Responding to a Russian security company's claim that it found a way to beat a protective element of Microsoft's Windows XP Service Pack 2, the software giant on Tuesday said it does not believe the issue represents a vulnerability. In fact, the company said the technology highlighted by Moscow-based Positive Technologies was never meant to be "foolproof" and added that the reported flaw does not, by itself, put consumers at risk.
"An attacker cannot use this method by itself to attempt to run malicious code on a user's system," Microsoft said in a statement. "There is no attack that utilizes this, and customers are not at risk from the situation."
Last week, Positive reported that the Data Execution Protection tools included in Service Pack 2--code intended to prevent would-be attackers from inserting malicious programs into a PC's memory--opened Windows XP systems up to additional threats. The security company said that two minor mistakes in the implementation of the technology could allow a knowledgeable programmer to sidestep the measures, known as the Data Execution Protection and the Heap Overflow Protection.
But Microsoft representatives disagreed with Positive's interpretation of Data Execution Protection, saying the technology was not created to necessarily foil existing threats but to make developing attacks against Service Pack 2 harder.
In an e-mail message to CNET News.com, Microsoft representatives said the company would continue to modify the technology and would evaluate ways to mitigate the reported method of bypass.
Those "security technologies in Windows XP Service Pack 2 are meant to help make it more difficult for an attacker to run malicious software on the computer as the result of a buffer-overrun vulnerability," the representatives said in the statement. "Our early analysis indicates that this attempt to bypass these features is not a security vulnerability."
Positive said that attack programs that use the exploit to get around Windows XP Service Pack 2 protections work reliably, allowing intruders to introduce malicious code onto machines using a second vulnerability that would otherwise not work on Service Pack 2 because of the protection mechanisms.
Yury Maksimov, chief technology officer at the security company, said Positive only publicized the issue after Microsoft refused to act on previous warnings of the flaw that it sent to the software giant. He said he believes the Data Execution Protection does open up potential vulnerabilities.
"In this situation, we decided it would be much safer for the industry to be aware of the new, existing threat," Maksimov wrote in an e-mail. "Such a vulnerability cannot cause a new worm or virus (to appear). But that's exactly the situation when it is much better to know about the problem, than not."
However, at least one industry expert said that Positive's report of the threat may not be completely fair to Microsoft. Peter Lindstrom, a research director at Spire Security, observed that the Data Execution Protection vulnerability is unlikely to be seized upon by hackers. It relates more to core security issues with the design of many different kinds of software, not just tools made by Microsoft, he said.
"Maybe you could classify this problem as a lost opportunity on Microsoft's part to protect Windows better, but that doesn't make it a vulnerability," Lindstrom said.
gate[s]; they're called features, right?
Can't say I feel sorry for them. They choose to create a bloated OS. The more you integrate into your OS, the more vulnerabilities you introduce into it.
The next years will be interesting...
others) into Windows is more than just bloat, it's malicious
marketing. Yet, to some degree, OSX and Linux do similar
things, e.g., Spotlight as an integrated feature in Tiger and used
by any other application.
Maybe that's the point. Internet Explorer never had to be part of
Windows. M$ claims that you have to have IE to get all the
Windows functions, but that's because they left needed core
programming out of the basic Windows OS, and made it
available only if you installed IE. Now, just try to uninstall IE, OE,
or any other M$ 'application' in Windows. Delete the shortcut?,
sure.... eliminate the application?, no way! Because Windows
can't run without the application code.
Well, it was a choice, and M$ took it. Now they are beginning to
find out that there is a hidden cost they forgot to consider, a
major hidden cost. Short sighted, limited capability, market
driven software development - M$ has taken this approach to
new depths.
And yet, they continuously hold the market control. Maybe that
says less about M$ than the people who buy M$.
- Still making a mountain of a molehill
- by Not Bugged February 2, 2005 9:16 AM PST
- Why have these stories never mentioned the fact that you don't get this data protection unless you have a processor that supports it? Only the latest Intel chips and the more recent AMD chips even support this particular technology in the first place. For the vast majority of users out there, this new protection (compromised or not) doesn't even exist.
- So what you're saying is
- by Fray9 February 2, 2005 10:23 AM PST
- So what you're saying is that it only affects new computers, so Microsoft is correct in ignoring the fact that they built a huge steel door to protect you and left the hinges on the outside?
Yes, it's important to discuss the problem, but let's get a perspective on its scope too.
In a very short time those new processors will be standard.. should Microsoft wait till then to panic and react with another knee-jerk style patch that wasn't completely thought through and introduces more bugs?
If Microsoft wants to convince anyone they care at all about security they need to show that they care about the fact that the new security features are easily circumvented. Telling us it's not a problem just shows they don't want to make their software any more secure than it already is.