A list of vulnerabilities

By Ryan Naraine  |  Posted 2005-04-07

These vulnerabilities include:

  • Finjan's Alleged Flaws:
    Last November, private security consulting firm Finjan Software triggered a debate on responsible disclosure after it released information on 10 new flaws found in the Windows XP SP2 (Service Pack 2) operating system.
    Finjan warned at the time that attackers could "silently and remotely" hijack SP2 machines because of "major flaws" that compromise end-user security.

    Finjan CEO Shlomo Touboul told eWEEK.com that full technical details of the vulnerabilities—including proof-of-concept code—were given to Microsoft but that the software giant hurriedly downplayed the risks. "Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2," the company spokeswoman said.
  • Office Encryption Weakness:
    Hongjun Wu, a researcher at the Institute for Infocomm Research in Singapore, warned that Microsoft's misuse of the RC4 (Rivest Cipher 4) algorithm in its Word and Excel products could open the door for malicious hacker attacks.

    "[W]hen an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document. The consequence is disastrous since a lot of information of the document could be recovered easily," Wu said.

    However, Microsoft maintains that the reported flaw poses a very low threat for users of the two popular word processing programs. "In some cases, an attacker may be able to read the contents of an encrypted file if multiple versions of that file are available to the attacker," a Microsoft spokeswoman acknowledged. She urged customers to restrict access to their encrypted Office documents as they are being created and revised, and to save the document with a new password after making changes. The company promised to investigate Wu's findings and, if necessary, provide a patch at a later date.
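
The keystream reuse Wu describes, as an added example that is not from the article, from Wu's paper or from Microsoft: two revisions of a document are encrypted with RC4 under the same password, first with the IV kept across saves and then with a fresh IV per save. The key derivation in `save`, the password and the document text are constructed assumptions, not Office's actual scheme.

```python
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def save(password: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Stand-in key derivation (assumption, not Office's actual scheme).
    key = hashlib.sha256(password + iv).digest()[:16]
    return rc4(key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 ^ c2 == p1 ^ p2, i.e. both saves used one keystream."""
    return xor(c1, c2) == xor(p1, p2)


# Constructed sample data: two revisions of one document, same length.
PASSWORD = b"constructed-password"
V1 = b"Q3 forecast: revenue 4.1M, headcount flat."
V2 = b"Q3 forecast: revenue 2.7M, headcount -12%."

FIXED_IV = bytes(16)  # weak setting: IV unchanged between saves
C1, C2 = save(PASSWORD, FIXED_IV, V1), save(PASSWORD, FIXED_IV, V2)
REUSED = keystream_cancels(C1, C2, V1, V2)
# Corrected setting: a fresh random IV on every save.
FRESH = keystream_cancels(save(PASSWORD, os.urandom(16), V1),
                          save(PASSWORD, os.urandom(16), V2), V1, V2)

if __name__ == "__main__":
    print("IV reused: ciphertext XOR equals plaintext XOR ->", REUSED)
    print("fresh IV:  ciphertext XOR equals plaintext XOR ->", FRESH)
```

With the IV held fixed, every byte the two ciphertexts share is a byte the two revisions share, so the ciphertexts alone show where the document was edited.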