Pros point to flaws in Windows security update

Last week, German company Heise Security announced that two flaws could be used to circumvent the new warnings that Windows XP Service Pack 2, or SP2, normally would display about running untrusted programs, potentially giving a leg up to a would-be intruder's attempts to execute code on a victim's PC.

And more revelations about vulnerabilities are on the way, Thor Larholm, senior security researcher with vulnerability-assessment company PivX Solutions, said Wednesday. Larholm has been looking for holes in the security of SP2 since the update was released and has notified Microsoft about several issues, but he would not discuss the details.

"I'm positive that we will see critical flaws over the next few weeks, and worms that will circumvent SP2 features over the next few months," he said.

Larholm has found dozens of flaws in Windows XP and Internet Explorer over the past few years and had previously maintained a Web page of unpatched vulnerabilities in the software giant's browser.

Microsoft would not discuss whether it had received reports of new vulnerabilities in Windows XP Service Pack 2 but did say that the company's researchers had investigated the Heise issues and found them wanting.

"The security response center is investigating those reports," said a representative of the company. "This feature is one that is supposed to protect users against executable files from an unknown source or untrusted locations. At this time, (Microsoft's security response center is) not aware of any instance that attackers could specifically bypass the service through e-mail or a browser."

Security researchers also point out that Microsoft has not solved some well-known issues with a few of the security technologies incorporated into SP2. Though the firewall is improved, it can be circumvented by any locally running program, a problem with most personal firewall programs, said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. Maiffret and his staff are analyzing the security update as well.

"We have seen some interesting things, but it is only about a week into it," Maiffret said.

The flaw reports could cause companies to hesitate even more before installing Microsoft's latest step to secure Windows. Many companies have said they will hold off on the update until it has been thoroughly vetted.

SP2 is designed to add better security to the operating system's handling of network data, program memory, browsing activity and e-mail messages by changing the system's code and configuration. For example, a revamped firewall is intended to keep attackers out and attempts to prevent malicious applications from connecting to the Internet by requiring that the user give specific permission to each application.

The major software update, which took almost a year to create, came to life after the MSBlast worm hit the Internet on Aug. 11. Almost 26 days before, Microsoft had issued a patch for the security hole the worm exploited, but many people did not install the fix even though there was widespread expectation that a virus would be created to take advantage of the flaw.

Microsoft Chair Bill Gates has described SP2 as the most extensive free update to Windows ever, and executives have acknowledged that work on the update has delayed other projects, including Longhorn, the next major version of Windows.

In addition to making the software available via automatic update, Microsoft will allow information-technology managers to download an upgrade that companies can use to update their machines.

As for flaws in XP itself, eEye's Maiffret points out that the update is about making Windows XP more secure by adding new protection features and better configuration, not about finding all the vulnerabilities in the operating system.

"Microsoft never claimed that SP2 would close all the security holes," he said.

CNET News.com's Ina Fried contributed to this report.