[isalist] BITS - is it malware-friendly?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 12 May 2007 10:01:58 -0700

http://www.ISAserver.org
-------------------------------------------------------
  
(retitled)

Bad Tom - you kicked off a "Jim Tech-talk" - now what will I do at Tech
Ed? :-p

This individual seems to believe that "because it's BITS, it has special
permissions through firewalls".
This is nothing more than yet another case of "too ill-informed to speak
about the technology or 'issue', so I'll publicize that fact".  Sound
like anyone we know?

The point he makes regarding BITS having free access through a firewall
(or having the ability to "poke through") is based on the assumption that
the "firewall" in question:
1. is configured to apply policies based on the process making the
request.  What's interesting in this statement is that "BITS" is never
the process name; it's "svchost".  How many of you allow "svchost"
requests to exit your firewall?  If you raised your hand, use it to slap
yourself (or each other).  Continue doing that until my grandson reaches
the age of majority (he's three weeks old this past Wed).  If you said
"I dunno - how do I tell?", then that's a different (and more
responsible) answer which we'll deal with in the second installment of
this diatribe.
2. is UPnP-enabled.  ISA ain't.  PIX, Juniper, Checkpoint ain't.
Starting to see the trend?  "Real" firewalls eschew "firewall UPnP" like
the malware it is.  Before you go down the road of "you said
<PickYourIsaCompetitor>!", remember: these are what ISA was built to
compete against and the fact is, they still outnumber ISA in the
firewall marketplace and go a long way in setting customer expectations
for firewalls.  Reality hurts; deal with it and move on.
3. allows requests to anywhere based on the HTTP User-Agent data that
identifies itself as a BITS request.  ISA doesn't provide such a
mechanism (although I'm sure many proxies do), and so offers you better
protection against this technique.  You can see this in your ISA logs if
you filter for "Client-Agent contains bits" in the web proxy log.

To the remaining issue of "vulnerable component in Windows"...
-- What exactly is "BITS"?  Contrary to the author's assertion that this
is specific to the AU/WU/MU process (although it is certainly used by
them as well as WSUS), the acronym refers to "Background Intelligent
Transfer Service" and has been a client/server HTTP component since
Windows 2003 shipped (XP included the client side in preparation for
WS03).  If you look in your services, you'll find it there; set to
"Automatic" and may or may not be running (it only runs when
downloading).  If you examine your WS03 Add/Remove Windows Components,
Application Server, IIS "Details", you'll find it as an add-on (not
installed by default).

-- How does BITS operate?  As of WS00, there are two HTTP libraries
provided by Windows; WinInet (IE, XMLHTTP use this) and WinHTTP (BITS,
ServerXMLHTTP, RPC/HTTP use this).  What BITS provides that you don't
get easily with direct access to WinInet or WinHTTP is the ability to
handle data in smaller pieces over time to limit immediate bandwidth
consumption.  This is accomplished through an HTTP/1.1 feature called
"range requests".  If you're having trouble sleeping, it's described in
RFC 2616
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35).

Basically, range requests are used by the client to request the resource
in pieces (not "chunks"; this is a different HTTP/1.1 mechanism)
described in byte-ranges.  If the server (and intermediate proxies)
supports range requests, the content is served as requested.  ISA 2004
SP2+ and 2006 include limited support for range requests.

So instead of tying up your bandwidth by downloading the data *right
now*, components using BITS can do it over an extended time using range
requests and reassemble the data as it's received.  Again, this is also
possible via WinInet and WinHTTP, but the range request / receipt /
reassembly process is managed for you in BITS.  This is exactly how WSUS
and Automatic Updates download 300MB service packs without tying up your
ISP bandwidth - by requesting and reassembling small pieces of it over
time.

Three very important points that place this article firmly into the FUD
category are:
1. You *must* have malware on your box that calls into BITS.  If you
have this malware, you probably have much worse, and thus BITS abuse is
the least of your worries.
2. While BITS *is* the component being abused for the purpose of making
these requests, WinInet and WinHTTP are just as "vulnerable" <gag>.  The
process may be more difficult, but no less "secure".
3. Your firewall / proxy has to allow the request made by the
BITS-abusing malware.  If you operate with an "allow-all" policy, then
what can I say?

HTH,

JimmyJoeBobAlooba
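The range-request / receipt / reassembly mechanism described in the message above, as an added example that is not part of the original post or of BITS itself: a parser for the RFC 2616 sec. 14.35 Range header, a toy server that answers 206 or 416, and a client that pulls a resource in fixed-size pieces and reassembles it. RESOURCE is a constructed stand-in for the downloaded file.

```python
# Constructed stand-in for a downloadable resource (1024 bytes); not from the original post.
RESOURCE = bytes(range(256)) * 4


def parse_range(header, size):
    """Parse an RFC 2616 sec. 14.35 Range header ("bytes=0-499", "bytes=500-", "bytes=-500",
    comma-separated sets) into inclusive (first, last) pairs; None if malformed/unsatisfiable."""
    h = header.strip()
    if not h.startswith("bytes="):
        return None
    ranges = []
    for spec in h[6:].split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep:
            return None
        if first == "":  # suffix-byte-range-spec: the final N bytes of the resource
            if not last.isdigit() or int(last) == 0:
                return None
            ranges.append((max(size - int(last), 0), size - 1))
            continue
        if not first.isdigit() or int(first) >= size:
            return None  # first-byte-pos beyond the end is unsatisfiable (HTTP 416)
        start = int(first)
        if last == "":
            end = size - 1
        elif last.isdigit() and int(last) >= start:
            end = min(int(last), size - 1)  # RFC: clamp last-byte-pos to the resource length
        else:
            return None
        ranges.append((start, end))
    return ranges


def serve_range(resource, header):
    """Server side: answer a single-range request with (206, bytes) or (416, b'')."""
    ranges = parse_range(header, len(resource))
    if ranges is None or len(ranges) != 1:
        return 416, b""
    first, last = ranges[0]
    return 206, resource[first:last + 1]


def piecewise_download(resource, piece):
    """Client side, BITS-style: pull fixed-size byte ranges over time and reassemble them."""
    pieces, offset = [], 0
    while offset < len(resource):
        status, body = serve_range(resource, f"bytes={offset}-{offset + piece - 1}")
        if status != 206 or not body:
            raise RuntimeError(f"range request failed at offset {offset}")
        pieces.append(body)
        offset += len(body)
    return b"".join(pieces)
```

Every piece is an ordinary HTTP request, which is why a proxy that does not support range requests (or a policy that blocks the destination) stops the transfer regardless of which library issued it.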

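The "Client-Agent contains bits" log filter from point 3 above, turned into a small triage script; this is an added example, not part of the original post and not ISA's own tooling. The log layout and the lines in SAMPLE_LOG are constructed, and EXPECTED_BITS_HOSTS is an assumed allow-list of hosts (your WSUS server, Microsoft Update) that a BITS client legitimately talks to.

```python
from dataclasses import dataclass

# Constructed, simplified tab-separated proxy-log layout (NOT ISA's real W3C schema):
# client_ip  client_agent  dest_host  uri  status  bytes_sent
SAMPLE_LOG = """\
10.1.1.20\tMicrosoft BITS/6.7\twsus.example.internal\t/Content/AB/x.cab\t206\t65536
10.1.1.21\tMozilla/4.0 (compatible; MSIE 7.0)\twww.example.com\t/index.html\t200\t1200
10.1.1.22\tMicrosoft BITS/7.0\tcdn.example.net\t/update/part.bin\t206\t32768
10.1.1.23\tMicrosoft-CryptoAPI/6.1\tcrl.example.org\t/ca.crl\t200\t900
10.1.1.22\tMICROSOFT BITS/7.0\tcdn.example.net\t/update/part.bin\t206\t32768
10.1.1.22\tMicrosoft BITS/7.0\tcdn.example.net\t/update/part.bin\t200\t4096
"""

# Assumed allow-list: hosts a BITS client is expected to reach (your WSUS server, Microsoft Update).
EXPECTED_BITS_HOSTS = {"wsus.example.internal", "download.windowsupdate.com"}


@dataclass
class Finding:
    client_ip: str
    dest_host: str
    uri: str
    requests: int   # matching log lines for this (client, host, uri)
    partial: int    # how many of them were 206 Partial Content, i.e. served range requests


def find_unexpected_bits(log_text, allowed=EXPECTED_BITS_HOSTS):
    """The post's 'Client-Agent contains bits' filter, minus expected update hosts,
    aggregated per (client, host, uri) so one piecewise download shows as one finding."""
    agg = {}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip header/malformed lines
        client_ip, agent, host, uri, status, _sent = fields
        if "bits" not in agent.lower():   # case-insensitive, like the ISA log filter
            continue
        if host.lower() in allowed:
            continue
        key = (client_ip, host.lower(), uri)
        reqs, part = agg.get(key, (0, 0))
        agg[key] = (reqs + 1, part + (status == "206"))
    return [Finding(c, h, u, r, p) for (c, h, u), (r, p) in sorted(agg.items())]
```

Because the agent string is whatever the client sends, this only surfaces callers that keep BITS's default identification; it is a triage aid on top of the destination policy the post describes, not a replacement for it.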

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Saturday, May 12, 2007 7:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Computerworld writer gets high at work

What exactly is the feature that allows it to "get past" firewalls?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Saturday, May 12, 2007 9:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Computerworld writer gets high at work
> 
> 
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019118
> 
> it's actually pretty encouraging when the pickin's are this slim...
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/  
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com 
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> 
> 

