Russian security company Positive Technologies has released a patch to a security hole it said it discovered in Microsoft's Windows XP SP2 (Service Pack 2) last year.
"We found two small flaws that a programmer could use to go around the SP2 mechanism Data Execution Protection (DEP)," said Positive Technologies Chief Technology Officer Yury Maximov yesterday.
As Microsoft explains on its website, DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. According to Maximov, Positive Technologies informed the software maker on 22 December about a problem with DEP and was told to wait for a response from the company.
"It has been over one month and we have not heard from Microsoft, so we decided to issue our own patch," Maximov said. "We understand that Microsoft wants to protect its product, but we feel it is more important for people to know about the problem and to know there is a tool to protect them."
Maximov added that it was his understanding that hacker groups were already working on ways to exploit the holes in DEP so as to insert rogue code into a PC's memory.
A Microsoft spokeswoman said the company is still investigating the issue, but early analysis indicates that the bypassing of DEP and the heap overflow protection feature in Windows XP SP2 is not a security vulnerability.
"An attacker cannot use this method by itself to attempt to run malicious code on a user’s system," she said. Additionally, Microsoft is not aware of any attack exploiting the issue, the spokeswoman said. "Customers are not at risk from the situation," she said.
Still, Microsoft is looking at ways to prevent the bypassing of the Windows XP SP2 protection features either through an update as part of its monthly security patch cycle or in a service pack, the spokeswoman said.
Positive Technologies has developed a temporary security measure, which it made available on Friday as a free utility called PTmsHORP, Maximov said.
The security hole cannot be fully eliminated by a separate patch, according to Maximov, and Positive Technologies assumed that Microsoft was not going to publish the problem or issue a security fix before the release of Service Pack 3, he said.
But some analysts question the wisdom of downloading third-party patches. "Personally, I would not advise people installing such patches," said Ovum analyst Graham Titterington. "There is a lot of danger in installing patches from people or companies you're not absolutely sure of. Chances are there wouldn't be a problem, but that is a risk not worth taking."
When other companies make publicly known the security problems within Microsoft products such as SP2, it puts pressure on Microsoft to address the issue, Titterington said, but publishing third-party patches could possibly further the problem.
"I agree that not having heard from Microsoft for a month was slightly undesirable, but the response time for situations like this are usually more like three months," Titterington said.
The PTmsHORP utility can be can be found online for download at www.ptsecurity.ru/ptmshorp.asp.
Joris Evers in San Francisco contributed to this report.