Microsoft decries recent reports of flaws in Windows XP Service Pack 2 as "misguided" and "not accurate" and said it wants to clear the air so users can separate fact from fiction.
The software giant responded Wednesday to the past week's wave of media attention over researchers who claimed to find flaws while testing SP2, Microsoft's much anticipated security overhaul of Windows XP. The most notable report focused on a "highly critical" drag-and-drop flaw discovered by a researcher known as "http-equiv."
The vulnerability, affecting Internet Explorer, is caused by "insufficient validation of drag-and-drop events issued from the 'Internet' zone to local resources," Copenhagen, Denmark-based security firm Secunia said in an advisory. "This can be exploited by a malicious Web site to plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up." Secunia has given http-equiv's claim high billing on its daily vulnerability list and said the flaw has been confirmed on a fully patched system with Internet Explorer 6.0 and Windows XP SP1 and SP2.
Adding to the media buzz was a Microsoft list of applications that need tweaking to function properly with SP2. Because of the size and scope of SP2, experts have warned enterprises to study it on test computers and work out the compatibility issues before downloading it onto their networks. A Microsoft spokeswoman sought to calm "undue concern" over SP2 in an e-mailed statement Wednesday.
"Some articles have been posted that claim there is a highly critical vulnerability that would allow a malicious user to spoof the Windows Security Center in Windows XP SP2. This claim is not accurate," she said. "To clarify, there is not a vulnerability in the Windows Security Center. In order for an attacker to spoof the Windows Security Center, he or she would have to have local administrator rights on the computer."
She added, "If an attacker were granted access to a user's system, either by being granted it or attaining it by enticing a user to open a malicious attachment, the criminal actions the attacker could pursue include many that are far more interesting than spoofing the Windows Security Center. In Windows XP SP2, we have added functionality to reduce the likelihood of unknown applications running on the user's system, including turning Windows Firewall on by default, data execution prevention, and the attachment manager in Outlook Express, to name a few."
Despite Microsoft's efforts to calm nerves, the reported SP2 flaw continues to get attention. Secunia updated its advisory on the drag-and-drop vulnerability Wednesday, saying that while the proof of concept showing how the flaw can be exploited depends on the user performing a drag-and-drop event, "it may potentially be rewritten to use a single click as user interaction instead."
Meanwhile, the Bethesda, Md.-based Internet Storm Center said it has been receiving reports that the vulnerability discovered by http-equiv is being actively exploited in the wild. "If you run across this on a fully patched box, please submit the offending URL and any dropped (dragged 'n' dropped in this case) malcode to the ISC," the Internet Storm Center advised.