A potentially serious security hole has been discovered in fully patched versions of Windows XP SP2, even with the integrated firewall turned on.
Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in fully patched versions of Windows XP Service Pack 2.
The software makers confirmation follows public disclosure of the vulnerability by a private security researcher who goes by the moniker "badpack3t."
In an advisory posted at SecurityProtocols.com,
the researcher described the issue as a remote kernel denial-of-service flaw affecting XP SP2, with the default firewall turned on.
"I have been working with Microsoft to get a patch out for this. I notified them 5/4/2005 about the flaw, and they have been working on it since then. Microsoft told me the patch was going to be released in August," he added in the advisory.
Security alerts aggregator Secunia Inc. has flagged the issue as "moderately critical" and confirmed the reports that the integrated firewall does not protect against the flaw.
The discovery has triggered lots of discussions on security mailing lists, with some experts claiming there is a chance that the bug could be used to execute code remotely.
Pedro Bueno, an incident handler at the SANS Internet Storm Center, said the flaw resides in the Windows "Remote Desktop"
feature that allows XP users to remotely control computers from another office, from home or while traveling.
A spokesperson for Redmond, Wash.-based Microsoft Corp. confirmed that it was investigating the public reports, but she downplayed the severity of the vulnerability.
"The initial investigation has found that neither of these involve remote code execution, and Microsoft has not been made aware of attacks that try to use the reported vulnerabilities or of customer impact at this time," the spokesperson said in a statement released to Ziff Davis Internet News.
"Upon completion of these investigations, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through the monthly release process or issuing a security advisory, depending on customer needs," she added.
When vulnerabilities are publicly reported before a patch is available, Microsoft has promised to issue security advisories with mitigation guidance and workarounds, but, in this case, the company has not yet decided if an advisory is necessary.
Click here to read more about Microsofts new security notification service.
Secunia also issued a separate alert for a denial-of-service bug in the Windows Network Connections Service. Affected products include Microsoft Windows 2000 Advanced Server, Datacenter Server, Professional and Server, and Microsoft Windows XP Home Edition and Professional.
"The vulnerability is caused by an error in a function in netman.dll when a large integer is supplied as argument. Successful exploitation crashes the Network Connections Service," the Secunia warning said.
In the absence of a fix from Microsoft, Secunia recommended that only trusted users be granted access to affected systems.
Read more here about recent patches to Microsoft Word and Internet Explorer.
Despite the issues, Microsoft continues to encourage customers to download Windows XP Service Pack 2, insisting that it offers a "significant step" toward Microsofts goal of making the operating system more secure by default.
Microsoft recommends that customers follow the published Protect Your PC guidance
on enabling a
firewall, getting software updates and installing anti-virus software.
The flaw warnings come just days after Microsoft released three bulletins to fix "critical" security holes affecting users of its widely used Microsoft Word and Internet Explorer products.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.