Holes in SP2 Discovered

beatmix01

Golden Member
Jun 22, 2001
1,008
1
0
Researchers find holes in XP SP2
Related linksToday's breaking news
Send to a friendFeedback

By Paul Roberts
IDG News Service, 08/18/04

Security researchers inspecting an update to Microsoft's Windows XP found two software flaws that could allow virus writers and malicious hackers to sidestep new security features in the operating system.

German Internet security portal Heise Security published a security bulletin, dated Aug. 13, describing two holes in Windows XP Service Pack 2 (SP2) and warning users about running programs from untrusted Internet sites. The flaws could allow virus writers to circumvent the security feature and write worms that spread on XP SP2 systems, according to the bulletin. However, the researcher who discovered the holes said he does not consider the flaws to be serious and he still recommends installing SP2.
Advertisement:

Microsoft is investigating the reports of a method to bypass what it calls the Attachment Execution Services in Windows XP SP2, but was not aware of any way for an attacker to use the flaws reported by Heise Security to gain access to a Windows machine, a spokeswoman said.

Microsoft released XP SP2 to its customers shortly after completing work on the massive software update on Aug. 6. SP2 contains a number of new security features, including an improved version of Windows Internet Connection Firewall, now named the Windows Firewall, a new, user-friendly interface for managing security settings and improved features for detecting and blocking malicious content downloaded from Web sites.

Heise Security Editor and Chief Jürgen Schmidt and his colleagues discovered the holes in an XP SP2 feature that marks files downloaded using the Internet Explorer Web browser or saved from e-mail messages using the Outlook Express e-mail client with a "Zone Identifier" or "ZoneID," according to Schmidt.

The ZoneID records the Internet Explorer security zone from which the file originated. Internet Explorer security zones assign different levels of security permission to different sources of files and data. For example, Web sites and files downloaded from the Internet are considered less secure than those obtained from a local area network the computer is connected to, or from the local computer hard drive.

XP SP2 saves ZoneIDs in a text file on the local computer. That file is linked to the downloaded file and used to issue pop-up warnings when Windows users attempt to open files from a dangerous source. However, certain Windows features allow users to open files without receiving a warning, Heise Security found.

For example, users can open files using text commands issued through the Windows command prompt, a standard Windows feature, without being warned about the risk associated with opening the file.

A second bug exploits what Schmidt called a "programming error" in XP SP2 that fails to update the ZoneID information cached for immediate use when files are renamed. That could allow malicious hackers or viruses to get around the user warnings, at least temporarily, by renaming a malicious file that would otherwise generate a warning, he said.

Neither security hole could be exploited by a remote attacker, and both require Windows users to take actions, such as opening the Windows command shell, or renaming files to overwrite other files on Windows, he said.

However, a flaw such as the failure to update cached ZoneID information could cause problems as third-party software programs try to take advantage of XP SP2, he said.

Microsoft was informed of the holes on Aug. 12. The Microsoft Security Response Center responded to the report, saying that the issues raised were not in conflict with "the design goals of the new protections," and that it did not consider the holes serious enough to warrant a patch or workaround, Schmidt said.

A Microsoft spokesman could not confirm or deny that the company issued a statement to Heise Security.

Many security experts agree that XP SP2 improves Windows security, especially by deploying a desktop firewall by default that blocks all but common Internet traffic to and from Windows XP machines. However, the hunt for holes in XP SP2 began as soon as the software update was released. Some security researchers predict that hackers will discover ways to circumvent many of the XP SP2 features, even writing worms and viruses that target machines running the updated operating system.

"SP2 is not going to be the end of all viruses. Users have to be aware of the fact, that the new security features of SP2 are not catch-all solutions," Schmidt said.

Microsoft encourages customers to activate the Windows XP Auto Updates feature so that they can download and install Windows XP SP2 as soon as it is released to the Auto Updates service, a spokeswoman said.

The IDG News Service is a Network World affiliate.

http://www.nwfusion.com/news/2004/0818reseafind.html?nl
 

Crucial

Diamond Member
Dec 21, 2000
5,026
0
71
However, the researcher who discovered the holes said he does not consider the flaws to be serious and he still recommends installing SP2.

That should have been your topic summary.
 

beatmix01

Golden Member
Jun 22, 2001
1,008
1
0
Originally posted by: RagingBITCH
Old news. And SP2 is already released to the public.

May be old, however, I am sure some people are still unaware.

In terms of being released to public, I meant available on Windowsupdate considering thats how most people do their upgrades, if they do it at all.
 

skace

Lifer
Jan 23, 2001
14,488
7
81
For example, users can open files using text commands issued through the Windows command prompt, a standard Windows feature, without being warned about the risk associated with opening the file.

This doesn't seem like a flaw at all. If you are using the dos prompt, microsoft most likely assumes you know what you are doing and don't need a popup. The more popups present when using DOS, the harder it is to script something that will work automatically without user intervention.

Your average user, the type who would need a popup asking them if they are sure they want to open xyz program because it might be dangerous, will most likely not be using dos.
 

Amused

Elite Member
Apr 14, 2001
55,841
13,932
146
Originally posted by: ThePresence
Originally posted by: Amused
Originally posted by: RagingBITCH
Old news. And SP2 is already released to the public.

I don't see it at Windows Update yet.

I got SP2 as an auto-update today.

Well, I manually update and it still hasn;t shown up on the list.

What gives?
 

Sideswipe001

Golden Member
May 23, 2003
1,116
0
0
Dunno why, I've had it for days. Run SUS server at work, and it downloaded it last week. Already deployed it to the 3 XP computers here (with no problems). ;)