By Robert Lemos, 19 August 2004 09:00
NEWS Security researchers say they're starting to find flaws in Microsoft's latest major update for Windows XP.
Last week, German company Heise Security announced that two flaws could be used to circumvent the new warnings that Windows XP Service Pack 2, or SP2, normally would display about running untrusted programs, potentially giving a leg up to a would-be intruder's attempts to execute code on a victim's PC.
And more revelations about vulnerabilities are on the way, Thor Larholm, senior security researcher with vulnerability-assessment company PivX Solutions, said. Larholm has been looking for holes in the security of SP2 since the update was released and has notified Microsoft about several issues but he would not discuss the details.
"I'm positive that we will see critical flaws over the next few weeks, and worms that will circumvent SP2 features over the next few months," he said.
Larholm has found dozens of flaws in Windows XP and Internet Explorer over the past few years and had previously maintained a web page of unpatched vulnerabilities in the software giant's browser.
Microsoft would not discuss whether it had received reports of new vulnerabilities in Windows XP Service Pack 2 but did say that the company's researchers had investigated the Heise issues and found them wanting.
"The security response centre is investigating those reports," said a representative of the company. "This feature is one that is supposed to protect users against executable files from an unknown source or untrusted locations. At this time, [Microsoft's security response centre is] not aware of any instance that attackers could specifically bypass the service through email or a browser."
Security researchers also point out that Microsoft has not solved some well-known issues with a few of the security technologies incorporated into SP2. Though the firewall is improved, it can be circumvented by any locally running program, a problem with most personal firewall programs, said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. Maiffret and his staff are analysing the security update as well.
"We have seen some interesting things but it is only about a week into it," Maiffret said.
The flaw reports could cause companies to hesitate even more before installing Microsoft's latest step to secure Windows. Many companies have said they will hold off on the update until it has been thoroughly vetted.
SP2 is designed to add better security to the operating system's handling of network data, program memory, browsing activity and email messages by changing the system's code and configuration. For example, a revamped firewall is intended to keep attackers out and attempts to prevent malicious applications from connecting to the internet by requiring that the user give specific permission to each application.
The major software update, which took almost a year to create, came to life after the MSBlast worm hit the internet on 11 August. Almost 26 days before, Microsoft had issued a patch for the security hole the worm exploited, but many people did not install the fix even though there was widespread expectation that a virus would be created to take advantage of the flaw.
Microsoft chairman Bill Gates has described SP2 as the most extensive free update to Windows ever and executives have acknowledged that work on the update has delayed other projects, including Longhorn, the next major version of Windows.
In addition to making the software available via automatic update, Microsoft will allow information-technology managers to download an upgrade that companies can use to update their machines.
As for flaws in XP itself, eEye's Maiffret points out that the update is about making Windows XP more secure by adding new protection features and better configuration, not about finding all the vulnerabilities in the operating system.
"Microsoft never claimed that SP2 would close all the security holes," he said.
CNET News.com's Ina Fried contributed to this report.
Robert Lemos writes for CNET News.com
Comments
There are 2 comments. Join the discussion
1. anonymous
The past few days I've heard a lot about XP-SP2... and none of it "good".
Companies with WAN and LAN networks had best "look before they leap" before allowing this new product to be installed.
Today I heard on a radio news station that a lot of users who have already found a place to obtain SP2 and have installed it are having unpleasent issues.
If you already have a personal fire wall program in place, or a good anti-virus application, chances are that either they won't work anymore, or you won't be able to get updates for them anymore.
In place of them will be the new Windows-XP firewall and virus programs which are parts of SP2. And their default settings are set to have most everything else locked up tight.
And while there are ways to reconfigure them, it's purposely made to be a complicated thing to accomplish to discourage amatures from disabling most of the new security features (which few users will like).
My company has placed a block on our network to prevent anyone from being auto-updated with SP2 until we have had the time to check it out first (and to listen to everyone else's crys and complaints until then).
Oh yeah... I also heard that "once installed, your stuck with it and can't remove it again."
So my advice is to "go slow" on this.
2. anonymous
I'd rather rely on the antivirus/firewall I have that take SP2 and have their 'fixes' render it useless!