August 18, 2004 12:47 PM PDT

Pros point to flaws in Windows security update

Security researchers say they're starting to find flaws in Microsoft's latest major update for Windows XP.

Last week, German company Heise Security announced that two flaws could be used to circumvent the new warnings that Windows XP Service Pack 2, or SP2, normally would display about running untrusted programs, potentially giving a leg up to a would-be intruder's attempts to execute code on a victim's PC.

And more revelations about vulnerabilities are on the way, Thor Larholm, senior security researcher with vulnerability-assessment company PivX Solutions, said Wednesday. Larholm has been looking for holes in the security of SP2 since the update was released and has notified Microsoft about several issues, but he would not discuss the details.

"I'm positive that we will see critical flaws over the next few weeks, and worms that will circumvent SP2 features over the next few months," he said.

Larholm has found dozens of flaws in Windows XP and Internet Explorer over the past few years and had previously maintained a Web page of unpatched vulnerabilities in the software giant's browser.

Microsoft would not discuss whether it had received reports of new vulnerabilities in Windows XP Service Pack 2 but did say that the company's researchers had investigated the Heise issues and found them wanting.

"The security response center is investigating those reports," said a representative of the company. "This feature is one that is supposed to protect users against executable files from an unknown source or untrusted locations. At this time, (Microsoft's security response center is) not aware of any instance that attackers could specifically bypass the service through e-mail or a browser."

Security researchers also point out that Microsoft has not solved some well-known issues with a few of the security technologies incorporated into SP2. Though the firewall is improved, it can be circumvented by any locally running program, a problem with most personal firewall programs, said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. Maiffret and his staff are analyzing the security update as well.

"We have seen some interesting things, but it is only about a week into it," Maiffret said.

The flaw reports could cause companies to hesitate even more before installing Microsoft's latest step to secure Windows. Many companies have said they will hold off on the update until it has been thoroughly vetted.

SP2 is designed to add better security to the operating system's handling of network data, program memory, browsing activity and e-mail messages by changing the system's code and configuration. For example, a revamped firewall is intended to keep attackers out and attempts to prevent malicious applications from connecting to the Internet by requiring that the user give specific permission to each application.

The major software update, which took almost a year to create, came to life after the MSBlast worm hit the Internet on Aug. 11. Almost 26 days before, Microsoft had issued a patch for the security hole the worm exploited, but many people did not install the fix even though there was widespread expectation that a virus would be created to take advantage of the flaw.

Microsoft Chair Bill Gates has described SP2 as the most extensive free update to Windows ever, and executives have acknowledged that work on the update has delayed other projects, including Longhorn, the next major version of Windows.

In addition to making the software available via automatic update, Microsoft will allow information-technology managers to download an upgrade that companies can use to update their machines.

As for flaws in XP itself, eEye's Maiffret points out that the update is about making Windows XP more secure by adding new protection features and better configuration, not about finding all the vulnerabilities in the operating system.

"Microsoft never claimed that SP2 would close all the security holes," he said.

CNET News.com's Ina Fried contributed to this report.

4 comments

Join the conversation!
Add your comment
Jesus H. Cricket...
Why in the hell can't Microsoft get anything write. Now we have to patch the patch because the patch is crap. I wish we had an alternative to Windows (do speak to me about Linux or the Macintosh, they aren't viable for consumers).

I am getting really pissed. First we have to nearly 10 years for the next version of Windows, Microsoft doesn't want to update IE and now their patch is got more holes than a strainer. What the hell is the point.

Maybe a Macintosh is the way to go. At the rate Microsoft is going people are going to have to switch to something.

Robert
Posted by (336 comments )
Reply Link Flag
Look in the mirror
I despise Micro$oft as much as the next person, but when your rant contains more errors than the OS you are ranting about, it kind of loses credibility.

...get anything write.
write (verb) - to form (as characters or symbols) on a surface with an instrument (as a pen)
right (adjective) - correct

...(do speak to me...
If you want us TO speak to you then why are you complaining about the fact that "...,they aren't viable for consumers.")

...we have to nearly 10 years...
We have to what?

...their patch is got more holes...
is (verb) - state of being
has (adject) - to hold, include, or contain as a part or whole
Posted by (2 comments )
Link Flag
Jesus H. Cricket...
Why in the hell can't Microsoft get anything write. Now we have to patch the patch because the patch is crap. I wish we had an alternative to Windows (do speak to me about Linux or the Macintosh, they aren't viable for consumers).

I am getting really pissed. First we have to nearly 10 years for the next version of Windows, Microsoft doesn't want to update IE and now their patch is got more holes than a strainer. What the hell is the point.

Maybe a Macintosh is the way to go. At the rate Microsoft is going people are going to have to switch to something.

Robert
Posted by (336 comments )
Reply Link Flag
Look in the mirror
I despise Micro$oft as much as the next person, but when your rant contains more errors than the OS you are ranting about, it kind of loses credibility.

...get anything write.
write (verb) - to form (as characters or symbols) on a surface with an instrument (as a pen)
right (adjective) - correct

...(do speak to me...
If you want us TO speak to you then why are you complaining about the fact that "...,they aren't viable for consumers.")

...we have to nearly 10 years...
We have to what?

...their patch is got more holes...
is (verb) - state of being
has (adject) - to hold, include, or contain as a part or whole
Posted by (2 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.