Security software firm Finjan said its research lab has turned up 10 “serious” flaws in Microsoft’s Service Pack 2 for Windows XP, an upgrade that Microsoft is touting as a way to better secure its flagship platform.
The vulnerabilities allow a range of attacks to be successful, in some cases giving attackers access to a computer’s local files, or to command the computer to download files without any warning or notification to the user.
Finjan said its Malicious Code Research Center (MCRC) uncovered the flaws in the weeks after SP2 was made available. The company said it turned over technical details of what it found to the software giant and will withhold specific technical details so that patches can be developed.
A representative from Microsoft was not immediately available to comment for this story, but the company has reportedly said that it is not aware of the flaws Finjan is claiming to have found.
Finjan Chief Security Officer Gil Arditi told the E-Commerce Times the flaws were discovered in the normal course of evaluation that takes place for Finjan’s own proactive security products. He said the company followed its standard procedure of notifying the software vendor and providing both the problem code and proof of concept of exploits.
“We are always detailing, identifying and, first and foremost, finding ways of handling these kinds of attacks,” Arditi said. The company issued similar warnings about flaws in the active content code in Yahoo and Microsoft’s Web-based e-mail products last year. “We certainly don’t want to do anything that would cause the creation of malicious code based on what we found.”
Despite the claims from Microsoft that SP2 would significantly improve the security of machines running XP, it has not been smooth sailing. For instance, Microsoft first said some applications would not work smoothly with the SP2 and later took flack for including only recent versions of its Internet Explorer browser in many of the updates and patches.
And many have been slow to adopt the service pack. A recent study by SupportSoft found that half of IT managers believe implementing SP2 would create continuity issues or application problems.
Tim Warner, northern European regional sales manager at Finjan, said many large customers are still planning their implementations of SP2. “I don’t believe I’ve talked to a single large customer with 10,000 users or more that has already put SP2 in place,” Warner said. “Most are still laying the groundwork to do that. It’s still months away in some cases.”
Warner said the problem that Microsoft and other software makers face is that the same code that can be used maliciously, whether to spread Trojans or worms or as spyware, is also essential for dynamic Web content and other legitimate uses.
‘Something Good, Something Bad’
“The code is like any program — it can be used to do something good or something bad,” Warner said in an interview with the E-Commerce Times.
Meanwhile, Microsoft is still wrestling with making products safer without making them harder to deploy. “At the end of the day, Microsoft has a duty to its customer base to assure that their applications, the products they already bought, are going to work with SP2 and everything else that comes out in the future.”
Aditi said it’s no surprise that even a supposedly more secure version of Windows would have some flaws. “Any piece of software is going to have its bugs,” he said. “I’ve never seen code yet that wasn’t hacked, patched or attacked.”