Microsoft Refutes Windows XP SP2 Flaw Claims [Updated]

Update: This article noted that the researchers "were forced to admit they were wrong." However, heise Security's Jurgen Schmidt, who originally found and published the company's assertions about the XP SP2 flaws, says that he hasn't changed his stance. The URLs below point to his original findings.

Some German security researchers briefly held the spotlight yesterday after they claimed that they were the first to discover flaws in Microsoft's newly released and eagerly anticipated Windows XP Service Pack 2 (SP2) update. But Microsoft was quick to dismiss the claims, arguing that the flaws are theoretical, not actual. By late yesterday, the researchers were forced to admit that they were wrong.
The heise Security researchers had claimed that XP SP2 contains two security flaws that could potentially let attackers execute code on users' PCs. They allegedly found the flaws in the new XP SP2 code that handles potentially malicious attachments and downloads.
Microsoft quickly issued a statement about the claims, noting that the company "has investigated these reports and is not aware of any instance in which an attacker could specifically bypass the service in email or a Web browser to allow a malicious attacker access to a user's system. This feature is one that is supposed to protect users against executable files from an unknown source or untrusted locations. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. We don't see these issues as being in conflict with the design goals of the new protections [in XP SP2]."
The heise Security researchers subsequently admitted that the flaws are theoretical only and that no software code exists to exploit them. And the company still recommends that users install XP SP2. Regardless, other security researchers are certain that XP SP2 flaws will eventually be found. A representative of vulnerability-assessment company PivX Solutions told me that his company has alerted Microsoft to several problems, and eEye Digital Security says that it's still investigating XP SP2.
Microsoft has been quite upfront about the update's capabilities. Although the service pack will make XP more secure, it isn't a panacea and won't solve all security problems. "SP2 is a step along the way to better security," Windows Group Product Manager Greg Sullivan told me recently. "But it's only a step. We still have more work to do."

heise Security articles about SP2 security flaws:
Flaws in SP2 Security Features
Microsoft: A Matter of Trust
