News Major Windows security update foiled

the aptly named news.com has news (shock! ) of an aledged hole in SP2. The Russian outfit that found it claims that it can circumvent the Data Execution Protection safeguards that are part of SP2:

A Russian security company claims it found a way to beat a security measure in Microsoft's Windows XP Service Pack 2, a major update aimed at securing customers' PCs.

The SP2 measure, known as Data Execution Protection, is intended to prevent would-be attackers from inserting rogue code into a PC's memory and tricking Windows into running the program. However, in a paper published Friday, Moscow-based Positive Technologies said two minor mistakes in the implementation of the technology allow a knowledgeable programmer to sidestep the protection.

The company notified Microsoft of the problem Dec. 22, but it apparently decided not to wait for the software giant to patch the flaws.

Neither Microsoft nor Positive Technologies immediately responded to requests for comment Friday.

After several delays, Microsoft began rolling out SP2 in August of last year, at which time company Chairman Bill Gates called the update "a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks."

There's no point following this link, Unless you want to read the article again.

 

Just confirms we are all better off without SP2.

 

Does it? Note that this security problem would require a "knowledgeable programmer to sidestep the protection". How is that less secure than something which any programmer can sidestep?

Anyway, I don't understand what the article's point is. Is there an update or not? How exactly was the update foiled?

 

The point is that SP2 has vulnerabilities, regardless of how knowledgeable a programmer is required to get round the safeguards. No, there is no update as yet.

 

but if you dont have sp2 you r sussepable to the numerious giant flaws in sp1, than novis hackers can exploit. With sp2 you have to be a "knowableable programmer" so ill stick with sp2

 

personally, i'm not a big MS fan, but even so, any operating system is always going to have it's vulnerabilities. as linux and osx gain popularity, you will see more exploits on those operating systems as well.

 

Nope. Can't see the logic there. Are you saying that no holes should be fixed until MS can somehow prevent all future hacks? Does this prescription extend to all software houses?

 

Im using sp1 and have only had one virus via msn
I never use IE
I have a hardware firewall
I have never done windows update

 

MSN is a network security hole waiting to be ass-****ed by anyone with a small amount of knowledge (or google, for chrissakes). Not using IE is good. Hardware firewall is good. Not doing windows update is stupid.

I'm assuming from your post one of three possibilities: 1) you actually removed the IE component, 2) you have a stolen copy of Windows and don't want to risk the potential detection of that fact, or 3) you are too lazy to be arsed (as our British compatriots here are fond of saying) with typing "http://windowsupdate.microsoft.com" in your IE window. One of them is a good reason for not going to the Windows Update site... you can't do so with Firefox or Opera. But two of the reasons can be circumvented by using automatic update (at possible expense of your bandwidth). If you did indeed purchase the software, why in the world would you not update it and "upgrade" it to its furthest potential?


On topic: As far as this news-flash goes, these white-hat security companies are stupid. They say to everyone that they're about promoting security, but instead of that, they give MS, a slow and partially retarded behemouth at the best of times, a one week lead-time for releasing ideas to virus-writers on how to hack SP2. Wait a second, did I say "ideas"? They released code-samples on their website. Is this really a white-hat company, or a bunch of virus-writers trying to look legit while arming every script kiddie in the world with the means to wreak havoc. Assholes.

 

in their defense though, if they gave MS 6 months to fix it before they released the code, it would take MS 6 months and 3 days to come up with a resolution to the problem.

as far as them posting it on their site, i personally don't see a problem with it. they found it, and imo, have a right to publish it. if the script kiddies get ahold of it, then fine, that's merely job security for me.

 

anyone with the money to spend on a proper hardware firewall (rather than just port blockers, and yes i know i rant about software firewalls) who dosen't run windows update has some strange security money ideas.

what make model is it, and i really hope you use updates on that!

 

I'm not so concerned about one person deciding to avoid SP2 or windows update, but more about it being recommended as a course of action to other PC users who don't appreciate the risks.

 

No you fool, it proves that SP2 isn't as secure as we thought. You're still a thousand times better off with it.

 

eh, na!

if your saying that if an OS has 1 bug, then it might as well have a million then your pretty short sighted. This took a tech firm a long time to find (how long has sp2 been out?) and i expect MS will fix it pretty soon!

 

I'll give you that, on the time limit portion. But still, what's a reasonable time to fix this kind of problem? A week? Probably not. A month? Maybe. 3 months? Probably perfect. Given the obscurity of this issue, and the calibre of black-hat programmer needed to find such a bug, no one would have noticed the issue before MS published a fix. Now that code samples are out on the web, what's the likelihood of systems being comprimised because of this bug: near 100%.

As far as your opinion on them posting it, you're right, they do have a legal right to publish it. But their stated goal is belied by their actions: they say they are for security, but do something which overtly puts at risk the entire SP2 user base. Doesn't sound like the right thing to do. And yeah, it's job security for me too, but I'd much rather have a nice placid day than have to worry about silly people getting their identities stolen. Just my 2cents.

 

Also doesn't the article say it's with the application protection thing? I have that off anyway.