[ISN] Researchers find holes in XP SP2

InfoSec News isn at c4i.org
Thu Aug 19 12:00:41 EDT 2004


By Paul Roberts
AUGUST 18, 2004 

Security researchers inspecting a new update to Microsoft Corp.'s
Windows XP found two software flaws that could allow virus writers and
malicious hackers to sidestep new security features in the operating

German Internet security portal Heise Security published a security
bulletin, dated Aug. 13, that describes two holes in Windows XP
Service Pack 2 (SP2) and warns users about running programs from
untrusted Internet sites. The flaws could allow virus writers to
circumvent the security feature and write worms that spread on XP SP2
systems, according to the bulletin. However, the researcher who
discovered the holes said he doesn't consider the flaws to be serious
and still recommends installing SP2.

Microsoft released XP SP2 to its customers shortly after completing
work on the massive software update, on Aug. 6. SP2 contains a number
of new security features, including an improved version of Windows
Internet Connection Firewall, now named Windows Firewall, a new,
user-friendly interface for managing security settings and improved
features for detecting and blocking malicious content downloaded from
Web sites.

Heise Security Editor and Chief Jurgen Schmidt and his colleagues
discovered the holes in an XP SP2 feature that marks files downloaded
using the Internet Explorer Web browser or saved from e-mail messages
using the Outlook Express e-mail client with a Zone Identifier, or
ZoneID, according to Schmidt.

The ZoneID records the Internet Explorer security zone from which the
file originated. Internet Explorer security zones assign different
levels of security permission to different sources of files and data.  
For example, Web sites and files downloaded from the Internet are
considered less secure than those obtained from a LAN the computer is
connected to or from the local computer hard drive.

XP SP2 saves ZoneIDs in a text file on the local computer. The file is
linked to the downloaded file and used to issue pop-up warnings when
Windows users attempt to open files from a dangerous source. However,
certain Windows features allow users to open files without receiving a
warning, Heise Security found.

For example, users can open files using text commands issued through
the Windows command prompt, a standard Windows feature, without being
warned about the risk associated with opening the file.

A second bug exploits what Schmidt called a "programming error" in XP
SP2 that fails to update the ZoneID information cached for immediate
use when files are renamed. That could allow malicious hackers or
viruses to get around the user warnings, at least temporarily, by
renaming a malicious file that would otherwise generate a warning, he

Neither security hole could be exploited by a remote attacker, and
both require Windows users to take actions such as opening the Windows
command shell or renaming files to overwrite other files on Windows,
he said.

However, a flaw such as the failure to update cached ZoneID
information could cause problems as third-party software programs try
to take advantage of XP SP2, he said.

Microsoft was informed of the holes Aug. 12. The Microsoft Security
Response Center responded to the report, saying that the issues raised
were not in conflict with "the design goals of the new protections"  
and that it didn't consider the holes serious enough to warrant a
patch or workaround, Schmidt said.

A Microsoft spokesman couldn't confirm that the company issued a
statement to Heise Security.

Many security experts agree that XP SP2 improves Windows security,
especially by deploying a desktop firewall by default that blocks all
but common Internet traffic to and from Windows XP machines. However,
the hunt for holes in XP SP2 began as soon as the software update was
released. Some security researchers predict that hackers will discover
ways to circumvent many of the XP SP2 features, even writing worms and
viruses that target machines running the updated operating system.

"SP2 is not going to be the end of all viruses. Users have to be aware
of the fact that the new security features of SP2 are not catchall
solutions," Schmidt said.

More information about the ISN mailing list