Windows Firewall found defective
December 20, 2004
People who use shared network resources under Windows XP may be surprised to discover that they have shared them with everyone on the Net.
Microsoft has released an update to Windows XP to fix a potentially serious configuration problem in the firewall that ships as part of Windows XP Service Pack 2 (SP2).
Users who installed SP2 on their Windows XP machines and also have file and printer sharing enabled run the risk of sharing their files and printers with the entire Internet, according to Microsoft.
By default, file and printer sharing makes changes to the SP2 firewall to give computers on the local network access to shared resources. However, the definition of that local network is being mistakenly expanded to include the whole Internet, resulting in a situation where any Internet user can gain access to shared resources stored locally on millions of home users' PCs.
The configuration problem only affects dial-up users: some dialing software mistakes the entire Internet for part of a local network, and if the user clicks the option to allow connections from within the local (subnet) network, the firewall will allow connections from any IP address out on the Web to shared resources on the machine, Microsoft indicated in a Knowledge Base article (KB886185) on its Web site.
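The following is an added example, not code from the article or from Microsoft: a Python check that computes what a "local subnet only" firewall scope actually covers for each adapter and flags any adapter whose scope is far wider than a LAN. The adapter list is constructed sample data, and modelling the dial-up misconfiguration as an all-zero netmask is an assumption, since the article does not state the exact mechanism.

```python
import ipaddress

# Constructed sample adapters (not from the article). The dial-up entry
# models the misconfiguration as an all-zero netmask, which is an assumption.
ADAPTERS = [
    {"name": "LAN", "address": "192.168.1.10", "netmask": "255.255.255.0"},
    {"name": "Dial-up", "address": "203.0.113.7", "netmask": "0.0.0.0"},
]


def local_subnet(adapter):
    """Network that a 'local subnet only' scope covers for this adapter."""
    return ipaddress.ip_network(
        f"{adapter['address']}/{adapter['netmask']}", strict=False
    )


def allowed_by_subnet_scope(remote, adapters):
    """Names of adapters whose local-subnet scope would admit `remote`."""
    ip = ipaddress.ip_address(remote)
    return [a["name"] for a in adapters if ip in local_subnet(a)]


def audit(adapters, min_prefix=16):
    """Flag adapters whose 'local subnet' is wider than /min_prefix.

    min_prefix is a hypothetical policy threshold: anything broader than
    a /16 is treated as reaching beyond a home or office LAN.
    """
    findings = []
    for a in adapters:
        net = local_subnet(a)
        if net.prefixlen < min_prefix:
            findings.append((a["name"], str(net)))
    return findings


if __name__ == "__main__":
    for name, net in audit(ADAPTERS):
        print(f"WARNING: {name}: local-subnet scope covers {net}")
    # An arbitrary (documentation-range) Internet address against the scope.
    print(allowed_by_subnet_scope("198.51.100.23", ADAPTERS))
```

With the sample data, the LAN adapter's scope stays at 192.168.1.0/24 while the dial-up adapter's scope resolves to 0.0.0.0/0, so a file-sharing exception limited to the "local subnet" would accept any source address on that connection.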
"In the default configuration of Windows XP SP2, that firewall setting was probably a bit wider than it should have been," said Gary Schare, director of product management for Windows. "This update narrows the scope of what defines the local network."
Microsoft first discussed the firewall issue in an article on its website in September. A "critical" update for Windows XP SP2 was released on Tuesday. However, although issued on the same day, the update was not part of Microsoft's monthly security update because, according to Schare, security updates are only for software vulnerabilities.
"The changes we made in Service Pack 2 were better than before, but they could be narrowed even further," he said. "We told people that we would issue a software update and now we have."
Still, even with the update, a local network could extend beyond what users may consider a local network, Schare said. To cordon off a network and prevent unwanted access, users should place an additional firewall in front of the network, he said.
That firewall might be a third-party software product or a hardware-enabled firewall.
"We didn't do as good a job as we intended getting this out," Gary remarked. "This fell between the teeth. The security team said it wasn't a vulnerability, so we don't handle it, and the product people said they are not used to meeting the monthly update schedule."
"While Windows Firewall doesn't provide absolute protection against malicious hackers, it provides strong protection in most scenarios and was included in SP2 to provide a level of protection well beyond the common pre-SP2 configuration for most users - no personal firewall at all," said the company in a statement.
People who rely on Windows Firewall as their only means of protecting their Windows-run systems are strongly advised to apply the critical patch. Those who have the autoupdate feature turned on will be protected automatically when the patch is downloaded. For those who prefer to manually update their Windows XP system, the solution is available here.