A
anonymous
-------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no
rights. You assume all risk for your use.
-------------------------------------------------------------------
Russian company finds, patches hole in XP
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,99406,00.html?source=x10
Positive Technologies has released a patch for the flaw
News Story by Laura Rohde
JANUARY 31, 2005 (IDG NEWS SERVICE) - Russian security company
Positive Technologies has released a patch to a security hole it said
it discovered in Microsoft Corp.'s Windows XP Service Pack 2 last
year.
"We found two small flaws that a programmer could use to go around the
SP2 mechanism Data Execution Protection," Positive Technologies' chief
technology officer, Yury Maximov, said today.
As Microsoft explains on its Web site, DEP is a set of hardware and
software technologies that perform additional checks on memory to help
prevent malicious code from running on a system. According to Maximov,
Positive Technologies informed the software maker on Dec. 22 about a
problem with DEP and was told to wait for a response from the company.
"It has been over one month, and we have not heard from Microsoft, so
we decided to issue our own patch," Maximov said. "We understand that
Microsoft wants to protect its product, but we feel it is more
important for people to know about the problem and to know there is a
tool to protect them."
Maximov said that it was his understanding that hacker groups are
already working on ways to exploit the holes in DEP so as to insert
rogue code into a PC's memory.
Microsoft is still investigating the issue, but early analysis
indicates that the bypassing of DEP and the heap overflow protection
feature in Windows XP SP2 is not a security vulnerability, a Microsoft
spokeswoman said in a statement. "An attacker cannot use this method
by itself to attempt to run malicious code on a user's system," she
said.
Additionally, Microsoft is not aware of any attack exploiting the
vulnerability, the spokeswoman said. "Customers are not at risk from
the situation."
Still, Microsoft is looking at ways to prevent the bypassing of the
Windows XP SP2 protection features, either through an update as part
of its monthly security patch cycle or in a service pack, the
spokeswoman said.
Moscow-based Positive Technologies has developed a temporary security
measure, which it made available on Friday as a free utility called
PTmsHORP, Maximov said.
The security hole can't be fully eliminated by a separate patch,
according to Maximov, and Positive Technologies assumed that Microsoft
was not going to publish the problem or issue a security fix before
the release of Service Pack 3, he said.
But some analysts question the wisdom of downloading third-party
patches. "Personally, I would not advise people installing such
patches," said Ovum Ltd. analyst Graham Titterington. "There is a lot
of danger in installing patches from people or companies you're not
absolutely sure of. Chances are, there wouldn't be a problem, but that
is a risk not worth taking."
When other companies make publicly known the security problems within
Microsoft products such as SP2, it puts pressure on Microsoft to
address the issue, Titterington said, but publishing third-party
patches could possibly further the problem.
"I agree that not having heard from Microsoft for a month was slightly
undesirable, but the response time for situations like this are
usually more like three months," Titterington said.
The PTmsHORP utility can be found online at
www.maxpatrol.com/ptmshorp.asp.
Joris Evers, of the IDG News Service, contributed to this report.
This posting is provided "AS IS" with no warranties, and confers no
rights. You assume all risk for your use.
-------------------------------------------------------------------
Russian company finds, patches hole in XP
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,99406,00.html?source=x10
Positive Technologies has released a patch for the flaw
News Story by Laura Rohde
JANUARY 31, 2005 (IDG NEWS SERVICE) - Russian security company
Positive Technologies has released a patch to a security hole it said
it discovered in Microsoft Corp.'s Windows XP Service Pack 2 last
year.
"We found two small flaws that a programmer could use to go around the
SP2 mechanism Data Execution Protection," Positive Technologies' chief
technology officer, Yury Maximov, said today.
As Microsoft explains on its Web site, DEP is a set of hardware and
software technologies that perform additional checks on memory to help
prevent malicious code from running on a system. According to Maximov,
Positive Technologies informed the software maker on Dec. 22 about a
problem with DEP and was told to wait for a response from the company.
"It has been over one month, and we have not heard from Microsoft, so
we decided to issue our own patch," Maximov said. "We understand that
Microsoft wants to protect its product, but we feel it is more
important for people to know about the problem and to know there is a
tool to protect them."
Maximov said that it was his understanding that hacker groups are
already working on ways to exploit the holes in DEP so as to insert
rogue code into a PC's memory.
Microsoft is still investigating the issue, but early analysis
indicates that the bypassing of DEP and the heap overflow protection
feature in Windows XP SP2 is not a security vulnerability, a Microsoft
spokeswoman said in a statement. "An attacker cannot use this method
by itself to attempt to run malicious code on a user's system," she
said.
Additionally, Microsoft is not aware of any attack exploiting the
vulnerability, the spokeswoman said. "Customers are not at risk from
the situation."
Still, Microsoft is looking at ways to prevent the bypassing of the
Windows XP SP2 protection features, either through an update as part
of its monthly security patch cycle or in a service pack, the
spokeswoman said.
Moscow-based Positive Technologies has developed a temporary security
measure, which it made available on Friday as a free utility called
PTmsHORP, Maximov said.
The security hole can't be fully eliminated by a separate patch,
according to Maximov, and Positive Technologies assumed that Microsoft
was not going to publish the problem or issue a security fix before
the release of Service Pack 3, he said.
But some analysts question the wisdom of downloading third-party
patches. "Personally, I would not advise people installing such
patches," said Ovum Ltd. analyst Graham Titterington. "There is a lot
of danger in installing patches from people or companies you're not
absolutely sure of. Chances are, there wouldn't be a problem, but that
is a risk not worth taking."
When other companies make publicly known the security problems within
Microsoft products such as SP2, it puts pressure on Microsoft to
address the issue, Titterington said, but publishing third-party
patches could possibly further the problem.
"I agree that not having heard from Microsoft for a month was slightly
undesirable, but the response time for situations like this are
usually more like three months," Titterington said.
The PTmsHORP utility can be found online at
www.maxpatrol.com/ptmshorp.asp.
Joris Evers, of the IDG News Service, contributed to this report.
)
