IT Admins Not ‘Trusting’ SP2 Security

More than two years after company officials claimed Microsoft Corp. would emphasize security over features in all products, the whopping update to the company’s Windows XP operating system is being hit for introducing new vulnerabilities.

IT administrators and security experts who have had a chance to install, work with and investigate the changes Windows XP Service Pack 2 makes to the operating system said last week the upgrade doesn’t live up to the spirit of Microsoft’s Trustworthy Computing campaign announced by Chairman and Chief Software Architect Bill Gates in January 2002.

Within about a week of its limited release two weeks ago, a German security researcher found two issues with SP2 that changed the way Microsoft products typically warn users about dangerous online content.

Click here to read eWEEK Labs’ review of SP2.

Internet Explorer and Outlook Express typically mark files with a ZoneID tag, which tells users where a file originated and how safe it is. That process is thwarted by changes in SP2 that allow the ZoneID tag to be ignored in certain cases, such as when a user opens a file through the command shell, according to a bulletin written by Jurgen Schmidt, a researcher with Heise Security, a unit of Heise Zeitschriften Verlag GmbH & Co. KG, in Hannover, Germany.

As a result, an attacker could use this method to entice a user into opening a malicious file, Schmidt said.

Schmidt also found that SP2 provides for caching of ZoneID look-ups, meaning a safe ZoneID tag would remain even after a file is overwritten. A local attacker could use this method to spoof trusted ZoneIDs.

When questioned about Schmidt’s findings, a Microsoft spokesperson in Redmond, Wash., told eWEEK, “We investigated the report and are not aware of any circumstances in which attackers can take over systems using these issues.”

But the explanation offers little comfort to users, most of whom recall Gates’ Trustworthy Computing directive, which instructed: “When we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.”

“I think that Microsoft just should fix it as soon as possible,” said Oliver Schneider, network administrator at Brandenburg Technical University, in Cottbus, Germany, who has rolled out SP2 to some XP users. “I think that the ZoneID … is not really safe. Imagine a smart Trojan, which, as Trojans do, pretends to do something useful. Now after downloading it and starting, it can easily download the hostile part.”

The ZoneID changes are not experts’ only SP2 concerns. One of the added features of SP2 is a default installation of the IIS (Internet Information Services) Web server package, which includes an HTTP server and an SMTP server. Although IIS—which is not known for its security—is not enabled by default, the fact that it is installed as part of a security update worries many in the security community.

Click here to read about other SP2 security flaws.

“Most worms have SMTP and [Web] servers built in. They are poorly written and tested in limited environments. On multiple occasions, we have seen fast-spreading worms fail due to errors in code or simple typos,” said Geoff Shively, chief scientist at PivX Corp., a security research and software company based in Newport Beach, Calif. “Installing [Web] and SMTP services by default on Windows XP SP2 workstations could prove risky as malware authors could take advantage of this added functionality in creating more professional-grade threats.”

Check out eWEEK.com’s Windows Center at http://windows.eweek.com for Microsoft and Windows news, views and analysis.

Be sure to add our eWEEK.com Windows news feed to your RSS newsreader or My Yahoo page