Security researchers have discovered another vulnerability in Windows XP Service Pack 2, but it doesn't appear to be an immediate threat.
The researcher who uncovered the drag-and-drop flaw in Windows XP SP2 earlier in the week has reported that a new vulnerability exposes a hole in the lockdown of Internet Explorer's My Computer security zone.
The lockdown of the My Computer zone is one of the major security enhancements in SP2. Web pages in Internet Explorer run in one of several security "zones," each of which has different security rules. Prior to SP2, the My Computer zone, designed for Web pages stored on the computer itself, had extremely permissive rules. In order to take advantage of them, malware attacks frequently exploited vulnerabilities to get their Web-based pages to execute. Microsoft tightened the rules in SP2 to make it a less inviting target.
What's Next on Microsoft's Security Agenda?
Even though the Windows XP Service Pack 2 (SP2) bits are done and in the midst of being disseminated, there's no rest ahead for Microsoft's security team.
Next up on the company's security agenda: Porting the pertinent SP2 security fixes to Windows Server 2003 and certain versions of Internet Explorer; introducing new patching technologies, including Windows Update Services and Microsoft Update; and rolling out Microsoft's next-generation "Active Protection" security technologies, starting with behavior-blocking technologies.
And that's not all. Microsoft also is working on its own antivirus offering, which it is expected to deliver as a service, as well as on new, hosted security offerings for small businesses.
But first things first. Microsoft still has a lot of work to do on Windows XP SP2, in terms of getting this collection of new features and fixes out to as many of the estimated 300 million Windows XP users as possible. Starting on Wednesday, August 25, Microsoft is set to begin pushing the service pack automatically to users' desktops over the Web.