Security Vendor Reports XP SP2 Holes; Microsoft Disputes Claims

Windows XP Service Pack 2 (SP2) has 10 unpatched vulnerabilities, a U.S. security firm says. Microsoft, however, ardently disputed the claims, calling them "potentially misleading and possibly erroneous."
Windows XP Service Pack 2 (SP2) has 10 unpatched vulnerabilities, a security firm said Thursday. Microsoft, however, ardently disputed the claims and said that they were "potentially misleading and possibly erroneous."

Finjan Software said its Malicious Code Research Center had spent the last several months analyzing Windows XP SP2, the massive refresh that Microsoft touted as its most secure desktop operating system ever, and found 10 bugs that could be used by hackers to hijack systems when users simply view malicious Web pages.

The San Jose, Calif.-based company said it has provided Microsoft with technical details on the vulnerabilities and with proof-of-concept code that demonstrates how the bugs could be turned into full-fledged security attacks.

"We'll not disclose details of any of these vulnerabilities until patches are ready," said Gil Aditi, Finjan's chief security officer, "so that attackers can't create worms or viruses with this information."

Although Microsoft has said several times that SP2 is its most secure OS, Finjan's spotting of 10 vulnerabilities didn't come as a surprise to Aditi. "Any operating system has its holes, and SP2 is no exception. It's not bulletproof."

When used singly or in combination, the vulnerabilities would let a dedicated hacker surreptitiously gain control of a PC when the user browses a malicious Web site, Aditi said.

Such tactics aren't new. The Scob outbreak of June and the JPEG vulnerability of September both relied only on users viewing sites, not opening e-mail attachments or downloading files.

"Put together, these vulnerabilities could be used by an exploit that would download malicious mobile code, such as JavaScript or ActiveX," said Aditi. "That code would be automatically executed, and other malicious software then loaded to compromise SP2's security features.

"Just by browsing a site, one could be infected," he added.

Several of SP2's touted security features can easily be circumvented, Aditi said, thanks to the vulnerabilities.

SP2, for instance, is designed to protect users from potentially dangerous content downloaded from the Web. It blocks unauthorized operations performed by Web sites, makes the user confirm that he wants to save a downloaded file, and requires verification before it will run a downloaded file. According to Finjan, these tools are meant to protect users against silent "drive-by" installation of malicious software.

"All three can be bypassed by exploits," said Aditi.

A Microsoft spokesperson rebutted Finjan's claims in an e-mail to TechWeb.

"Microsoft is actively investigating these issues through our security response process and is determining the validity and accuracy of the reported issues," the spokesperson said.

"Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities," continued the spokesperson.

"Once Microsoft concludes investigating Finjan's claims and if Microsoft finds any valid vulnerability in Windows XP SP2, Microsoft will take immediate and appropriate action to help protect customers," the spokesperson added. Microsoft is unaware of any current attacks exploiting the vulnerabilities spotted by Finjan, said the company.

Microsoft took Finjan to task for publicizing the vulnerabilities, even if Finjan didn't lay out specifics. "We encourage Finjan to abide by the principles of responsible disclosure and to decline to provide further comment or details on the alleged vulnerabilities until Microsoft is able to complete its investigation and can respond," the Redmond, Wash.-based developer said.

Finjan's Aditi countered. "Microsoft has been aware of some of these flaws for months, some for weeks," he said. "SP2 is a big step forward in security," concluded Aditi, "but I'm sure there will be many more vulnerabilities in the future. Even with the changes in the kernel, it's not perfect."
