[ISN] Hunt for XP SP2 flaws seen in full swing

InfoSec News isn at c4i.org
Fri Aug 13 13:02:54 EDT 2004


By Joris Evers
IDG News Service

While users are testing Service Pack 2 for Windows XP to prevent
compatibility problems, hackers are picking apart the security-focused
software update looking for vulnerabilities, security experts said.

"We will see new vulnerabilities discovered in SP2 over the next few
weeks. Give it a month or two and we will also see worms that affect
SP2," said Thor Larholm, senior security researcher at PivX Solutions
LLC, a security services company in Newport Beach, Calif.

SP2 represents real progress for Microsoft and underscores its
commitment to security, according to industry observers. The update
provides protection against most security exploits known today. For
example, the improved and automatically enabled Windows Firewall would
block attacks such as the Blaster worm that crippled the Internet a
year ago.

"A lot of the current attack vectors are blocked by SP2," Larholm
said. "Folks are now trying to find new ways to plant code on a
system. A lot of these new ways will use e-mail, instant messaging and
Web traffic - any kind of traffic that a PC requests from the outside
world - because that will go through the firewall without

Also, it appears Microsoft's new software-based memory protection
technology is vulnerable, according to Larholm. The data execution
prevention (DEP) is meant to protect users against buffer overruns,
but Microsoft appears to have implemented it poorly, providing an easy
way for attackers to circumvent the protection, Larholm said.

Although there undoubtedly will be vulnerabilities found in SP2, the
bar for Windows security has been raised and the operating system will
be tougher to attack, said Russ Cooper, a senior scientist at
TruSecure, in Herndon, Va.

"We will always see new attacks, but at least Microsoft has put a
stake in the ground and has said, 'Now this is enough.' The existing
attacks have been stopped," he said.

Because of the new Windows Firewall, Cooper predicts that future
attacks will target applications that require users to change their
firewall configurations, essentially opening a door to their systems.

"If you see anything, you will see attacks that are more targeted at
communities of users, such as (users of) Quake, Kazaa, BitTorrent,
anything that has a listening service and requires a user to create a
rule to bypass the firewall. That is where they are opening themselves
up to attack," Cooper said.

Microsoft is currently unaware of any vulnerability in SP2, a company
spokesman said. If a vulnerability is reported, the software maker
will investigate it and determine the appropriate response. This could
include providing an update as part of its monthly patch cycle or an
out-of-cycle update, the spokesman said.

More information about the ISN mailing list