Microsoft and everyone else in the PC world knew that hackers would be working hard to find the cracks in the latest Windows XP software upgrade, intended mostly to bolster security. But it is security researchers and their work that has caused the greatest headache for Microsoft so far as it rolls out Service Pack 2 (SP2) to consumers and corporate users.
At least two security bulletins from different companies have come out warning of holes in the brand new, large update. German company Heise warned of two flaws in the implementation of SP2 security features that could leave systems vulnerable to attack. Danish security outfit Secunia also has warned of a “drag and drop” vulnerability in Internet Explorer that could be exploited even on systems that have been updated with SP2.
Michael Sutton, director of iDefense Labs, told TechNewsWorld the early SP2 security issues are not major ones. However, the vulnerability expert did indicate that SP2 will undergo a tremendous amount of scrutiny because it is a Microsoft product and because it focuses on security, challenging both attackers and experts in a sense.
“This is a real effort on Microsoft’s part to fix big picture issues, rather than a fix here and a fix there,” Sutton said. “It will definitely undergo a lot of scrutiny.”
Highly Critical or No Conflict?
The SP2 update, which enables a default firewall and antivirus protection for the bombarded Windows XP operating system, has forced Microsoft to walk a tightrope between security enhancement and impact on other features and applications.
In its security advisory, Heise described the SP2 security holes as “highly critical,” but when the company reported the issues to Microsoft last week, the software giant reportedly indicated it did not view the vulnerabilities as very significant.
“We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address,” the Microsoft Security Response Center reportedly said in response to the weaknesses reported by Heise.
Old Microsoft, Old Ways
Heise Security’s Jürgen Schmidt said in an online response that while there were indications Microsoft has been on the right track with SP2 and security, its response to the reported SP2 bugs shows the company is clinging to its old ways.
“Here it is again: the old Microsoft which backs off to a position like ‘This is not a bug, it’s a feature,’” Schmidt said. “Their intention is clear. If Microsoft admitted that there is a bug in one of the new security functions, this would result in a lot of bad publicity. So Microsoft prefers that some security experts raise their eyebrows, hopes that nothing serious will happen and that the discussion stays limited to small insider groups.”
In response to the Secunia issues, which involve the highly integrated and highly functional Internet Explorer browser and do require some user interaction, Microsoft reportedly said it does not consider them a significant risk.
Easier Attack, Tougher Defend
Sutton said that although they were not extremely critical security holes, the early SP2 issues are indicative of the constant pressure that will be applied to the security-focused service pack.
Sutton said that while attacker knowledge and tools are both more readily available and easier to use, Microsoft has to deal with increasing complexity of systems, different languages and other compatibility issues.
“It is going to get tougher for them,” Sutton said. “It’s not going to get easier.”
Sutton did praise Microsoft for its monthly patching schedule, which means system administrators and other IT pros might not know how bad the next bug or virus is, but they do know when a security update will be coming and can plan accordingly. The success of the plan is evident in other software companies, such as Oracle, opting for a similar regular update schedule.
However, Sutton was critical of Microsoft for its turnaround time on vulnerabilities, adding that when his company reports an issue to Microsoft, it is typically a matter of months, rather than weeks, before it is addressed.
“We have seen six months in some cases — that’s a long time for a vulnerability to exist and the vendor knows about it,” Sutton said. “It’s just taking way too long for patches to be put in place.”