Ten new security holes in Windows XP Service Pack 2 have been discovered, so get ready to insert new patches into your patch management schedule. Microsoft recently announced their Security Bulletin Advance Notification Program, which gives administrators a several days advance notice of upcoming patches, however these new security holes were announced by security product maker Finjan Software.

Finjan said their Malicious Code Research Center discovered the new vulnerabilities, at least some of which are very dangerous. A spokesperson for the company said "Finjan has provided Microsoft with full technical details concerning the vulnerabilities \[... \]and has been assisting Microsoft to patch these holes. In order to prevent the creation of malicious viruses and worms, Finjan will not release any
technical details about these vulnerabilities until they are fully patched by Microsoft."

Shlomo Touboul, CEO and Founder of Finjan Software, said "Windows XP SP2 operating system is a continuation of the same Windows XP Operating System and Windows Kernel. All Windows versions have been developed with requirements for highest backward compatibility and open architecture, with maximum productivity and ease of use. In addition, Windows applications typically run with administrative permission with full and unlimited access to computer resources."

 "This, together with the emerging technology of mobile code has created a situation in which active content travels freely over the web and gains full control of host computers. These fundamentals create a green field for hackers shown by constantly increasing attacks and damage over the last few years. A security patch of Windows operating system without changing the rules of the game will not be enough to fight the recent complex malicious code attacks such as Scob, Mydoom, and others. End users and Enterprises must add an independent security layer that is not dependent on the above fundamentals. Application level behavior blocking is the leading technology designed to immunize systems from both known and unknown vulnerabilities and exploits; viruses, worms, Trojans, spyware, phishing and other threats," Touboul continued.

The vulnerabilities discovered at Finjan could allow attackers to "silently and remotely" take control over an affected system when a user visits a malicious Web page. As you well know, enticing someone to visit a Web page is relatively easy to do.

The company outlined several scenarios to better explain the risks:

  • Hackers can remotely access users' local files Windows(R) XP SP2 is designed to deny access to a local file in the course of Internet browsing. Therefore, any attempt by a remote web page to access a local file in any way other than downloading a file, is denied. Finjan has shown that this feature can be remotely compromised by hackers.
  • Hackers can switch between Internet Explorer Security Zones to obtain rights of local zone Internet Explorer uses the notion of security zones to differentiate between mobile codes by their origin. In this way, for example, the permissions of files running from the local hard drive are much higher than the permissions of code downloaded from the Internet. Finjan has shown that it is possible to elevate the privilege level of mobile code downloaded from the Internet. By gaining additional privileges, the remote code could read, write and execute files on the user's hard drive.
  • Hackers can bypass SP2's notification mechanism on the download and execution of EXE files and therefore download files without any warning or notification One of the mechanisms that have been implemented in SP2 is the verification of the download and the execution of content arriving from the Internet. This mechanism is implemented by three new features - an information bar inside Internet Explorer which filters and blocks unauthorized operations performed by web pages, a file download dialog which requires the user's confirmation for file save and execution operations, and
    an execution verification dialog. These features are important to prevent unauthorized silent "drive-by" installations of malicious software.

Upon learning of this news story a spokesperson for Microsoft said the company "is aware of the claims by Finjan Software and at this time cannot confirm Finjan's claims of  "ten new vulnerabilities" in Windows XP SP2. Moreover, Microsoft is currently unaware of active attacks against customers
attempting to utilize the alleged vulnerabilities as reported by Finjan.  We have been contacted by Finjan regarding various potential issues as part of the usual responsible disclosure protocol and are actively investigating those issues through our security response process to determine the validity and accuracy of the reported issues."

"Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2.  Once Microsoft concludes investigating Finjan's claims and if Microsoft finds any valid vulnerability in Windows XP SP2, Microsoft will take immediate and appropriate action to help protect customers. "

Other vendors also offer advance notice of unpatched security holes in Windows platforms and related services. For example, eEye Digital Security maintains a Web page of upcoming advisories on their Research site. As of November 10 the page lists one upcoming advisory that relates to remote code execution, which eEye given its highest severity rating. The company notifies the vendor (in this case Microsoft) of vulnerabilities and when the vendor releases a patch then eEye releases its own advisory to the public. Often times knowledge of still other unpatched vulnerabilities can be gathered from intrusion detection systems, which store signatures to recognize attacks.

The practice of notifying the public about the mere existance of security vulnerabilities (not to mention any significant details) is a sore spot in many people's minds. Researchers gain publicity for themselves and their products, and at the same time some claim they offer advance notice in order to keep a tiny bit of pressure on vendors to work quickly to produce patches. Striking a balance in that sort of act is difficult at best since it's not likely that everyone can be pleased all of the time and invariably it's the end users of products who suffer most in the event that too much information is released too soon.