XP SP2 Flaw Warning Sparks Debate on Disclosure

Microsoft reacts sharply to an alert released by Finjan Security highlighting 10 potentially serious vulnerabilities in Windows XP Service Pack 2.

The debate over responsible disclosure of security flaw warnings has erupted again, with Microsoft chiding a private research firm for releasing information on 10 new flaws found in the Windows XP SP2 (Service Pack 2) operating system.

San Jose, Calif.-based Finjan Software released an alert warning that attackers could "silently and remotely" hijack SP2 machines because of "major flaws" that compromise end-user security.

Finjan chief executive Shlomo Touboul told eWEEK.com that full technical details of the vulnerabilities—including proof-of-concept code—were given to Microsoft, but the software giant reacted sharply by suggesting that the Finjan warning is overblown.

"Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2," a Microsoft spokesperson said.

"Once Microsoft concludes investigating Finjan's claims and if Microsoft finds any valid vulnerability in Windows XP SP2, it will take immediate and appropriate action to help protect customers," she added.

According to Finjan, the flaws are so serious that XP SP2 users are at risk if they simply browse a Web page. The holes also could be exploited to allow malicious hackers to remotely access users' local files or to switch between Internet Explorer Security Zones to obtain the rights of the Local zone.

The research outfit also claims that it discovered a bug in the notification mechanism built into XP SP2 to warn users when executable files are being downloaded. Finjan claims it has already proven to Microsoft that hackers can bypass the mechanism to inject arbitrary code without any warning or notification.

When told that Microsoft was discounting the severity of his company's claims, Finjan's Touboul lashed back: "These are not theoretical assumptions. These findings are based on code implementing each and every one of those 10 vulnerabilities."

Microsoft said it would continue investigating Finjan's claims to confirm which vulnerability reports are valid before rolling out possible fixes.

"[We encourage] Finjan to abide by the principles of responsible disclosure and to decline to provide further comment or details on the alleged vulnerabilities until Microsoft is able to complete its investigation and can respond properly to protect customers," the spokesperson said.
