Finjan warns of 10 flaws in Windows SP2


Arif Mohamed

Security supplier Finjan Software has issued an alert relating to 10 security vulnerabilities in Windows XP Service Pack 2 (SP2).

The firm warned that by exploiting all the vulnerabilities, attackers could remotely take over an SP2 machine when the user browses a web page.

The flaws identified by Finjan included bugs that could allow a hacker to remotely access local files; to switch between Internet Explorer security zones to obtain access to the local security zone; or to bypass SP2's notification mechanism for downloading and executing exe files, so files could be downloaded and executed without a warning to the user.

Finjan said it had been able to demonstrate a number of these vulnerabilities and had provided full technical details to Microsoft, but added it would not release details of the flaws to the public.

Microsoft said, "At this time, we cannot confirm Finjan's claims of '10 new vulnerabilities' in Windows XP SP2. Moreover, Microsoft is unaware of attacks against customers attempting to use the alleged vulnerabilities."

Windows XP Service Pack 2 is designed to deny access to a local file in the course of internet browsing. Any attempt by a remote web page to access a local file in any way other than downloading a file is denied.

According to Finjan, this feature can be compromised. It also said it is possible to elevate the privilege level of mobile code downloaded from the internet. By gaining additional privileges, the remote code could read, write and execute files on the user's hard drive, Finjan warned.
