2004-09-07
Eager to tarnish Microsoft's shiny new Service Pack 2, the security press managed to spin the most thin and marginal issues into "gaping holes" and "security craters."
Feast of Egos
2004-09-08
Todd Knarr (2 replies)

You make a good point about the severity of the holes reported thus far. However, the default configurations of Windows Firewall that I have seen expose the "protected" systems to attacks in spite of the firewall running.
Also, the LMZ Lockdown feature in IE is a joke -- as folder templates can easily bypass it, and it leaves several ActiveX objects capable of serious damage accessible.
The stack protection included in the OS components in SP2 slightly impedes attacks when combined with /SAFESEH, but exploitation of the vast majority of stack-based buffer overflows will still be possible, due to code complexities involved.
The heap protection also fails to block every heap overflow exploit I've tested... I can go on, Tim. Just to show that NX is also not the magic potion it's cracked up to be, I've produced code that executes a return-into-libc attack using a heap-based buffer overflow. The scary thing is, it's just as easy to find a target with SP2 installed as without. The only difference is that there is an SP2 target, and a pre-SP2 target.
So, the assessment of this is that SP2 is definitely a step in the right direction, but the battle to secure Windows is far from over. A lot of the excessive media coverage of SP2's failure to *be* a panacea is proportional to the excessive media coverage of its *billing* as one. Microsoft has overly-hyped SP2 from day one, while those of us on the front lines said "Bring it on!" Microsoft has, and now it's our turn to bring them back to Earth with news of their failure to live up to *their own* hype.
Link to this comment: http://www.securityfocus.com/comments/columns/265/28444#28444