Security Vulnerabilities Discovered in WinXP SP2
SoTuA writes "A few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicious code execution without user intervention. Finjan has turned over the findings, along with proof-of-concept, to Microsoft."
I did some searching and discovered this:
http://news.com.com/Finjan+Warning+users+or+scaring+up+business/2100-1002_3-5449269.html
And this quote by the Finjan CEO pretty much sums up what I thought this was:
"By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities."
It's just a ploy to scare up business for this security company. But let's not jump to conclusions; those 10 errors may exist, but the truth is that this security company may not have followed the industry guidelines.
That is the key question: did Finjan give MS these errors 30 days ago, as is traditionally done? If they did, then they have every right to publicize the problem, but if not, they are engaging in questionable business practices.
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page..."
So if you're silly enough to surf with full administrator access, you can let someone else take over your machine. No mention if the exploits work as limited users... probably because they don't.
No mention of flaws in background services, but even if there were, what effect would they have with the firewall turned on?
Sounds like a simple enough fix to me: Create a limited user account for yourself and do your work there.
Use Evolution instead of Outlook? Bewa
Microsoft, OTOH, is more like an economic black hole. Huge chunks of the revenue they collect just accumulate in their bank account. They don't seem to be able to figure out what to do with it, even though it's obvious that over the years they should have been investing more of it in improving the quality of their software.
The bundle comes with multiple alternatives to each of the packages listed. I have > 7 desktops to choose from, not just KDE. I have > 4 printer services to choose from, not just CUPS. I have > 3 SQL servers, not just MySQL.... They do not package it because they support it, per se, they package it because they believe in end-user education and freedom of choice.
Every time I have to reinstall Windows, I spend about a day going out to get the latest software from the internet to install...Newsreader, IRC, WebBrowser, Image viewer, etc. I don't have to do this with my Linux installs since it is already provided for me. With your logic, then Windows shouldn't come with an internet connection, since they don't support what you could potentially download and install. Distros provide this as a very helpful option package(s). One reason I started buying Linux instead of downloading it is because I loved the multiple CDs/DVDs that had everything I could possibly want on them (re: SuSE distro).
And if you want to talk about not having the resources to check things before they include it, then Windows should come without anything, just an empty box, because...
My Windows' uptime 36 hours
My shortest of 6 Linux' uptime = 8 months 2 weeks and 3 days (had to change UPS battery, heh).
Last Windows reformat due to system file corruption: 3 months; average 1 time per year.
Last Linux reformat due to system file corruption: NEVER; average 0 times in 7 years.
Last Windows breach: 3 months ago, between install and d/l of SP4 (yeah, I couldn't even download the service pack before getting hit, I had to get the redistributable package via my Linux box and burn it to CD!)
Last Linux breach: NEVER
One big problem with running under a limited user account is that a lot of common Windows programs will not run under a limited user account. One such program is QuickBooks. This is even true with W2K.
your Linux bashing, not you're (unless you meant "you are Linux bashing").
I work with the LogicWave as well, and did some research after I found the same problem after upgrading to SP2. Turns out the LogicWave relies on a bug in XP's slab allocator which was fixed in SP2. Although it has been standard MS practice to include code in workarounds for specific software in situations like this, I don't think the LogicWave merits it.