Microsoft scoffs at '10 new XP SP2 flaws'

Can hackers 'silently and remotely take over any SP2 machine'?

By Jo Best, 12 November 2004 13:00

Security firm Finjan has found 10 flaws in Windows XP SP2 - while Microsoft is saying the warnings are over the top.

According to the security company, the flaws mean that "attackers can silently and remotely take over an SP2 machine when the user simply browses a web page".

Finjan has informed Microsoft of the flaws and is working with the Redmond, Washington-based giant to sew them up. The company won't provide any details about the flaws, which have yet to be patched, in case it helps hackers and virus writers start work on exploiting the vulnerabilities before Microsoft issues any potential fix.

However, Finjan did give details of what kind of attack the flaws could be used to launch.

One, according to the company, would allow hackers to remotely access users' local files by compromising a feature that prevents remote web pages from accessing local files other than by downloading a file.

Another flaw could let hackers bypass XP SP2's notification mechanism for the download and execution of .exe files, which could let them download files without warning the user.

Microsoft, however, isn't hitting the panic button just yet.

A Microsoft spokeswoman said "Microsoft is aware of the claims by Finjan Software of possible vulnerabilities in Windows XP SP2. At this time, Microsoft cannot confirm Finjan’s claims of 'ten new vulnerabilities' in Windows XP SP2. Moreover, Microsoft is currently unaware of active attacks against customers attempting to utilise the alleged vulnerabilities as reported by Finjan."

"Our early analysis indicates that Finjan’s claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2," she added.

Microsoft is investigating the claims and will issue a fix if necessary.

Comments

There are 3 comments.

  1. anonymous

    Finjan researchers have acted appropriately: they've told Microsoft about some vulnerabilities in the much vaunted Windows XP SP2. What is Microsoft's answer? "Finjan is exaggerating. Nobody has yet found a way to exploit the so-called flaws. We'll look into it when we have nothing better to do."

    That is not the kind of answer customers would expect from a corporation that pretends to care about security. If Finjan had disclosed all the details of the vulnerabilities, then Ballmer would have cried wolf.

  2. anonymous

    Just curious why this journalist would fail to give attribution to the "Microsoft spokeswoman" who purportedly "scoffs" at these findings? Come on Jo... how about some basic journalism skills and accuracy. Who made this "official sounding" edict?

    (Ed note: Your curiosity is unnecessary and slightly ill-conceived. Why would you need a name? How would it change the sense of the story? Generally the term 'spokesman' or '-woman' is used to denote somebody from within the press office or agency-side PR who issued a statement or response on behalf of the company - not on behalf of themselves. As such there is no relevance in naming them. Unlike when we quote a CEO or similar exec, the words in such cases are often not their own - they are simply giving the company's position. As such it would be unnecessary to name them in the article as their name is not relevant. I suspect you'll find therefore we are displaying more "journalism skills" than you credit us with in your comment - sticking to the facts rather than just naming and shaming somebody with no direct responsibility to effect change on the stated problem, simply for the hell of it. Interesting that you ask us to withhold your name from this comment... "pot", "kettle", "black" anybody?)

  3. anonymous

    Time will tell!!!

    Once Microsoft have decided whether to, and fix if necessary, it will be interesting if Finjan could then release details of the vulnerabilities. We will then be made apparent if Microsoft are more serious about securing their OS or simply trying to prevent more PR blunders.
