Russians say Windows XP SP2 is vulnerable


A little-known Russian security firm claimed Monday [US] that it's spotted vulnerabilities in Microsoft Windows XP SP2, and has taken the unusual step of producing its own patch for the bug.

Researchers at Moscow-based Positive Technologies said that they uncovered the flaws in Windows XP SP2's DEP (Data Execution Prevention) back in early October, and reported them to Microsoft more than a month ago.

When it didn't receive a response, Positive released details of the vulnerability on its website, and posted a patch that supposedly temporarily fixes the problem.

As implemented in SP2, DEP is a collection of hardware and software technologies that do additional checks on memory to protect against malicious code exploits like buffer overflows. While hardware DEP technologies -- such as those in some AMD processors and in upcoming CPUs from Intel -- can protect code throughout the system from such exploits, the software-only DEP that Positive claims is buggy only protects a specific number of Windows' system files.

The utility, which can be downloaded from the Positive website, sets a global flag on the system to block at least one possible exploit vector.

But analysts warn users to be wary of applying non-vendor patches.

"It's just too dangerous," said John Pescatore, a vice president at Gartner, and one of the research firm's security experts. "We tell clients 'never accept patches from anyone but the vendor.' There's no way a major firm -- like an Oracle or a SAP -- could do full regression testing on a patch for another vendor's product, much less a little company like [Positive]."

Recently, Microsoft has been vocal in its denunciations of security firms and researchers who publicise details of vulnerabilities before the developer has a chance to create and release a patch.

Although Pescatore dismissed self-patching, he sympathised with the Positive Technologies of the world when it comes to releasing information.

"I don't believe disclosure should wait forever. We tried that a couple of years ago, and what happened was that vendors never released patches," he said. "You don't want a vulnerability disclosed the exact instant it's discovered, or even days later, but a month is right on that borderline of reasonableness.

"Even if [a vendor] doesn't have a patch, they usually have a workaround by then."

Copyright (c) 2005 CMP Media LLC
