Microsoft: SP2 shimmy's not a flaw

-------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no
rights. You assume all risk for your use.
-------------------------------------------------------------------


Microsoft: SP2 shimmy's not a flaw
http://news.com.com/Microsoft+SP2+sh...3-5559369.html

Published: February 1, 2005, 3:24 PM PST
By Matt Hines
Staff Writer, CNET News.com


Microsoft downplayed the significance of a reported flaw in its latest
update to Windows XP.

Responding to a Russian security company's claim that it found a way
to beat a protective element of Microsoft's Windows XP Service Pack 2,
the software giant on Tuesday said it does not believe the issue
represents a vulnerability. In fact, the company said the technology
highlighted by Moscow-based Positive Technologies was never meant to
be "foolproof" and added that the reported flaw does not, by itself,
put consumers at risk.

"An attacker cannot use this method by itself to attempt to run
malicious code on a user's system," Microsoft said in a statement.
"There is no attack that utilizes this, and customers are not at risk
from the situation."

Last week, Positive reported that the Data Execution Protection tools
included in Service Pack 2--code intended to prevent would-be
attackers from inserting malicious programs into a PC's memory--opened
Windows XP systems up to additional threats. The security company said
that two minor mistakes in the implementation of the technology could
allow a knowledgeable programmer to sidestep the measures, known as
the Data Execution Protection and the Heap Overflow Protection.

But Microsoft representatives disagreed with Positive's interpretation
of Data Execution Protection, saying the technology was not created to
necessarily foil existing threats but to make developing attacks
against Service Pack 2 harder.

In an e-mail message to CNET News.com, Microsoft representatives said
the company would continue to modify the technology and would evaluate
ways to mitigate the reported method of bypass.

Those "security technologies in Windows XP Service Pack 2 are meant to
help make it more difficult for an attacker to run malicious software
on the computer as the result of a buffer-overrun vulnerability," the
representatives said in the statement. "Our early analysis indicates
that this attempt to bypass these features is not security
vulnerability."

Positive said that attack programs that use the exploit to get around
Windows XP Service Pack 2 protections work reliably, allowing
intruders to introduce malicious code onto machines using a second
vulnerability that would otherwise not work on Service Pack 2 because
of the protection mechanisms.

Yury Maksimov, chief technology officer at the security company, said
Positive only publicized the issue after Microsoft refused to act on
previous warnings of the flaw that it sent to the software giant. He
said he believes the Data Execution Protection does open up potential
vulnerabilities.

"In this situation, we decided it would be much safer for the industry
to be aware of the new, existing threat," Maksimov wrote in an e-mail.
"Such a vulnerability cannot cause a new worm or virus (to appear).
But that's exactly the situation when it is much better to know about
the problem, than not."

However, at least one industry expert said that Positive's report of
the threat may not be completely fair to Microsoft. Peter Lindstrom, a
research director at Spire Security, observed that the Data Execution
Protection vulnerability is unlikely to be seized upon by hackers. It
relates more to core security issues with the design of many different
kinds of software, not just tools made by Microsoft, he said.

"Maybe you could classify this problem as a lost opportunity on
Microsoft's part to protect Windows better, but that doesn't make it a
vulnerability," Lindstrom said.