RealTime IT News

Researcher Finds Flaws in XP SP2

German research firm Heise Security has issued an advisory for a pair of security flaws in Microsoft's recently shipped Windows XP Service Pack 2 with a warning that attackers could launch malicious files from an untrusted zone.

According to the alert posted online, Heise said two vulnerabilities in the implementation of a new "security warning" feature in SP2 open the door to the spread of harmful viruses.

The first flaw occurs because the Windows command shell (cmd.exe) ignores zone information and starts executables without a warning. Heise Security said the second bug stems from Windows Explorer failing to update a file's zone information properly when the file is overwritten.
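To make the zone check concrete, here is an added example (not code from the article, Heise or Microsoft) that parses the per-file zone marker and decides whether the SP2 warning should appear. It assumes, beyond what the article states, that the marker is the Zone.Identifier alternate data stream in INI-style text ("[ZoneTransfer]" / "ZoneId=3"); the sample stream contents are constructed. A missing marker, as in the overwrite case, yields no warning, which is the gap the advisory describes.

```python
"""Parse the zone marker XP SP2 attaches to downloaded files and decide
whether the 'security warning' should appear before the file is launched.
Assumption (not in the article): the marker is the Zone.Identifier stream,
INI-style text such as "[ZoneTransfer]\r\nZoneId=3". Samples are constructed."""
import re

# URL security zone ids used by the marker; 3 and 4 are the untrusted ones.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
UNTRUSTED_ZONES = {3, 4}


def parse_zone_id(stream_text):
    """Return the ZoneId from a Zone.Identifier stream, or None if the stream
    is missing or malformed (no marker means no warning is ever shown)."""
    if not stream_text:
        return None
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        if section == "zonetransfer" and sep and key.strip().lower() == "zoneid":
            return int(value.strip()) if value.strip().isdigit() else None
    return None


def classify(stream_text):
    """Verdict for one file: does its marker call for the SP2 warning?"""
    zone = parse_zone_id(stream_text)
    if zone is None:
        return "no zone marker: launched without warning"
    name = ZONE_NAMES.get(zone, "unknown zone")
    return f"{name}: warning expected" if zone in UNTRUSTED_ZONES else f"{name}: no warning"


def audit(files):
    """Map file name -> verdict for a {name: stream text or None} dict."""
    return {name: classify(stream) for name, stream in files.items()}


SAMPLE_FILES = {  # constructed examples
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",   # downloaded from the Internet
    "report.doc": "[ZoneTransfer]\r\nZoneId=1\r\n",  # copied from an intranet share
    "overwritten.exe": None,  # marker not refreshed when the file was overwritten
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FILES).items():
        print(f"{name:16s} {verdict}")
```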

"[Windows Explorer] can be tricked to execute files from the Internet without warning," the firm said.

According to the advisory, Microsoft investigated the findings and concluded that the reported behaviour did not conflict with the design goals of the new protections built into XP SP2.

"We are always seeking improvements to our security protections, and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address," Microsoft explained.

However, Heise said there was evidence that XP SP2 will launch malicious files without warning the user.

"Exploitation of this issue requires some user interaction -- at least as long as nobody comes up with a way to execute cmd.exe with parameters from within Outlook Express or Internet Explorer," the company said, noting that virus writers could create e-mail worms to launch files without getting a warning from SP2.

Separately, e-commerce giant eBay posted a notice to its users to warn of potential disruptions with some of its auction creation tools.

"Members who use the eBay toolbar will notice that some of the features are working and others are not. For those of you who use or try to sign up for eBay's Enhanced Picture Services, it is currently not working. You will be able to access and use the Basic Picture Services at this time. We are working fast to address these issues," eBay said.