Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in fully patched versions of Windows XP Service Pack 2.

The software maker's confirmation follows public disclosure of the vulnerability by a private security researcher who goes by the moniker "badpack3t."

In an advisory posted at SecurityProtocols.com, the researcher described the issue as a remote kernel denial-of-service flaw affecting XP SP2, with the default firewall turned on.

"I have been working with Microsoft to get a patch out for this. I notified them 5/4/2005 about the flaw, and they have been working on it since then. Microsoft told me the patch was going to be released in August," he added in the advisory.

Security alerts aggregator Secunia Inc. has flagged the issue as "moderately critical" and confirmed the reports that the integrated firewall does not protect against the flaw.

The discovery has triggered lots of discussions on security mailing lists, with some experts claiming there is a chance that the bug could be used to execute code remotely.

Pedro Bueno, an incident handler at the SANS Internet Storm Center, said the flaw resides in the Windows "Remote Desktop" feature that allows XP users to remotely control computers from another office, from home or while traveling.

A spokesperson for Redmond, Wash.-based Microsoft Corp. confirmed that it was investigating the public reports, but she downplayed the severity of the vulnerability.

"The initial investigation has found that neither of these involve remote code execution, and Microsoft has not been made aware of attacks that try to use the reported vulnerabilities or of customer impact at this time," the spokesperson said in a statement released to Ziff Davis Internet News.

"Upon completion of these investigations, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through the monthly release process or issuing a security advisory, depending on customer needs," she added.

When vulnerabilities are publicly reported before a patch is available, Microsoft has promised to issue security advisories with mitigation guidance and workarounds, but, in this case, the company has not yet decided if an advisory is necessary.

Source


"We can categorically state that we have not released man-eating badgers into the area."

-UK military spokesman Major Mike Shearer