XPSP2 Update VII: ActiveImelda®

7 January 2005 17:28 UTC

Security pundits held their breath (and laughed) when Windows XP Service Pack 2 with 'advanced security technologies' [sic] was released: there were few risks the product would be worse than its predecessor, but few hopes things had finally changed in what the renowned CSIS calls 'a system that cannot be fixed'. All that remained was to wait for 'the other shoe'.

It's not been many months at all, but the question of a single 'other shoe' is already today taking on the spectre of the wardrobe of Imelda Marcos.

Dawn Kawamoto, staff writer for CNET, writes today of the heightened security warning of security corporation Secunia, now that exploit code for three very dangerous flaws in Service Pack 2 have been published.

Affecting IE version 6, the exploits enable malfeasants to place and execute code on the victims' computers without their knowledge. Some of the worst types of 'plants' include spyware and 'porn-dialers' (programs which silently disconnect a computer from the Internet and then dial up an extremely expensive connection, all without the victim noticing an interruption in service).

The GreyHats Security Group published the code for one of these exploits already on 21 December 2004. It blew through a hole in the Windows HTML help system.

Secunia's CTO Thomas Kristensen explained why his firm now elevates the risk rating to 'extremely critical', their highest possible rating.

'In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there that doesn't require user interaction. This is our highest rating and is the last warning for users to fix their systems.'

It must be reiterated that this exploit indeed works with Windows XP Service Pack 2 with its 'advanced security technologies'.

Secunia recommend using another browser and/or disabling ActiveX until Microsoft can find a fix.

There is yet another hole, however: Windows 'drag-drop' exposes it. The hole was first reported last October, only weeks after the release of SP2. Secunia and others are now taking it seriously as well. Says Kristensen:

'Microsoft knew of this back in October. In my opinion it's not fair to have a vulnerability known for two months without having an available patch, especially when every detail is out there.'

Microsoft on their end claim it takes 'extensive work' to find a way to patch the holes, and in the meantime recommend users read their 'safe browsing guidelines' which coincidentally do not directly advocate abandoning their own software for consistently greener pastures.

Kawamoto notes that the Secunia rating escalation is 'another setback in Microsoft's efforts to shore up its security' and reminds readers that 'when Microsoft launched SP2 in August [2004], Chairman Bill Gates touted it as a significant step in shoring up systems against attacks'.