Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Vulnerabilities Discovered in WinXP SP2

Posted by CowboyNeal on from the holes-in-the-dike dept.

SoTuA writes "Few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicous code execution without user intervention. Finjian has turned over the findings, along with proof-of-concept, to Microsoft."

8 of 343 comments (clear)

  1. Internet Explorer Again? by ralinx · · Score: 5, Interesting

    from the article:
    "By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page,"

    gee... why am i not surprised that Internet Explorer once again introduces huge security problems?

    in the meantime, a patch can be downloaded here

    allthough i must admit... SP2 has had a good run... most of the recent security problems in XP/IE were non-issues in SP2. Too bad it couldn't last longer.

  2. Re:As usual, working and playing well with others. by westlake · · Score: 4, Interesting

    Finjan is not a disinterested party, since it is selling security solutions to the home and enterprise markets, and it profits by being the first --- and so far --- only source to make the claim.

  3. Re:expected by Nutria · · Score: 4, Interesting

    Whereas Microsoft is the largest business this side of Alpha Centauri.

    Hardly. Walgreens is "bigger" than MSFT, based on year 2003 revenue.

    http://www.usatoday.com/money/companies/2004-03-22 -fortune-500-list_x.htm

    Wal-Mart's revenue is 8x larger than MSFT's.
    IBM's is 2.75x larger, HP's is 2.24x larger. AT&T's revenue is US$2.4B larger than MSFT's.

    --
    "I don't know, therefore Aliens" Wafflebox1
  4. Re:Not supprising by igrp · · Score: 4, Interesting
    Of course it was a matter of time - as it's a matter of time with any OS. Like there could be an OS which is absolutely secure and then we wouldn't have to read stupid articles like these.

    Well, in a way, you're absolutely right. The very first thing you have to realize before you even do a preliminary security screening/threat assement is that security is always a trade-off. That's the major point that most managers fail to understand.

    Basically, there are three elements that you need to balance: security, usability and costs (there a re also lot of other relevant factors like existing infrastructre, resistance to change, scalability, etc. that make real security work, ie. more breaking out the pen test kit and print a report, so damn expensive).

    There is no such thing as a 100% secure system. That's the common wisdom and that's true. But you can design a 98% secure system. The only problem is that this system will require a huge overhead and be so cumbersome that your employees will spend most of their time doing anything but actual work. That way they'll either avoid it and use something else (ie. something less secure and more usuable), if given the choice. Or they'll be largely unproductive, which in turn means you'll have to spend a lot of money to even keep things running. Which of course means you'll not be able to compete (that's one of the reasons a lot of secure systems are designed for government use only because they government doesn't really have to compete or be efficient).

    Multics implemented usuable security exceptionally well. You could get the job done in a timely but relatively secure manner. For some more information about user centered security check out this paper or "Multics Security Evaluation: Vulnerability Analysis" by Karger & Schell (1974). The latter is available online too.

    It's really a shame there's no "Open Multics". I wouldn't really run it in a secure production envionment but I'd sure like to have my own Multics machine.

  5. Re:Not supprising by sumdumass · · Score: 4, Interesting

    Not only is it "the matter of time to get the fix", it is if the fix will be held for no other reason then to include it into some package that has somethign to disable pirated copies of thier software. It is unbelivable that a couple of severe threats that could have been Patched before was held over 11 weeks for a service pack release durring SP1 erra.

  6. Re:expected by Not_Wiggins · · Score: 4, Interesting

    ...but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one the largest corporations in the world.

    I'm not a fan nor a hater of Microsoft products (just hate their business practices), but for anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age. (That's not a swipe at the parent, but a comment about the public at large).

    The point is, Microsoft is actually trapped by how large they are (!). To "fix" all these issues would require a complete re-write of Windows. But then if they re-write Windows, what they'd be selling the public is not the product that helped make them a mega-corp, but a new and untested one that is only trying to leverage the brand name. Ironically, there's a significant chance that if Microsoft wandered too far from their "flagship" product too quickly, they'd both alienate and lose their customers.

    Hate to say it, but they need to take the slow, steady approach to these updates/repairs.

    The real question is, will they still be able to change fast enough to stay viable.

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  7. Re:You missed the part about Finjan by (H)elix1 · · Score: 4, Interesting

    Using these vulnerabilities to shill it's products.

    This isn't to say that the vulnerabilities aren't real, they might be.

    But this is a marketing ploy for Finjan

    Back in the NT4 days I happened on a major IIS exploit. I did what I could for our code, then reported it to Microsoft. A few email exchanges - reported the bug, gave a few code examples to show the remote privilege escalation (guest to admin), then silence. Noticed the issue was fixed two service packs later.

    Not so much as an email saying thank you after providing drivers to demonstrate the issue, much less any type of 'reward'. For those who wear a white hat (even accidentally) I have no problems with these guys showing how clever they are and using it for marketing purposes. That is about all the payback you get when you find something that does not behave like it should.

    --
    +++ UGUCAUCGUAUUUCU
  8. OpenOffice.org: enhanced annoyances on par with MS by KWTm · · Score: 5, Interesting

    Thank you! That struck a chord with me. It blows my mind how the OpenOffice.org suite (in particular OOo Writer) has painstakingly reproduced the frustration in using MS Word. Spelling "corrections" are automatically made, tables contents are automatically assigned different fonts and line spacing, and that bloody lightbulb keeps popping up like some Web ad.

    And that splash screen when it starts up, subbornly staying on top and covering the other windows --is Sun *trying* to advertise how bloody long it takes to start up the program?

    But you know what the clincher is? I bought the "OpenOffice.org 1.0 Resource Kit", a manual written by Solveig Haugland, and there was this fairly common feature (I forget which one --maybe inserting a static date as text?) that she COULDN'T FIGURE OUT how to do. She basically says, "So far we haven't figured out how to do this yet." This is from someone who's writing a manual for the software.

    Good God, Sun, why don't you just get bought out by Microsoft already. Maybe it's time to take another look at AbiWord, see how they're doing on their tables support, and break out the GNOME libraries...

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]