Late last week, a Russian security company called Positive Technologies claimed that it had discovered two minor "mistakes" in Microsoft's implementation of a security feature in Windows XP Service Pack 2 (SP2) that could allow hackers to sidestep the feature. The announcement was widely reported at the time as a major security flaw in XP SP2. However, Microsoft this week says that there is no vulnerability because the method described by Positive Technologies cannot be used to let a hacker run malicious code on a user's system.
"Customers are not at risk from the situation," a Microsoft statement reads. "There is no attack that utilizes this [method]." Furthermore, Microsoft says that the security feature in question, called Data Execution Protection (DEP), was designed only to prevent errant code from overwriting memory, preventing a common type of flaw called a buffer overrun. Even if a hacker were able to somehow bypass DEP, the company says, that wouldn't be enough to compromise the system.
Positive Technologies first reported the flaw to Microsoft in late December 2004, but decided to go public with the information after the software company refused to categorize it as a vulnerability. That doesn't mean that Microsoft won't fix the flaw, however. Microsoft representatives say the company will modify DEP and other SP2 features over time as needed, and will examine ways to seal off the bypass methods discovered by Positive.
After Microsoft denounced Positive's claims, Positive CTO Yury Maksimov acknowledged that the DEP vulnerability wasn't enough to open up users to an attack, but noted his frustration with Microsoft's inability to deal with the issue. "Such a vulnerability cannot cause a new worm or virus (to appear)," he wrote in an email to CNET. "But it is much better to know about the problem, than not."