Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Vulnerabilities Discovered in WinXP SP2

Posted by CowboyNeal on from the holes-in-the-dike dept.

SoTuA writes "Few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicous code execution without user intervention. Finjian has turned over the findings, along with proof-of-concept, to Microsoft."

26 of 343 comments (clear)

  1. Well, users can... by Anonymous Coward · · Score: 5, Funny

    Just upgrade to Windows XP SP2.

    Oh... wait...

  2. Then Billy Gates.... by Anonymous Coward · · Score: 5, Funny

    waves his hand mysteriously and says "These are not the exploits you are looking for."

  3. Love the article by the_Bionic_lemming · · Score: 5, Funny

    "Browsing a web page" can cause you to lose the machine to a malicious hacker.

    What - they just discovered Gator?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  4. Who'd have thought it by TykeClone · · Score: 5, Funny

    Security vulnerabilities in a 250MB update? Never would have guessed!

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  5. Hmm... by northcat · · Score: 5, Funny

    "Security vulnerability discovered in Windows" has become as common as "Britney Spears gets married".

    1. Re:Hmm... by The-Bus · · Score: 5, Funny

      I know. I'm getting tired of hearing about the same insecure, overrated, virus-filled, money-hungry useless piece of crap without any redeeming qualities.

      I'm sure I'll get tired of hearing about Microsoft too.

      --

      Small potatoes make the steak look bigger.

    2. Re:Hmm... by mormop · · Score: 2, Funny

      Yeah but Britney can still bring a marriage to an end in less time than it Microsoft to fix the vulnerability

      --
      Hmmmmmm..... Deep fried and look like Squirrel.
  6. ...and Clippy sez... by mangu · · Score: 5, Funny

    "I see you are looking for an exploit..."

    1. Re:...and Clippy sez... by Neil+Blender · · Score: 5, Funny

      ?"I see you are looking for an exploit..."

      And Open Office sez: Hey, hey, I'm a lightbulb!! Lower right hand corner? HELLO? LIGHTBULB HERE! That means I have an idea to make your life better...HEY LOOK AT ME! HAHA preferences - they mean nothing. Just try and turn me off! YOU CAN'T! Oh, let me capitalize that first letter for you in your spreadsheet. WHAT? You don't like that? Preferences you say? Perhaps you didn't hear me the first time.

    2. Re:...and Clippy sez... by Anonymous Coward · · Score: 3, Funny

      "I felt a great disturbance in the net, as if millions of PCs suddenly exploited in terror and were turned into spam spewing bots."

  7. Re:So surprising.... by RealProgrammer · · Score: 5, Funny
    • At what point does a story become so routine that it no longer counts as news?

    When it doesn't get any comments.

    --
    sigs, as if you care.
  8. What? by Lisandro · · Score: 5, Funny

    It's that time of the month already?

  9. Let me be the first... by tod_miller · · Score: 2, Funny

    ...to express my suprise and dismay at this unprecedented event.

    *re-reads story*

    Oh, *this* counts as news? :-)

    I say companies can make a good name for themselves dealing with M$ and patches, and then use his name to consult security to companies.

    but M$ will start thier own company, find thier own holes, and consult security out...

    erm... shiiiiiit you know they will do this, or already have!!!

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  10. Exploit code sample by Ingolfke · · Score: 5, Funny
    This is another example of Microsoft offering too much in the WinAPI without doing adequate security checking. The exploit utilizes a function in VBScript, unique to IE, intended for system administration scripts. A sample is provided below.
    'Sample will provide a handle back to the local box. The object provides several methods for manipulating the box.
    <script language="vbscript">
    objMyBox = TakeOverXPBoxen(me)
    objMyBox.RunArbitraryCode("...")
    </script>
    What is really concerning is that the 'TakeOverXPBoxen' function accepts hostname or IP address strings.

    I hate to rant, but this type of poor security checking is pathetic. Surely they should have known that all they would have needed to do was check the evil bit on the remote transfers to see if the data was safe or not. Someone in the OS community would have done this.

    You do have to hand it to Microsoft though, the code is very easy to implement and quite elegant if you ask me.
  11. Re:So surprising.... by DocSnyder · · Score: 2, Funny

    "No security holes found in Windows XP SP2 for three months" would surely count as news.

  12. Well frankly I am shocked by GojiraDeMonstah · · Score: 1, Funny

    This is almost as surprising as the revelation that, in fact, combat operations do NOT seem to be over in Iraq. What gives???

    --
    "Stop throwing the Constitution in my face, it's just a goddamned piece of paper!" - George W. Bush Nov. 2005
  13. Good work by TheRealFixer · · Score: 4, Funny

    I have to hand it to Microsoft. I remember all those virus hoaxes I used to get in my email. "Don't even open this email or you'll get a virus!" Don't look at this image, or your machine will get hacked!" "Don't visit this web page, or your drive will get formatted!" And I used to think, "Gee, why *can't* I hose my machine by doing those things? That sounds like it would be so cool to see!"

    Well, thanks to Microsoft and their brilliant innovation, tireless effort, and boundless resources, they finally made all those mid-to-late-90s virus hoaxes a reality. I raise my glass to them.

  14. Re:Not supprising by irc.goatse.cx+troll · · Score: 3, Funny

    Yeah. Microsoft doesn't ship code it doesnt trust.

    --
    Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  15. It's all clear now by HangingChad · · Score: 4, Funny
    1. Sell buggy insecure software
    2. Sell still more software to make the original software marginally safe
    3. Profit!!!!
    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  16. Re:So surprising.... by mr_snarf · · Score: 2, Funny
    At what point does a story become so routine that it no longer counts as news?
    When it gets put on the slashdot front page.
    --
    printf("Goodbye cruel world!\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
  17. Please don't post these stories on the weekend by Edmund+Blackadder · · Score: 5, Funny

    Dear slashdot.

    Why must you post these stories on the weekend? You have just ruined the saturday of the whole MS marketing department. Now everyone of them has to cancel their plans, log on slashdot and start making posts about how "no OS is secure" and "it is all the users' fault" and "these guys are just trying to scare up some business". And the ever favourite "if Linux was that popular it would have just as many security flaws".

    Well that is their job and they do it well, but why must you force them to do it on the weekend? Why can't they be with their families. Even marketoids have lives (I hear).

  18. Disable the light bulb. by gr3y · · Score: 2, Funny

    "Tools">""Options">"OpenOffice.org">"General">"H elp Agent">"Activate" (uncheck the little box)

    Simple, really.

    --
    Slashdot is my Mercer Box.
  19. Re:So surprising.... by Catiline · · Score: 3, Funny
    At what point does a story become so routine that it no longer counts as news?
    When it gets put on the slashdot front page.
    Only once.
    --
    Do you like Japanese imports?
  20. Re:OpenOffice.org: enhanced annoyances on par with by Taladar · · Score: 2, Funny
    What's the problem with Star/OpenOffice taking so long to load, anyhow? Is it Java, or is it just badly written software?
    It's a good (as in "few differences") copy of a badly designed program with a bloated feature list badly written in a badly designed, memory-hog of a language.
    --
    Linux is not Windows
  21. Re:OpenOffice.org: enhanced annoyances on par with by Anonymous Coward · · Score: 1, Funny

    Is it Java, or is it just badly written software?

    What's the difference?

    *ducks*

  22. IE makes it easy by rsilvergun · · Score: 2, Funny

    to install all those things. Just install Windows, surf around like you normally would, and by the end of the week you'll have IRC, web, proxy and all sorts of servers running, with little or no user intervention. With other solutions, it can take weeks to set all that up!

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/