Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Vulnerabilities Discovered in WinXP SP2

Posted by CowboyNeal on from the holes-in-the-dike dept.

SoTuA writes "Few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicous code execution without user intervention. Finjian has turned over the findings, along with proof-of-concept, to Microsoft."

22 of 343 comments (clear)

  1. Well, users can... by Anonymous Coward · · Score: 5, Funny

    Just upgrade to Windows XP SP2.

    Oh... wait...

  2. Then Billy Gates.... by Anonymous Coward · · Score: 5, Funny

    waves his hand mysteriously and says "These are not the exploits you are looking for."

  3. Love the article by the_Bionic_lemming · · Score: 5, Funny

    "Browsing a web page" can cause you to lose the machine to a malicious hacker.

    What - they just discovered Gator?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  4. Who'd have thought it by TykeClone · · Score: 5, Funny

    Security vulnerabilities in a 250MB update? Never would have guessed!

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  5. Hmm... by northcat · · Score: 5, Funny

    "Security vulnerability discovered in Windows" has become as common as "Britney Spears gets married".

    1. Re:Hmm... by The-Bus · · Score: 5, Funny

      I know. I'm getting tired of hearing about the same insecure, overrated, virus-filled, money-hungry useless piece of crap without any redeeming qualities.

      I'm sure I'll get tired of hearing about Microsoft too.

      --

      Small potatoes make the steak look bigger.

  6. So surprising.... by SlayerofGods · · Score: 5, Insightful

    At what point does a story become so routine that it no longer counts as news?

    --

    Technology, the cause of and solution to all of life's problems.
    1. Re:So surprising.... by RealProgrammer · · Score: 5, Funny
      • At what point does a story become so routine that it no longer counts as news?

      When it doesn't get any comments.

      --
      sigs, as if you care.
  7. As usual, working and playing well with others.... by originalhack · · Score: 5, Insightful
    Step 1: Be polite to Microsoft:
    Finjan has notified Microsoft of the vulnerabilities and has shared all relevant technical details with the company.
    Step 2: Be polite to Microsoft:
    Per its usual policy, Finjan has no plans to go public with details of the flaws until Microsoft has patches available for them.
    Step 3: Reap benefits of being polite to Microsoft:
    "Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2," the Microsoft statement said.
  8. ...and Clippy sez... by mangu · · Score: 5, Funny

    "I see you are looking for an exploit..."

    1. Re:...and Clippy sez... by Neil+Blender · · Score: 5, Funny

      ?"I see you are looking for an exploit..."

      And Open Office sez: Hey, hey, I'm a lightbulb!! Lower right hand corner? HELLO? LIGHTBULB HERE! That means I have an idea to make your life better...HEY LOOK AT ME! HAHA preferences - they mean nothing. Just try and turn me off! YOU CAN'T! Oh, let me capitalize that first letter for you in your spreadsheet. WHAT? You don't like that? Preferences you say? Perhaps you didn't hear me the first time.

  9. Internet Explorer Again? by ralinx · · Score: 5, Interesting

    from the article:
    "By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page,"

    gee... why am i not surprised that Internet Explorer once again introduces huge security problems?

    in the meantime, a patch can be downloaded here

    allthough i must admit... SP2 has had a good run... most of the recent security problems in XP/IE were non-issues in SP2. Too bad it couldn't last longer.

  10. Does this apply to firefox? by broothal · · Score: 5, Insightful

    What they said: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page"

    What they meant: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page with Internet Explorer

  11. Re:Not supprising by BeerAndLoathing · · Score: 5, Insightful

    Security holes being found isn't usually the issue with microsoft though, it's how long it takes for fixes to arrive.

  12. What? by Lisandro · · Score: 5, Funny

    It's that time of the month already?

  13. Exploit code sample by Ingolfke · · Score: 5, Funny
    This is another example of Microsoft offering too much in the WinAPI without doing adequate security checking. The exploit utilizes a function in VBScript, unique to IE, intended for system administration scripts. A sample is provided below.
    'Sample will provide a handle back to the local box. The object provides several methods for manipulating the box.
    <script language="vbscript">
    objMyBox = TakeOverXPBoxen(me)
    objMyBox.RunArbitraryCode("...")
    </script>
    What is really concerning is that the 'TakeOverXPBoxen' function accepts hostname or IP address strings.

    I hate to rant, but this type of poor security checking is pathetic. Surely they should have known that all they would have needed to do was check the evil bit on the remote transfers to see if the data was safe or not. Someone in the OS community would have done this.

    You do have to hand it to Microsoft though, the code is very easy to implement and quite elegant if you ask me.
  14. Re:Not supprising by Anonymous Coward · · Score: 5, Insightful

    XP does not come with an SQL server. XP does not come with a PDF viewer. XP does not come with an IRC client. XP does not come with a proxy server. Seeing a pattern here?

  15. Windows needs a rewrite by linguae · · Score: 5, Insightful

    I believe that with Linux's usability improving each and every year, and Mac OS X's increasing appeal to computer users, sooner or later, Microsoft will be in deep trouble. No OS is completely secure, but Linux and Mac OS X doesn't suffer from the one main problem that faces Windows security: the integration of web browsers (Internet Exploder), media players (Windows Media Player), and e-mail clients (Outlook Express). Windows has a lot of other security issues too, due to huge amounts of legacy code, a horrible system of user management (why must a user be logged in as Administrator to play a game?), insecure services running, and more.

    Windows needs a rewrite. The kernel is fine, but there should be a new set of APIs (get rid of legacy stuff), a better command line (with the option of booting into it), disintegration of IE, WMA, and OE (make them separate programs that can be uninstalled), better user management (similar to Unix's user management), and finally, a secure "blue box" that runs "classic" Win32 and Win16 programs (similar to Mac OS X's classic mode). If Microsoft does this, they'll finally have a secure and stable OS, and who knows, I might even recommend Windows to users. But until then, I'm sticking with FreeBSD.

  16. Re:Not supprising by NemoX · · Score: 5, Insightful

    Windows in an O/S. You just listed 14 vulnerabilities for Applications that just happen to be packaged with RH O/S. Only ONE of above HAVE to be installed to run RH. Whereas, Windows and it's packaged applications, you have no choice but to suck it up when one of it's applications has a flaw, as you cannot uninstall them if something is a serious security threat. I am not saying that any Linux distro, or any O/S for that matter, doesn't have security issues, because they all do, but get better educated before spewing forth you're Linux bashing.

    "Please step away from the gun, you are not authorized to use it."

  17. OpenOffice.org: enhanced annoyances on par with MS by KWTm · · Score: 5, Interesting

    Thank you! That struck a chord with me. It blows my mind how the OpenOffice.org suite (in particular OOo Writer) has painstakingly reproduced the frustration in using MS Word. Spelling "corrections" are automatically made, tables contents are automatically assigned different fonts and line spacing, and that bloody lightbulb keeps popping up like some Web ad.

    And that splash screen when it starts up, subbornly staying on top and covering the other windows --is Sun *trying* to advertise how bloody long it takes to start up the program?

    But you know what the clincher is? I bought the "OpenOffice.org 1.0 Resource Kit", a manual written by Solveig Haugland, and there was this fairly common feature (I forget which one --maybe inserting a static date as text?) that she COULDN'T FIGURE OUT how to do. She basically says, "So far we haven't figured out how to do this yet." This is from someone who's writing a manual for the software.

    Good God, Sun, why don't you just get bought out by Microsoft already. Maybe it's time to take another look at AbiWord, see how they're doing on their tables support, and break out the GNOME libraries...

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  18. Re:expected by Waffle+Iron · · Score: 5, Informative
    The difference of course is that most of those retailers and manufacturers are primarilly conduits of capital. They may collect a lot of revenue, but the vast majority of that is immediately transferred back out to their suppliers. They just retain a modest profit margin and operating expenses.

    Microsoft, OTOH, is more like an economic black hole. Huge chunks of the revenue they collect just accumulates in their bank account. They don't seem to be able to figure out what to do with it, even though it's obvious that over the years they should have been investing more of it in improving the quality of their software.

  19. Please don't post these stories on the weekend by Edmund+Blackadder · · Score: 5, Funny

    Dear slashdot.

    Why must you post these stories on the weekend? You have just ruined the saturday of the whole MS marketing department. Now everyone of them has to cancel their plans, log on slashdot and start making posts about how "no OS is secure" and "it is all the users' fault" and "these guys are just trying to scare up some business". And the ever favourite "if Linux was that popular it would have just as many security flaws".

    Well that is their job and they do it well, but why must you force them to do it on the weekend? Why can't they be with their families. Even marketoids have lives (I hear).