Windows XP SP2 Full Of Holes, Security Vendor Says

Finjan Software said its Malicious Code Research Center had spent the last several months analyzing Windows XP SP2, the massive refresh that Microsoft touted as its most secure desktop operating system ever, and found 10 bugs that could be used by hackers to hijack systems when users simply view malicious Web pages.

The San Jose, Calif.-based company said it has provided Microsoft with technical details on the vulnerabilities and with proof-of-concept code that demonstrates how the bugs could be turned into full-fledged security attacks.

"We'll not disclose details of any of these vulnerabilities until patches are ready," said Gil Aditi, Finjan's chief security officer, "so that attackers can't create worms or viruses with this information."

Although Microsoft has said several times that SP2 is its most secure OS, Finjan's spotting of 10 vulnerabilities didn't come as a surprise to Aditi. "Any operating system has its holes, and SP2 is no exception. It's not bulletproof."

When used singly or in combination, the vulnerabilities would let a dedicated hacker surreptitiously gain control of a PC when the user browses a malicious Web site, Aditi said.

Such tactics aren't new. The Scob outbreak of June and the JPEG vulnerability of September both relied only on users viewing sites, not opening e-mail attachments or downloading files.

"Put together, these vulnerabilities could be used by an exploit that would download malicious mobile code, such as Javascript or ActiveX," said Aditi. "That code would be automatically executed, and other malicious software then loaded to compromise SP2's security features.

"Just by browsing a site, one could be infected," he added.

Several of SP2's touted security features can easily by circumvented, Aditi said, thanks to the vulnerabilities.

SP2, for instance, is designed to protect users from potentially dangerous content downloaded from the Web. It blocks unauthorized operations performed by Web sites, makes the user confirm that he wants to save a downloaded file, and requires verification before it will run a downloaded file. According to Finjan, these tools are meant to protect users against silent "drive-by" installation of malicious software.

"All three can be bypassed by exploits," said Aditi.

A Microsoft spokesperson rebutted Finjan's claims in an e-mail to TechWeb.

"Microsoft is actively investigating these issues through our security response process and is determining the validity and accuracy of the reported issues," the spokesperson said.

"Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities," continued the spokesperson.

"Once Microsoft concludes investigating Finjan's claims and if Microsoft finds any valid vulnerability in Windows XP SP2, Microsoft will take immediate and appropriate action to help protect customers," the spokesperson added. Microsoft is unaware of any current attacks exploiting the vulnerabilities spotted by Finjan, said the company.

Microsoft took Finjan to task for publicizing the vulnerabilities, even if Finjan didn't lay out specifics. "We encourages Finjan to abide by the principles of responsible disclosure and to decline to provide further comment or details on the alleged vulnerabilities until Microsoft is able to complete its investigation and can respond," the Redmond, Wash.-based developer said.

Finjan's Aditi countered. "Microsoft has been aware of some of these flaws for months, some for weeks," he said. "SP2 is a big step forward in security," concluded Aditi, "but I'm sure there will be many more vulnerabilities in the future. Even with the changes in the kernel, it's not perfect."