
Microsoft: SP2 shimmy's not a flaw

Company downplays a method for intruders to bypass defenses in its Service Pack 2 update for Windows XP.

Matt Hines Staff Writer, CNET News.com
Matt Hines covers business software, with a particular focus on enterprise applications.
Microsoft downplayed the significance of a reported flaw in its latest update to Windows XP.

Responding to a Russian security company's claim that it found a way to beat a protective element of Microsoft's Windows XP Service Pack 2, the software giant on Tuesday said it does not believe the issue represents a vulnerability. In fact, the company said the technology highlighted by Moscow-based Positive Technologies was never meant to be "foolproof" and added that the reported flaw does not, by itself, put consumers at risk.

"An attacker cannot use this method by itself to attempt to run malicious code on a user's system," Microsoft said in a statement. "There is no attack that utilizes this, and customers are not at risk from the situation."

Last week, Positive reported that the Data Execution Protection tools included in Service Pack 2--code intended to prevent would-be attackers from inserting malicious programs into a PC's memory--opened Windows XP systems up to additional threats. The security company said that two minor mistakes in the implementation of the technology could allow a knowledgeable programmer to sidestep the measures, known as the Data Execution Protection and the Heap Overflow Protection.

But Microsoft representatives disagreed with Positive's interpretation of Data Execution Protection, saying the technology was not created to necessarily foil existing threats but to make developing attacks against Service Pack 2 harder.

In an e-mail message to CNET News.com, Microsoft representatives said the company would continue to modify the technology and would evaluate ways to mitigate the reported method of bypass.

Those "security technologies in Windows XP Service Pack 2 are meant to help make it more difficult for an attacker to run malicious software on the computer as the result of a buffer-overrun vulnerability," the representatives said in the statement. "Our early analysis indicates that this attempt to bypass these features is not a security vulnerability."

Positive said that attack programs that use the exploit to get around Windows XP Service Pack 2 protections work reliably, allowing intruders to introduce malicious code onto machines using a second vulnerability that would otherwise not work on Service Pack 2 because of the protection mechanisms.

Yury Maksimov, chief technology officer at the security company, said Positive only publicized the issue after Microsoft refused to act on previous warnings of the flaw that it sent to the software giant. He said he believes the Data Execution Protection does open up potential vulnerabilities.

"In this situation, we decided it would be much safer for the industry to be aware of the new, existing threat," Maksimov wrote in an e-mail. "Such a vulnerability cannot cause a new worm or virus (to appear). But that's exactly the situation when it is much better to know about the problem, than not."

However, at least one industry expert said that Positive's report of the threat may not be completely fair to Microsoft. Peter Lindstrom, a research director at Spire Security, observed that the Data Execution Protection vulnerability is unlikely to be seized upon by hackers. It relates more to core security issues with the design of many different kinds of software, not just tools made by Microsoft, he said.

"Maybe you could classify this problem as a lost opportunity on Microsoft's part to protect Windows better, but that doesn't make it a vulnerability," Lindstrom said.