How serious are the new XP SP2 flaws?

Microsoft disputes severity of multiple Windows XP SP2 flaws reported by Finjan Software.

Claims that vulnerabilities in Windows XP SP2 could allow an attacker to silently and remotely compromise a machine when a user simply browses a Web page, or receives other mobile code through IM or e-mail, are being disputed by Microsoft.

"At this time, Microsoft cannot confirm Finjan's claims of '10 new vulnerabilities' in Windows XP SP2," a Microsoft spokesperson said in an e-mail exchange. "Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2."

Finjan CEO Shlomo Touboul attributed the flaws to "certain features of security" in SP2 caused by backwards compatibility issues and the emergence of mobile code, such as HTML and Java. In a statement, he said it "has created a situation in which active content travels freely over the Web and gains full control of host computers."

"We stand behind everything we've said," said Gil Arditi, CSO of San Jose, Calif.-based Finjan Software in a telephone interview Thursday. "We sent Microsoft a proof of concept of each of the 10 flaws."

But what are the flaws? Finjan gave scant details on the following:

  • Hackers can remotely access users' local files
    Windows XP SP2 is designed to deny access to a local file in the course of Internet browsing. Therefore, any attempt by a remote Web page to access a local file in any way other than downloading a file is denied. Finjan has shown that this feature can be remotely compromised by hackers.

  • Hackers can switch between Internet Explorer security zones to obtain rights of local zone
    IE uses security zones to differentiate between mobile code by its origin. In this way the permissions of files running from the local hard drive are much higher than the permissions of code downloaded from the Internet. Finjan has shown that it is possible to elevate the privilege level of mobile code downloaded from the Internet. By gaining additional privileges, the remote code could read, write and execute files on the user's hard drive.

  • Hackers can bypass SP2's .exe file notification mechanism
    One of the mechanisms that has been implemented in SP2 is the verification of the download and the execution of content arriving from the Internet. This mechanism is implemented by three new features -- an information bar inside Internet Explorer which filters and blocks unauthorized operations performed by Web pages, a file download dialog which requires the user's confirmation for file save and execution operations, and an execution verification dialog. These features are important to prevent unauthorized silent "drive-by" installations of malicious software.
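
The two SP2 mechanisms the list leans on, zone separation with the Local Machine Zone Lockdown and the download mark that drives the execution verification dialog, can be audited read-only from the host. The script below is an added example and is not code from the article, from Finjan or from Microsoft. The registry keys, the action value IDs and the Zone.Identifier stream are the documented Internet Explorer/SP2 locations; the file path in `$downloaded` is an assumed placeholder. `Get-Content -Stream` needs PowerShell 3.0 or later; on XP itself the same stream can be read with `more < file:Zone.Identifier`.

```powershell
# Added example (not from the article, Finjan or Microsoft): read-only audit
# of SP2's zone lockdown and of the Internet mark on a downloaded file.

# 1. Local Machine Zone Lockdown: when set, local HTML opened in IE gets the
#    restrictive Lockdown_Zones\0 settings instead of Zones\0.
$lockdownKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$lockdown = (Get-ItemProperty -Path $lockdownKey -ErrorAction SilentlyContinue).'iexplore.exe'
if ($lockdown -eq 1) {
    'Local Machine Zone Lockdown: ON for iexplore.exe'
} else {
    'Local Machine Zone Lockdown: OFF (local HTML runs with full Local Machine zone rights)'
}

# 2. Compare the URL actions that matter for active content across the
#    Local Machine zone (0), its lockdown variant and the Internet zone (3).
#    Action values: 0 = allow, 1 = prompt, 3 = disallow.
$isKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1004' = 'Download unsigned ActiveX controls'
    '1400' = 'Active scripting'
}
foreach ($zonePath in 'Zones\0', 'Lockdown_Zones\0', 'Zones\3') {
    $props = Get-ItemProperty -Path "$isKey\$zonePath" -ErrorAction SilentlyContinue
    foreach ($id in $actions.Keys) {
        '{0,-16} {1,-36} = {2}' -f $zonePath, $actions[$id], $props.$id
    }
}

# 3. The execution verification dialog keys off the Zone.Identifier
#    alternate data stream IE writes to every download (ZoneId=3 = Internet).
#    A file that arrived from the Web but carries no mark runs without the
#    prompt, which is what a bypass of the mechanism looks like on disk.
function Get-ZoneId([string]$Path) {
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $m = ($stream | Select-String 'ZoneId=(\d)').Matches
    if ($m.Count -eq 0) { return $null }
    return $m[0].Groups[1].Value
}

$downloaded = 'C:\Documents and Settings\user\Desktop\setup.exe'   # assumed placeholder path
if (Test-Path $downloaded) {
    $zoneId = Get-ZoneId $downloaded
    if ($zoneId -eq '3') {
        "$downloaded is marked Internet zone: SP2 prompts before it runs"
    } else {
        "$downloaded has no Internet mark: it will run without the execution verification dialog"
    }
}
```

Run it as the browsing user, since the zone settings live under HKCU unless policy has moved them to HKLM. A Local Machine zone whose lockdown is off, or a Web download that reaches disk without `ZoneId=3`, is the condition the first and third items above describe; the script does not reproduce any of Finjan's undisclosed proofs of concept.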

Though Finjan followed "responsible disclosure" guidelines by notifying Microsoft and not releasing details of the flaws, some in the security industry have questioned Finjan's motives. The news release announcing the flaws also mentioned that several of Finjan's products can prevent exploitation of the flaws, yet it offered no workarounds.

"What's the purpose of such an announcement?" asked Gerhard Eschelbeck, CTO of Qualys Inc. in Redwood Shores, Calif. "It doesn't supply the end user any detail on how to protect themselves or how to secure a network."

Finjan said it didn't want to recommend any measures that might contribute to malicious activity and plans to release details of the flaws only when patches have been released by Microsoft.

"To offer workarounds would be shining a spotlight on how to write exploits for the flaws," explained Tim Warner, Finjan's head of European sales.

Microsoft says it is still evaluating Finjan's claims. "Once Microsoft concludes investigating Finjan's claims and if Microsoft finds any valid vulnerability in Windows XP SP2, it will take immediate and appropriate action to help protect customers," the spokesperson said.
