Flaws and a Delay for XP SP2

Just one day after Microsoft delayed the delivery of its Windows XP Service Pack 2 (XP SP2) update for the Professional Edition, a German research firm announced the discovery of two security flaws in the application.

XP SP2, the long-awaited security-centric update from Microsoft, is meant to resolve the many security issues that have plagued the XP operating system since its release in 2001.

German research firm Heise Security has issued an advisory for a pair of security flaws in Microsoft’s recently shipped Windows XP SP2 with a warning that attackers could launch malicious files from a non-trusted zone.

According to the alert posted online, Heise said two vulnerabilities in the implementation of a new “security warning” feature in SP2 opens the door for the spread of harmful viruses.

The flaws occur because the Windows command shell ignores zone information and starts executable files without warnings. Heise Security said the second bug relates to the inability of the Windows Explorer feature to update zone information properly when files are overwritten.

“[Windows Explorer] can be tricked to execute files from the Internet without warning,” the firm says.

According to the advisory, Microsoft investigated the warnings and found that they were not in conflict with the design goals of the new protections built into XP.

“We are always seeking improvements to our security protections, and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address,” Microsoft explains.

However, Heise says there is evidence that XP SP2 will launch malicious files without warning the user.

“Exploitation of this issue requires some user interaction &#151 at least as long as nobody comes up with a way to execute cmd.exe with parameters from within Outlook Express or Internet Explorer,” the company says, noting that virus writers could create e-mail worms to launch files without getting a warning from SP2.

Separately, e-commerce giant eBay posted a notice to its users to warn of potential disruptions with some of its auction creation tools.

“Members who use the eBay toolbar will notice that some of the features are working and others are not. For those of you who use or try to sign up for eBay’s Enhanced Picture Services, it is currently not working. You will be able to access and use the Basic Picture Services at this time. We are working fast to address these issues,” eBay said.

XP SP2 Delivery Schedule Adjusted
Microsoft’s delay in delivering the automated delivery XP SP2 update for its XP Professional Edition comes as a result of several high-end enterprise customers needing more time to prepare for the Automatic Update feature.

Microsoft originally planned to deliver SP2 via Automatic Update as a critical download on August 10, but this has been pushed back to August 25 for machines running Windows XP Professional Edition.

The service pack delivery via Automatic Update is on schedule for machines running pre-release versions of Windows XP SP2. On Wednesday, August 18, the company released SP2 for users running Windows XP Home Edition only.

A Microsoft spokesman confirmed that the adjustment dates affects only users of Windows XP Professional because enterprises needed additional time to configure desktops running Automatic Updates.

“We actually haven’t made many distribution changes, but those we have made have been in response to customer feedback,” the spokesman says. “For example, some enterprise customers were interested in temporarily disabling Automatic Updates in order to be fully prepared to install SP2, and we provided a tool that allows them to do so.

“We designed AU [Automatic Update] with consumers and small businesses in mind, and we were quite pleasantly surprised by the number of enterprise customers that have found it a valuable means of keeping computers up to date.”

He says the software giant is on track for more than 100 million SP2 installations through Automatic Update alone by the end of October. The company has already distributed one million copies of the service pack through its Download Center and MSDN portals.

Adapted from Internetnews.com.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.