A week after releasing Windows XP Service Pack 2 to enterprises, Microsoft is trying to quell confusion over an apparent security flaw and applications that won't work without adjustments.
The software giant acknowledged Wednesday it's investigating reports of a method attackers can use to bypass SP2's Attachment Execution Service. The feature is designed to help protect users from executing files from unknown sources or untrusted locations.
"Microsoft has investigated these reports and is not aware of any instance in which an attacker could specifically bypass the service in e-mail or a Web browser to allow a malicious attacker access to a user's system," a company spokesman said.
Though the company reiterated its recommendation for users to turn on Automatic Update, it has delayed using the service to distribute SP2 for a week. "To provide corporate customers with additional time to configure Windows XP-based machines running Automatic Updates, we have adjusted the AU delivery date to Wednesday, Aug. 25 for Windows XP Professional customers only," a Microsoft spokesman said. "We made this adjustment … in response to customer feedback."
Meanwhile, antivirus vendors whose applications are on the tweaking list are trying to reassure customers that their products will work with SP2. The list on Microsoft's Web site includes directions on how to make everything work properly and includes applications from New York-based Computer Associates and Cupertino, Calif.-based Symantec Corp.
Symantec released a statement within an hour of SP2's release to manufacturing Aug. 6 saying its products work with SP2. The company clarifies on its Web site that while it is compatible, the Windows Security Center feature in SP2 may indicate otherwise.
"By design, Symantec includes tamper-protection features to make it difficult to scan the status of its products," the company said. "As a result, the Windows Security Center can detect the presence, but not the status, of some Symantec security software." The company is developing an update to ensure the security center shows the status of its products as "green (on)." It also announced that its 2005 product line is SP2 compatible.
Computer Associates's CA ARCserve, eTrust 6.0.100 and eTrust 7.0 are also on the list. Toby Weiss, senior vice president of eTrust security management solutions for the firm, said those are older releases that can be tweaked for compatibility on the company's support site. "Our newest solutions work with SP2 out of the box," he said.
Weiss said IT practitioners shouldn't be discouraged by SP2's challenges. "Any big change like this requires a good, careful management process," he said, adding that experts have said all along that "testing is key, and some tweaking will be needed along the way."
SP2 is designed to make Windows XP more ironclad against attackers who have successfully exploited its multiple security holes, most recently in the form of Sasser, Dowload.ject and new strains of Mydoom. Among its security enhancements, SP2 turns on the Internet Connection Firewall (ICF) by default, closes ports except when they're in use and improves the firewall configuration interface. It also improves Internet Explorer controls and user interfaces to block malicious ActiveX controls and spyware.