
Security News

SP2 is a major security enhancement, but not impeccant

August 24, 2004

Worries about how well SP2 will work with existing software, coupled with concerns about possible security vulnerabilities, have led many IT people to hold back from installing the security update.

Last week, Microsoft admitted that it had identified 50 programs -- ranging from business applications to utilities and security software -- that will not work properly with SP2. Internet security experts are advising companies to be wary of installing the update. "Don't apply it until you know that it's working," said Secunia CTO Thomas Kristensen.

Microsoft was due to start rolling out SP2 to users who had enabled the automatic update function on their computers on August 16th. But software glitches have led Microsoft to postpone the automatic update release to August 25th.

"These reports of conflicts and security flaws are nothing new," Yankee Group analyst Laura DiDio said in an interview with NewsFactor. "Whenever a new security patch comes out, you hear this drumbeat. People have very high expectations of Microsoft -- they think that after spending billions of dollars, it should be able to fix their security problems." But some of the responsibility for any problems arising from SP2 lies with the independent software vendors and also with the users themselves, DiDio said. "Some users have very badly configured networks," she said. "Also, no software is ever perfect, as software is not an exact science. Nor is there hack-proof software. Networks were originally designed to share information, not to prevent people from gaining access."

Meanwhile, security researchers are reporting new vulnerabilities in SP2 that could allow a malicious Web site to deposit an attack program on a user's system.

The attack utilizes Internet Explorer's drag-and-drop features and the Windows "shell folders" to copy an executable from a malicious Web site to a user's startup folder, from which it would execute the next time the user logged on. The researcher who reported the problem to security mailing lists provided proof-of-concept code that leaves a file named "malware.exe" in the user's startup folder. For the attack to succeed, the user would need to visit a Web page that hosted it and follow the instructions.

A German Internet security consultant claims to have found other "flaws" in Microsoft's Service Pack 2 update for the Windows XP operating system. Internet security expert Juergen Schmidt, a researcher at Hannover, Germany-based Heise Security, says in a posting on the Internet that there are possible flaws in SP2 that could allow hackers to exploit a user's computer.

Juergen has reported that hackers could bypass SP2's new security features and infect a computer running Windows XP with a worm or a virus, adding that certain Windows features would allow users to execute potentially harmful files downloaded from the Web without any warning of the potential risks. Windows XP does not track the origin of a file if the file has been overwritten, so the system can be "tricked" into executing files from the Internet without displaying a warning, even if users install the new SP2 update.

Microsoft said that it had investigated the claims, but was not aware of any way a hacker could use the flaws revealed in those studies to take over a Windows XP-run machine.

© 2006 PC Flank Ltd. All rights reserved.