According to the security company, the flaws mean that "attackers can silently and remotely take over an SP2 machine when the user simply browses a web page".
Finjan has informed Microsoft of the flaws and is working with the Redmond, Washington-based giant to sew them up. The company won't provide any details about the flaws, which have yet to be patched, in case it helps hackers and virus writers start work on exploiting the vulnerabilities before Microsoft issues any potential fix.
However, Finjan did give details of what kind of attack the flaws could be used to launch.
One, according to the company, would allow hackers to remotely access users' local files, by compromising a feature that disallows remote web pages access to local file apart from by downloading a file.
Another flaw could let hackers bypass XP SP2's notification mechanism about downloading and execution of .exe, which could let them download files without warning the user.
Microsoft, however, isn't hitting the panic button just yet.
A Microsoft spokeswoman said "Microsoft is aware of the claims by Finjan Software of possible vulnerabilities in Windows XP SP2. At this time, Microsoft cannot confirm Finjan’s claims of 'ten new vulnerabilities' in Windows XP SP2. Moreover, Microsoft is currently unaware of active attacks against customers attempting to utilise the alleged vulnerabilities as reported by Finjan."
"Our early analysis indicates that Finjan’s claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2," she added.
Microsoft is investigating the claims and will issue a fix if necessary.
Talkback
If it's rubbish then why is Microsoft investigating it still? Either Microsoft states that they're still investigating and will report their findings in due time OR they call it rubbish and at the same time don't mind if the exploit code is published in public on, say, the ZDNet UK frontpage. Because then we'll know in days how rubbish it really is.
Answer me this. How come that exploits for well known Open Source solutions are almost always disclosed in public first to then get fixed within days and even hours while exploits for Microsoft products are often disclosed in private first for weeks and even months on end to then get fixed in a monthly patch cycle by fixes that sometimes do more harm then good?
How come that the Internet itself is heavily depended on all sorts of Open Source and Public Domain solutions (Apache, BIND, SMTP, POP3, Linux, HTTP, etc, etc) around the globe on thousands upon thousands upon thousands of machines without a single global disaster year in, year out while Microsoft products have several each year? I mean, if you want to put your name in the history books then go and kill BIND or Apache worldwide. It's never been done before so that should give you headlines. Whereas killing Microsoft products on a global scale isn't surprising anymore. It's more a question of when rather then if. Then again, in the Microsoft case you're paying for that service. Maybe that's the difference. As long as you pay for it you're actually saying: I want more of this. Don't really bother with security and privacy, I'll pay for the next release anyway. Either directly or indirectly by purchasing hardware from a vendor that's hooked on one of those Microsoft taxes.
I really don't want to sound like yet another mean spirited gloating Apple user but really, this is all very confusing. Here we yet yet more flaws in windows and very few of you appear to have the gumption to do anything but accept it. Mr' Gates' monopoly abuse continues unfettered and his fortune expands along with it and you have no problem with this? You just keep downloading the fixes/patches/'service packs', live in fear of what could be in the next email attachment and happily enjoy the sight of an odd orangy 'x' at the top right of every window. And you think that this is just how life with a computer is supposed to be? After the list of viruses got above 10,000 I'd have expected some reaction but there isn't any. Lots of complaining but no action. I really don't understand.
While not wishing to trash Apple as they produce fine machines, I can't help thinking that if they were to take over the position of PCs as the dominant systems, they too would be the target of virus writers as they are not immune from viruses.
But it has been proved before that OSX is in terms of structure more robust than any version of Windows.