Russians Say Windows XP SP2 Vulnerable - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
1/31/2005
03:21 PM
50%
50%

Russians Say Windows XP SP2 Vulnerable

A Russian security firm spots vulnerabilities in Microsoft Windows XP SP2, and takes the unusual step of producing its own patch for the bug.

A little-known Russian security firm claimed Monday that it's spotted vulnerabilities in Microsoft Windows XP SP2, and has taken the unusual step of producing its own patch for the bug.

Researchers at Moscow-based Positive Technologies said that they uncovered the flaws in Windows XP SP2's DEP (Data Execution Mechanism) back in early October, and reported it to Microsoft more than a month ago.

When it didn't receive a response, Positive released details of the vulnerability on its Web site, and posted a patch that supposedly temporarily fixes the problem.

As implemented in SP2, DEP is a collection of hardware and software technologies that do additional checks on memory to protect against malicious code exploits like buffer overflows. While hardware DEP technologies -- such as those in some AMD processors and in upcoming CPUs from Intel -- can protect code throughout the system from such exploits, the software-only DEP that Positive claims is buggy only protects a specific number of Windows' system files.

The utility which can be downloaded from the Positive Web site sets a global flag on the system to block at least one possible exploit vector.

But analysts warn users to be wary of applying non-vendor patches.

"It's just too dangerous," said John Pescatore, a vice president at Gartner, and one of the research firm's security experts. "We tell clients 'never accept patches from anyone but the vendor.' There's no way a major firm -- like an Oracle or a SAP -- could do full regression testing on a patch for another vendor's product, much less a little company like [Positive]."

Recently, Microsoft has been vocal in its denunciations of security firms and researchers who publicize details of vulnerabilities before the Redmond, Wash.-based developer has a chance to create and release a patch.

Although Pescatore dismissed self-patching, he sympathized with the Positive Technologies of the world when it comes to releasing information.

"I don't believe disclosure should wait forever. We tried that a couple of years ago, and what happened was that vendors never released patches," he said. "You don't want a vulnerability disclosed the exact instant it's discovered, or even days later, but a month is right on that borderline of reasonableness.

"Even if [a vendor] doesn't have a patch, they usually have a workaround by then."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Commentary
Gartner Forecast Sees 7.3% Shrinkage in IT Spending for 2020
Joao-Pierre S. Ruth, Senior Writer,  7/15/2020
Slideshows
10 Ways AI Is Transforming Enterprise Software
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/13/2020
Commentary
IT Career Paths You May Not Have Considered
Lisa Morgan, Freelance Writer,  6/30/2020
Register for InformationWeek Newsletters
Video
Current Issue
Special Report: Why Performance Testing is Crucial Today
This special report will help enterprises determine what they should expect from performance testing solutions and how to put them to work most efficiently. Get it today!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll