Reported bugs in SP2 let files find their way onto users' machines

The SP2 update makes XP less attractive to virus writers and malicious hackers by plugging widely exploited loopholes.

But discoveries by security firm Secunia and German company Heise show that some holes have been left open.

Microsoft said it was investigating one of the new bugs but said no users had been caught out by this loophole.

Bug watch

The bug Microsoft is looking into lets malicious programs hide as images that automatically install and then run when Windows is re-started.

Microsoft only put the SP2 security patch for the Home edition of Windows XP on its auto-update servers this week.

SP2 provides a single place for people to control anti-virus software, firewall and XP updates as well as blocking pop-up ads, some spyware and warning about the dangers of e-mail attachments.

SP2 CHANGES Pop-up ads blocked Revamped firewall on by default Outlook Express, Internet Explorer and Windows Messenger warn about attachments Origins of downloaded files logged Web graphics in e-mail no longer loaded by default Some spyware blocked Users regularly reminded about Windows Updates Security Centre brings together information about anti-virus, updates and firewall Protection against buffer over-runs Windows Messenger Service turned off by default Q&A: What you need to know

The update also tweaks XP to make it less vulnerable to the bugs exploited by viruses and other malicious programs.

But security expert Secunia has posted information about a bug in Internet Explorer that could, it says, let a malicious website "plant an arbitrary executable file in a user's start-up folder".

When an infected system is re-booted, the planted program will run.

The bug works on systems patched with SP2.

The loophole, which strikes when files are dragged and dropped from the net on to a local zone, was found by an ethical hacker who goes by the handle of http-equiv.

A demonstration of the bug has been posted on the Malware website.

"Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," said Paul Randle, head of all things XP at Microsoft UK.

But he added that Microsoft was investigating to see what action needed to be taken to deal with the bug.

Tricking Windows

Other problems with SP2 were discovered by German magazine Heise, which published information about two of them.

Heise found that the system SP2 introduces to warn users about the dangers of running untrusted files downloaded from the net can be subverted.

The company found a way to trick Windows into running net-downloaded files without warning users about what was happening.

When Heise asked Microsoft about the bugs, the software giant said it did not think that it needed to produce patches or workarounds to tackle them.

The vulnerabilities discovered have are not being exploited in the wild and have only been demonstrated as working in ideal circumstances.