sunner.
Criminal gangs were unlikely to target this flaw as it would be too
labor-intensive to exploit, predicted MessageLabs, saying that it was
"really a threat from script kiddies".
Microsoft did not immediately respond to a request for comment.
InfoSec News v2.0 - Coming Soon!