A Russian security firm claimed on Monday that it had spotted a vulnerability in Windows XP SP2, and it took the unusual step of issuing its own patch for the bug.
Moscow’s Positive Technology claimed that it had spotted the bug in XP SP2 in October, and informed Microsoft of it last month. The flaw is apparently inside XP’s Data Execution Mechanism (DEP).
Having waited a month, Positive disclosed the issue on its website, and posted a patch which temporarily solves the problem.
DEP is a collection of hardware and software technologies that do additional checks on memory to protect against malicious code exploits. According to Positive, DEP as implemented in XP SP2 only protects a specific number of Windows’ system files.
But analysts warn users to be wary of applying non-vendor patches.
“It’s just too dangerous,” said John Pescatore, a vice president at Gartner, and one of the research firm’s security experts. “We tell clients ‘never accept patches from anyone but the vendor.’ There’s no way a major firm — like an Oracle or a SAP — could do full regression testing on a patch for another vendor’s product, much less a little company like [Positive].”
Microsoft denied that the issue was a vulnerability, claiming that since it required full administrative privileges to run, there was effectively no added risk.
“An attacker cannot use this method by itself to attempt to run malicious code on a user’s system,” Microsoft said in a statement. “There is no attack that utilizes this, and customers are not at risk from the situation.”
In addition, Microsoft disagrees with Positive’s interpretation of the DEP implementation, saying the technology was not created to necessarily foil existing threats but to make developing attacks against Service Pack 2 harder.
“Maybe you could classify this problem as a lost opportunity on Microsoft’s part to protect Windows better, but that doesn’t make it a vulnerability,” says Peter Lindstrom, a researcher at Spire Security.