Microsoft downplays XP SP2 flaw claims

Microsoft has won the first round against security researchers digging for flaws in its Windows XP Service Pack 2 (SP2), dismissing claims by German consultants to have identified vulnerabilities.

Heise Security said that flaws in the configuration of XP after implementing SP2 could allow files to be downloaded onto a client PC without the user's consent by bypassing the new warning procedure for downloading files.

But the researchers admitted these holes were mainly theoretical and that no code yet exists to exploit them anyway. Microsoft has said it does not consider the areas identified as issues that it would develop patches or workarounds to address.

In a statement to the researchers the company said that it had investigated the report, but added: "We don't see these issues as being in conflict with the design goals of the new protections."

Microsoft later told vnunet.com in a statement: "Microsoft has investigated these reports and is not aware of any instance in which an attacker could specifically bypass the service in email or a web browser to allow a malicious attacker access to a user's system.

"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources."

Heise Security still recommends that users install SP2.


Vnunet