Slashdot Mirror


Security Vulnerabilities Discovered in WinXP SP2

SoTuA writes "A few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicious code execution without user intervention. Finjan has turned over the findings, along with proof-of-concept, to Microsoft."

29 of 343 comments

  1. Not surprising by lightdarkness · · Score: 2, Insightful

    It was only a matter of time until a major vulnerability was found in SP2. I'm sure there will be others, but at least they are being found before they are taken advantage of.

    1. Re:Not surprising by BeerAndLoathing · · Score: 5, Insightful

      Security holes being found isn't usually the issue with Microsoft though, it's how long it takes for fixes to arrive.

    2. Re:Not surprising by Anonymous Coward · · Score: 5, Insightful

      XP does not come with an SQL server. XP does not come with a PDF viewer. XP does not come with an IRC client. XP does not come with a proxy server. Seeing a pattern here?

    3. Re:Not surprising by NemoX · · Score: 5, Insightful

      Windows is an O/S. You just listed 14 vulnerabilities for Applications that just happen to be packaged with RH O/S. Only ONE of the above HAS to be installed to run RH. Whereas, Windows and its packaged applications, you have no choice but to suck it up when one of its applications has a flaw, as you cannot uninstall them if something is a serious security threat. I am not saying that any Linux distro, or any O/S for that matter, doesn't have security issues, because they all do, but get better educated before spewing forth your Linux bashing.

      "Please step away from the gun, you are not authorized to use it."

    4. Re:Not surprising by jav1231 · · Score: 4, Insightful

      This is an important point. M$ bundles and intertwines so much into the OS that you really are a slave to the system. You can't compare a vulnerability in say Apache or Samba or WuFTP to a vulnerability in SP2 for XP or even IE. I can't help but install IE in XP. I CAN, however, choose not to run Apache, Samba, Mozilla, or just about anything in Linux. These apps are not bundled the same way similar apps are in Windows. I wonder how many "studies" are skewed because they ignore this point?

    5. Re:Not surprising by Taladar · · Score: 2, Insightful

      An interesting question would be how many of these exploits are remote exploits and how many are "just" local user. With most Windows machines running as Admin per default local exploits seem to be ignored there most of the time.

    6. Re:Not surprising by doorbot.com · · Score: 2, Insightful

      Last Windows breach: 3 months ago, between install and d/l of SP4 (yeah, I couldn't even download the service pack before getting hit, I had to get the redistributable package via my Linux box and burn it to CD!)
      Last Linux breach: NEVER


      SP4 has been out for a long, long time. I'm assuming you ran into the "breach" because you were reinstalling Windows 2000 which was not firewalled but was connected to the Internet prior to the install of the appropriate patches.

      The same thing could happen to your Linux box. The fact that your virgin Windows system was unpatched isn't Microsoft's fault or even your fault, but you could have taken extra steps to protect what you admit is an inherently less secure system.

      Your example that a Windows system was exploited isn't a fair claim; if you secure Linux and Windows fully, and Windows still gets owned, then we might have a story (as might be the case with the article linked in this story).

      I'm not saying Windows is perfect either; my point is your example is flawed. By your own admission it needed SP4 (and subsequent patches I assume) and thus suggests to me that the system was not ready for use. It's like crash testing a car where you hadn't gotten around to installing the airbags yet -- of course it will fail safety tests. Is it fair to then say, "Look it failed the test!" when any reasonable (computer-literate) person would expect that outcome?

    7. Re:Not surprising by Foolhardy · · Score: 2, Insightful

      My Windows' uptime 36 hours
      My shortest of 6 Linux' uptime = 8 months 2 weeks and 3 days (had to change UPS battery, heh).

      Last Windows reformat due to system file corruption: 3 months; average 1 time per year.
      Last Linux reformat due to system file corruption: NEVER; average 0 times in 7 years.

      Last Windows breach: 3 months ago, between install and d/l of SP4 (yeah, I couldn't even download the service pack before getting hit, I had to get the redistributable package via my Linux box and burn it to CD!)
      Last Linux breach: NEVER

      So you know how to run a Linux machine correctly, but are not competent to run a Windows machine? What result did you expect?
      I have never, ever reinstalled Windows, and I've had about 10 installations.
      I've had zero viruses, worms or breaches.
      The uptime on this computer is 29 days, last restarted when I upgraded the video driver since nVidia can't afford to make an unloadable driver.
      In the year I've had this computer, I've had 3 crashes, all due to an experimental IDE driver (for nForce2). Once I replaced it with the generic driver, it hasn't crashed since. (about 6 months ago)

      Since I don't have the gross problems you report, I can only conclude that the user is at fault.

      Last Windows breach: 3 months ago, between install and d/l of SP4 (yeah, I couldn't even download the service pack before getting hit, I had to get the redistributable package via my Linux box and burn it to CD!)

      See Installing Windows 2000 integrated with the service pack (AKA slipstreaming). All the patches are applied to the installation files before actual installation. The command line arguments for the service pack exe to integrate them also apply to all recent patches.
    8. Re:Not surprising by jdhutchins · · Score: 4, Insightful

      It'd be nice if you could use WinXP without administrator privileges. But there are many programs that simply don't run without Administrator privileges (MusicMatch comes to mind). If people could run without administrator privileges, they might, but if it's a lot of trouble, they won't. Unix users don't run as root if a program doesn't need root privileges, it will run as a non-root user, unlike most XP programs. I know it isn't completely Microsoft's fault, but they need to work with software companies to fix the problem.

  2. So surprising.... by SlayerofGods · · Score: 5, Insightful

    At what point does a story become so routine that it no longer counts as news?

    --

    Technology, the cause of and solution to all of life's problems.
  3. As usual, working and playing well with others.... by originalhack · · Score: 5, Insightful
    Step 1: Be polite to Microsoft:
    Finjan has notified Microsoft of the vulnerabilities and has shared all relevant technical details with the company.
    Step 2: Be polite to Microsoft:
    Per its usual policy, Finjan has no plans to go public with details of the flaws until Microsoft has patches available for them.
    Step 3: Reap benefits of being polite to Microsoft:
    "Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2," the Microsoft statement said.
  4. Does this apply to firefox? by broothal · · Score: 5, Insightful

    What they said: "By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page"

    What they meant: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page with Internet Explorer

  5. You missed the part about Finjan by LO0G · · Score: 4, Insightful

    Using these vulnerabilities to shill its products.

    This isn't to say that the vulnerabilities aren't real, they might be.

    But this is a marketing ploy for Finjan

  6. Re:Surprise surprise by Peaker · · Score: 2, Insightful

    I tend to find that extremely competent programmers, with a lot of experience, tend to make nearly bug-free software...

    Unfortunately (or fortunately for some of us :), the vast majority of programmers out there simply suck, bad. Judging by most faults I've seen, and despite what so many people say: MS programmers suck.

  7. Re:expected by fwitness · · Score: 4, Insightful

    Yeah, and of course we all criticize MS for releasing buggy software. The counter-argument is always that of course MS can't fix every single bug. Supporting that, people point to vulnerabilities in apache, mysql, etc.

    The problem with the latter is that most Linux-based software is open-source, nonfunded. Whereas Microsoft is the largest business this side of Alpha Centauri.

    I'd like to say pshaw, no big deal, but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one of the largest corporations in the world. Stop entering new markets and release a stable, secure product in the next millennium please.

    Flame on.

    P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsoft's name does anything other than diminish one's argument.

    --
    -- I have fans? Wow.
  8. Quote from Scotty on Star Trek 3: by earthforce_1 · · Score: 2, Insightful

    The more complex the plumbing, the easier it is to stop up the works!

    --
    My rights don't need management.
  9. Windows needs a rewrite by linguae · · Score: 5, Insightful

    I believe that with Linux's usability improving each and every year, and Mac OS X's increasing appeal to computer users, sooner or later, Microsoft will be in deep trouble. No OS is completely secure, but Linux and Mac OS X don't suffer from the one main problem that faces Windows security: the integration of web browsers (Internet Exploder), media players (Windows Media Player), and e-mail clients (Outlook Express). Windows has a lot of other security issues too, due to huge amounts of legacy code, a horrible system of user management (why must a user be logged in as Administrator to play a game?), insecure services running, and more.

    Windows needs a rewrite. The kernel is fine, but there should be a new set of APIs (get rid of legacy stuff), a better command line (with the option of booting into it), disintegration of IE, WMA, and OE (make them separate programs that can be uninstalled), better user management (similar to Unix's user management), and finally, a secure "blue box" that runs "classic" Win32 and Win16 programs (similar to Mac OS X's classic mode). If Microsoft does this, they'll finally have a secure and stable OS, and who knows, I might even recommend Windows to users. But until then, I'm sticking with FreeBSD.

  10. Leave some holes, charge cash to plug 'em by Japong · · Score: 3, Insightful

    I find it disgusting that Microsoft has plans to sell anti-virus software to plug up the holes they stupidly left in their OS. Shouldn't developers be forced to make secure products?

    If it's discovered my model of car has a set of brakes that have a chance of not working after a certain gear shift combination, the car company issues a recall - they don't tell everyone "oh it's not a big deal, if you want go to a mechanic and buy a new set of brakes."

    We get patches for free (well kinda...after paying for the software) but they only seem to fix one problem (at best) for a hole found in the wild by people outside MS anyway. That doesn't even begin to cover spyware and viruses.

  11. Found Before Exploited? by nurb432 · · Score: 2, Insightful

    As far as you know.. We really won't know if someone has taken advantage of something 'secret', unless they either get caught, or boast about it..

    THOSE are the scary ones..

    --
    ---- Booth was a patriot ----
  12. Re:expected by jrexilius · · Score: 4, Insightful

    It's an interesting dilemma, because they very likely would _not_ be a $40bil if they didn't release awful software.

    If they were to follow a very strict engineering process similar to what defense, NASA, and energy depts follow, their software would cost more than it already does, be years behind on "features", and make it very difficult to have the knee-jerk reactions to market desires it currently does.

    I would argue that their success, aside from their edgy, sometimes illegal business practices, came from focussing more on UI and integration (or lock in depending on perspective) than on things people didn't understand at the time (security, stability, standards, interoperability, etc.).

    Software has thus far been treated and behaved very differently from traditional engineering and manufacturing as there is no entity like UL (Underwriters Lab), FDA, FCC, DOT, etc. enforcing standards of safety and allowing users to sue them for selling sub-par products. MS could move quick with a shoddy product and say they clicked "agree" on the EULA, security or stability be damned.

  13. Re:expected by Froze · · Score: 2, Insightful


    I was just wondering if you saw the implicit contradiction in your statements.
    ...Microsoft is the largest business this side of Alpha Centauri.
    and
    I'm going to establish a charity for those who believe using a dollar sign in Microsofts name does anything other than diminish one's argument.

    Your whole post drives at the point that Microsoft is in the business of making money and not making good software, yet you come along and decry those who would say the same thing in a much more concise form, "M$".
    < Mode flaming = "off" >

    --
    -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
  14. Re:Well, users can... by JustOK · · Score: 3, Insightful

    ...and it's not the fault of Agilent LogicWave logic analyser because?????

    --
    rewriting history since 2109
  15. Microsoft's gratitude by iamacat · · Score: 2, Insightful

    Per its usual policy, Finjan has no plans to go public with details of the flaws until Microsoft has patches available for them

    and

    Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2

    Why should people who are trying to help just get insulted? It's time to release the exploits to all of us after all, so that we can decide for ourselves who is making erroneous statements.

    1. Re:Microsoft's gratitude by koniosis · · Score: 1, Insightful

      Because Finjan is a company that would make a mountain out of a mole hill if it sold their software, if they were to do this properly they could have just told Microsoft about the problem and kept quiet about it. But that doesn't sell their products, they sell security products, which rely on exploits. The chances are that this isn't really a major issue, and probably relies on some obscure system setup which could only be achieved on purpose and for the sake of introducing a hole, which no user would ever have in reality.

      --
      I spent ages trying to think of sig, but never did :(
  16. Re:Well, users can... by vstanescu · · Score: 2, Insightful

    If this software is some expensive corporate software and you are paying big licensing money for it, you should just request an update from Agilent. If this is not an option, just isolate the systems running this software from the net, in a secured area. A lot of systems in the world are unpatched and old for various reasons, but they do their job without being broken, just because they are isolated well enough. If you require internet access, just put a second PC on your desk, with SP2 and no Agilent.

  17. Re:Who'd have thought it by rseuhs · · Score: 2, Insightful
    Yeah, that's exactly the problem with Windows.

    With all the service packs you have to do an "all or nothing" approach, which causes lots of wasted time and money because you have to test, test, test before deploying a SP.

    On Linux, when there is a problem with package X version y, I can just upgrade to version y+1.

    I also don't need to set up a test machine because I can go back to version y if version y+1 doesn't work for some reason. (ha, try to go back a service pack. You can't, it's reinstall-time)

  18. Re:Disable the light bulb. by Neil+Blender · · Score: 2, Insightful

    "Tools">"Options">"OpenOffice.org">"General">"Help Agent">"Activate" (uncheck the little box)

    You got me there. Honestly, I never tried to turn off the lightbulb. But could you inform me on the following: How to not capitalize the first letter of an entry in a spreadsheet field AND default .txt files to open as csv in spreadsheets AND set default delimiter to tab AND default text entries to not be delimited with quotes? I'd be happy solving just the first two.

    Aside from that, I love OO and linux, I use them near 100% of the time. My comment was really more a jab at people who love to hate Microsoft but are blind to obvious faults and failures in OSS.

  19. Re:No Security Issues in Win XP SP1 for me! by smeenz · · Score: 2, Insightful

    You don't play multiplayer PC games, do you?

  20. If you must run unpatched and connected... by leonbrooks · · Score: 3, Insightful

    ...then carefully remove as much Microsoft software from your machine as possible.

    Start with MSIE and MS Outlook, then MS-Office (replace them with FireFox, ThunderBird and OpenOffice, respectively). Really dig in and make sure every trace of them has been removed, don't stop at believing what the MS uninstaller tells you about MS Outlook.

    Don't offer any shares, even to the LAN (get people to dump stuff elsewhere on the LAN and you pick it up from there), connect to the minimum number of shares (zero if possible) and for the shortest reasonable time.

    Run a good firewall.

    Pray a lot.

    One more option: if you have a modern Linux box around, throw LogicWave at WINE on that and see how far it gets. If it doesn't work outright, maybe you can hack up an interface to the actual analyser in WINE. That'd be a lot of effort for one workstation, but if you have 20 or so it might be worthwhile.

    --
    Got time? Spend some of it coding or testing