Researcher Finds Flaws in XP SP2

Written By
Ryan Naraine
Aug 18, 2004

German research firm Heise Security has issued an advisory for a pair
of security flaws in Microsoft’s recently shipped
Windows XP Service Pack 2 with a warning that attackers could launch
malicious files from an untrusted zone.

According to the alert posted online,
Heise said two vulnerabilities in the implementation of a
new “security warning” feature in SP2 open the door for the spread of
harmful viruses.

The first flaw occurs because the Windows command shell ignores zone
information and starts executables without warnings. Heise Security
said the second bug relates to the failure of Windows Explorer
to update zone information properly when files are overwritten.

“[Windows Explorer] can be tricked to execute files from the Internet
without warning,” the firm said.

According to the advisory, Microsoft investigated the warnings and
found that they were not in conflict with the design goals of the new
protections built into XP.

“We are always seeking improvements to our
security protections, and this discussion will certainly provide
additional input into future security features and improvements, but at
this time we do not see these as issues that we would develop patches or
workarounds to address,” Microsoft explained.

However, Heise said there was evidence that XP SP2 will launch
malicious files without warning the user.

“Exploitation of this issue requires some user interaction — at
least as long as nobody comes up with a way to execute cmd.exe with
parameters from within Outlook Express or Internet Explorer,” the
company said, noting that virus writers could create e-mail worms to
launch files without getting a warning from SP2.

Separately, e-commerce giant eBay posted a notice
to its users to warn of potential disruptions with some of its auction
creation tools.

“Members who use the eBay toolbar will notice that some
of the features are working and others are not. For those of you who use
or try to sign up for eBay’s Enhanced Picture Services, it is currently
not working. You will be able to access and use the Basic Picture
Services at this time. We are working fast to address these issues,”
eBay said.
