
XP SP2: Fallout and reactions

Aug 16, 2004

* Patches from Yahoo, SCO, Gentoo, others
* Beware latest Agobot variants
* FDA reads riot act to device makers, and other interesting reading

Windows XP Service Pack 2 (XP SP2) has been out a week now. Microsoft already has a tool out that allows enterprise users to block its download:

And a FAQ dedicated to the update:

The general reader response has been one of “wait and see” when it comes to applying updates in the corporate environment:

Greg Goodson writes:

“Given Microsoft’s track record with XP Service Packs there is no way I would just deploy it across the enterprise. The other issue is how will it react to existing Firewall and other 3rd party security software. What non-Microsoft software products will be blown up by the upgrade? There isn’t a comprehensive list of known issues yet published, at least that I have found. I certainly cannot afford to take down every XP workstation while Microsoft tries to figure out what went wrong, and giving the answer it worked ok on their machines is not an answer.”

Steve Van Domelen says:

“We are definitely taking a wait-and-see approach.  I have heard IBM is also holding its release (our provider for all desktop/laptops systems) since it is known to break some of their software.  We used to take Windows updates automatically, but this one has warning signs all over it.  I am especially concerned about their approach to automatically install software or features that we specifically do not want (firewall, popup killer).  We already have a non-Microsoft approach for these and it will certainly cause problems, confusion and excessive work to my already budget-constrained staff.  I could go on, but you get the picture and I’m sure you’ve heard it all before.”

Mark Carhart writes in with:

“[We] will be doing serious testing in a non-work environment one month after the service pack is released. Once the non-work environment testing is completed we will move to step 2, testing one computer in a work environment and working out any problems before the final step, which is a complete rollout.”

Not everyone is pessimistic though:

Mark Thornhill says:

“I’ve been using SP2 on one of my machines for a little over a month.  I really like it, though it took some getting used to and some minor custom setting changes.  But, overall, I think it’s a great move for [Microsoft]. The popup blocker, I feel, is a lifesaver.  I can’t tell you how many times one of our users will end up with gator or some other program loaded and BAM, they’re tagged. I have plans of implementing it early September in my business.”

Peter Goyer writes in:

“We are deploying it as we speak. The service pack may solve some of our security issues. They are not severe, so a more radical approach is not required. We will always have students that download songs and other things they are not supposed to. This is a small step but hopefully [Microsoft] rolled out a worthwhile one.”

If you’ve got a success or horror story, let us know at

For more XP SP2 coverage:

Windows Service Pack 2 puts users on the defensive

Corporate customers that use Microsoft’s Automatic Updates feature to patch will have to install blockers on their desktops this week to thwart the delivery and installation of Windows XP SP 2. Network World, 08/16/04.

Hunt for XP SP2 flaws seen in full swing

While users are testing Service Pack 2 for Windows XP to prevent compatibility problems, hackers are picking apart the security-focused software update looking for vulnerabilities, security experts said. IDG News Service, 08/13/04.

Radio: Windows XP Service Pack 2

Windows XP Service Pack 2 is here. The latest upgrade for Microsoft’s flagship desktop operating system comes with a number of security enhancements, to say the least. Joe Wilcox, senior analyst at Jupiter Research and author of the Microsoft Monitor Weblog, joins us to discuss the impact of XP Service Pack 2 on your applications. Network World Fusion, 08/12/04.

Initial Windows XP SP2 fallout limited

Since Microsoft began the staged rollout of Windows XP Service Pack 2 late last week only minor compatibility issues have come up, but that might be because many users are waiting to install the update. IDG News Service, 08/12/04.

Today’s bug patches and security alerts:

Yahoo patches IM client

A flaw in the third-party component used in Yahoo Messenger could be exploited to crash an affected system. For more, go to:


HP security fix wrap up

HP has released a variety of security updates for its HP-UX operating system. The flaws fixed include a root access vulnerability in CIFS Server; a code execution flaw in Apache/PHP; a second Apache flaw; a buffer overflow in Mozilla; a data corruption problem in Process Resource Manager; and, a remote access vulnerability in xfs and stmkfont. All of them can be downloaded by logging into the HP IT Resource Center:


Vendors patch gaim

Two remotely exploitable buffer overflows have been found in gaim, a general purpose Instant Messaging client that works with multiple IM services. For more, go to:


Mandrake Linux:



SCO patches tcpdump for UnixWare

A flaw in the tcpdump network-monitoring tool makes it susceptible to a denial-of-service attack when a specially crafted packet is received. For more, go to:


Gentoo patches MPlayer

A bug in the TranslateFilename() function used by MPlayer could be exploited by embedding code in a music file. The code would be executed on the affected machine with the privileges of the user that opened MPlayer. For more, go to:

Gentoo issues fix for SqWebMail

A flaw in SqWebMail, a groupware application, could be exploited using a cross-site scripting attack. An attacker could use this to inject script into SqWebMail pages and steal a user’s cookie information. For more, go to:

Gentoo releases fix for SpamAssassin

The Gentoo SpamAssassin implementation is vulnerable to a denial-of-service when it tries to process a malformed message. For more, go to:


Conectiva releases Apache fix

A format string vulnerability in the ssl_log function of Apache’s mod_ssl could allow a remote attacker to execute arbitrary code by getting printf-style format specifiers into text that is written to the HTTPS error log. For more, go to:
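As an added illustration of this bug class (this is not mod_ssl’s code and makes no claim about its internals), here is a minimal logger that uses an untrusted message as the printf format, beside the fixed form and a pre-flight check for messages that carry conversion directives. The payload string is constructed for the example; the function names are hypothetical.

```c
/* Added example, not mod_ssl's code: a logger with the same class of defect
 * as a format-string bug in a log routine, beside the corrected form.
 * The message text stands in for attacker-influenced data (e.g. a client
 * supplied hostname or certificate field) that ends up in the error log. */
#include <stdio.h>
#include <string.h>

/* The whole point of log_unsafe() is the non-literal format; silence the
 * compiler diagnostics that would otherwise flag it. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable: the untrusted message is used as the format string, so any
 * '%' directives inside it are interpreted by the printf engine
 * ("%x" reads stack/registers, "%n" writes memory). */
int log_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);          /* BUG: msg is the format */
}

/* Fixed: a literal format; the message is only ever a %s argument and is
 * copied through verbatim, '%' signs included. */
int log_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Defence in depth for code paths that cannot be restructured at once:
 * returns 1 if msg contains a conversion directive ('%' not followed by
 * another '%'), 0 if it is safe to hand to a formatted logger as text. */
int has_format_directive(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Constructed payload: what a client could plant in a logged field. */
static const char PAYLOAD[] = "client said: %d%d%d";

int main(void)
{
    char buf[128];

    log_safe(buf, sizeof buf, PAYLOAD);
    printf("safe  : %s\n", buf);     /* prints the payload unchanged */

    log_unsafe(buf, sizeof buf, PAYLOAD);
    printf("unsafe: %s\n", buf);     /* the %d's become leaked integers */

    printf("directive check: %d\n", has_format_directive(PAYLOAD));
    return 0;
}
```

The unsafe variant leaks whatever the calling convention hands the printf engine for the missing arguments; with `%n` in the payload the same defect becomes a write primitive. The only real fix is the literal format in `log_safe`; `has_format_directive` is a stopgap for call sites you cannot change today.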


OpenPKG releases cvstrac fix

According to an advisory from OpenPKG, “Richard Ngo discovered a vulnerability in the CVS repository web browsing tool CVSTrac. If properly exploited an attacker can execute arbitrary code on the CVSTrac host with the privileges of the associated Web server.” For more, go to:


Mandrake Linux shores up Shorewall

A flaw in Shorewall could allow unauthorized users to overwrite arbitrary files on the affected machine. For more, go to:


Today’s roundup of virus alerts:

Symbian bugged by Mosquito bite

Users of mobile phones running the Symbian operating system are vulnerable to a Trojan contained in an illegally adapted version of the Mosquitos game, Symbian said Thursday. IDG News Service, 08/13/04.

W32/Agobot-ZX – This Agobot variant installs itself as “sysdrv32.exe” in the Windows System folder. It spreads via network shares and can disable security-related applications running on the infected machine. It can also provide backdoor access via IRC. (Sophos)

W32/Agobot-LX – A multipurpose Agobot variant that acts similar to ZX above with the added bonus of being able to sniff network traffic and steal activation keys for popular games. This variant installs itself as “windrvconf.exe” in the Windows System folder. (Sophos)

W32/Agobot-MA – Very similar to Agobot-LX, except this version installs itself as “wmon32.exe” in the Windows System directory. (Sophos)

W32/Cali-A – A mass-mailing worm that spreads with an .exe attachment and can be used in a denial-of-service attack against a number of hard coded sites. The virus scans infected machines for e-mail addresses to target. (Sophos)

W32/Annil-G – This worm spreads via e-mail, network shares and peer-to-peer networks. Its main focus is to spread and it doesn’t seem to cause any real permanent damage. It may try to prevent users from downloading executable files. (Sophos)

Troj/Iefeat-K – A Trojan horse that tries to download adware from remote sites. It installs itself as “addtt.exe” on the infected machine. (Sophos)

W32/Rbot-FV – According to Sophos, “W32/Rbot-FV is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.” (Sophos)

W32/Rbot-FY – Similar to Rbot-FV above, except this variant uses the file “wuamgrd.EXE”. (Sophos)

W32/Saros-A – This worm can be used to drop malware on the infected machine and display a message at given time intervals. It installs itself in the Windows System folder as NonYou.exe, Love-ScreenSaver.scr, and MSOutlookInternetUpdate.exe. (Sophos)

W32/Sdbot-MH – A bot that installs itself as “winsx.exe” in the Windows System folder and can be used to provide backdoor access to the infected machine via IRC. (Sophos)


From the interesting reading department:

Tales from the copy room

It wasn’t long ago when the biggest security issue in the photocopier industry was how to keep randy employees from scanning body parts. But times have changed. A new generation of jazzed-up office copiers can scan documents, send faxes or e-mail, and store reams of document images. The new networked machines are akin to modern desktop computers and servers, which makes them more vulnerable to predatory hackers. IDG News Service, 08/11/04.

FDA reads riot act to device makers

Amid growing concern about security in hospital patient-care systems, the federal agency that regulates medical devices last week announced a get-tough policy to improve equipment safety. Network World, 08/16/04.

Technology Update: Network modeling detects anomalies

New relational network-modeling systems detect security threats by recognizing when network traffic patterns vary from the norm. Network World, 08/16/04.

Check Point primps for small firms

President Jerry Ungerman talks about SMB needs, the company’s SofaWare and Zone Labs acquisitions, and more. Network World, 08/16/04.

On the lookout for spyware

Organizations are increasingly eyeing spyware as a threat that needs to be blocked from reaching end users’ desktops. Network World, 08/16/04.

McAfee upgrades security management software

McAfee next week plans to ship an updated version of its anti-virus management product, ePolicy Orchestrator, that adds capabilities such as intrusion-prevention management and rogue-computer detection. Network World, 08/16/04.

EBay taps WholeSecurity to fend off phishers

The online auction giant is licensing WholeSecurity’s Web Caller-ID software, which detects spoofed sites. EBay will include Web Caller-ID in the Account Guard feature of the eBay Toolbar that stays resident in users’ browsers, alerting them whenever they visit a site purporting to be eBay or its online payment subsidiary PayPal. Network World, 08/16/04.

Vendors target remote-access security

Juniper and WatchGuard are coming out with new gear to provide small businesses and corporate offices with remote-access technology that can be managed from central consoles. Network World, 08/16/04.

Blaster suspect pleads guilty to spreading worm

A 19-year-old pleaded guilty in a Minnesota federal court on Wednesday to spreading the W32.Blaster-B worm over the Internet. IDG News Service, 08/12/04.