More than two years after company officials claimed Microsoft Corp. would emphasize security over features in all products, the whopping update to the companys Windows XP operating system is being hit for introducing new vulnerabilities.
IT administrators and security experts who have had a chance to install, work with and investigate the changes Windows XP Service Pack 2 makes to the operating system said last week the upgrade doesnt live up to the spirit of Microsofts Trustworthy Computing campaign announced by Chairman and Chief Software Architect Bill Gates in January 2002.
Within about a week of its limited release two weeks ago, a German security researcher found two issues with SP2 that changed the way Microsoft products typically warn users about dangerous online content.
Internet Explorer and Outlook Express typically mark files with a ZoneID tag, which tells users where a file originated and how safe it is. That process is thwarted by changes in SP2 that allow the ZoneID tag to be ignored in certain cases, such as when a user opens a file through the command shell, according to a bulletin written by Jurgen Schmidt, a researcher with Heise Security, a unit of Heise Zeitschriften Verlag GmbH & Co. KG, in Hannover, Germany.
As a result, an attacker could use this method to entice a user into opening a malicious file, Schmidt said.
Schmidt also found that SP2 provides for caching of ZoneID look-ups, meaning a safe ZoneID tag would remain even after a file is overwritten. A local attacker could use this method to spoof trusted ZoneIDs.
When questioned about Schmidts findings, a Microsoft spokesperson in Redmond, Wash., told eWEEK, “We investigated the report and are not aware of any circumstances in which attackers can take over systems using these issues.”
But the explanation offers little comfort to users, most of whom recall Gates Trustworthy Computing directive, which instructed: “When we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.”
“I think that Microsoft just should fix it as soon as possible,” said Oliver Schneider, network administrator at Brandenburg Technical University, in Cottbus, Germany, who has rolled out SP2 to some XP users. “I think that the ZoneID … is not really safe. Imagine a smart Trojan, which, as Trojans do, pretends to do something useful. Now after downloading it and starting, it can easily download the hostile part.”