Archived from groups: microsoft.public.windowsxp.basics (
More info?)
Tom Porterfield wrote:
> TedK wrote:
>> The following sight is a write up discussing two security holes
>> found in SP2 by German research firm Heise Security:
>>
>>
http://www.internetnews.com/security/article.php/3396761
>>
>> Any comments from MVPs on this?
>
> Let's look at these one at a time, as two issues are raised here. In
> the first, the steps to become at risk are to save a file from the
> internet or e-mail attachment. The risk here is that it could be any
> type of file, including an image file. Then open a command window and
> drag the file to the command window. Then hit enter. At that point
> the file would be executed. A fair amount of user interaction is
> required here for this exploit to work. There is no known automatic
> way to carry out the exploit. While there is some risk, and it
> mostly comes from the fact that the command processor (cmd.exe) will
> execute any file based on content rather than extension and ignore
> the zoneid, I don't think most users will be gullible enough to
> follow the precise sequence of events necessary to expose their
> systems.
> In the second, even the Heise site states:
>
> "Exploiting this issue requires the ability to overwrite existing
> files which have a trusted or non-existant ZoneID. Right now there is
> no known way to achieve this in an attack mounted from the Internet."
>
> They admit right there that this is only a theoretical risk as there
> is no known way to pull it off. Someone would already require control of
> your machine to pull this off and fool you into executing a file that
> you thought was safe. If they already have control of your machine
> you've already lost and there is nothing you can do to prevent worse
> activity than is described in the article.
>
> Neither one of these issues are new with SP2. I guess the point is
> that neither is "patched" by SP2 either. MS has gone a long way with
> SP2 in making Windows XP more secure. It isn't perfect, nothing is.
> People need to still be wary about any file received from the internet or
> in
> e-mail. Always verify the source no matter how innocent things may
> appear.
Or, to put it another way, Windows XP wasn't designed for AOHELL users...
;o) <eg>.
--
My great-grandfather was born and raised in Elgin - did he eventually
lose his marbles?