As soon as you install SP2 on a Windows XP PC with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall. This also applies to all other services. The PC only has to provide sharing for an internal local network and connect to the Internet via dial-up or ISDN.

Due to the bug carried over from SP1 as well as a new bug, the firewall configuration with SP2 has a catastrophic effect. The SP2 installation simply uses the previous configuration of the firewall: If it was active for the dial-up connection, now it also has been activated for the network adapter.

At the same time, an exception is determined for file and printer sharing: For the internal network card - and astonishingly also for all adapters.

With the first use of the dial-up connection after installing SP2, all of your shared data are available on the Internet. Now, other users can start guessing your passwords for administrator and guest and you basically are no more secure than the first Windows 95 users with an Internet connection - thanks to Service Pack 2.

The makers of the most secure operating system in the world, Microsoft is calling on hackers to try and take down its SP2 version of XP.

The fighting talk came from Vole's UK head Alistair Baker has told hackers that if they could get through a Windows XP system with SP2 running he would be impressed.

He said his company's Windows XP operating system update was the "first big line we have drawn in the sand" to combat security breaches and spam. Now while we are impressed with Alistair's commitment to his product, we do think he is asking for trouble.

Windows XP Service Pack 2 promises to raise the security bar for the sometimes beleaguered operating system. Unfortunately, one of the new features could be spoofed so that it reports misleading information about system security, or worse, lets a malicious program watch for an opportunity to do damage without being detected. The feature is the Windows Security Center (WSC), which displays the status ( (Figure 1) )of the key elements of your defenses: Firewall, Updates, and Antivirus.

Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.

IT administrators and security experts who have had a chance to install, work with and investigate the changes Windows XP Service Pack 2 makes to the operating system said last week the upgrade doesn't live up to the spirit of Microsoft's Trustworthy Computing campaign announced by Chairman and Chief Software Architect Bill Gates in January 2002.

Within about a week of its limited release two weeks ago, a German security researcher found two issues with SP2 that changed the way Microsoft products typically warn users about dangerous online content.

One of the added features of SP2 is a default installation of the IIS (Internet Information Services) Web server package, which includes an HTTP server and an SMTP server. Although IIS—which is not known for its security—is not enabled by default, the fact that it is installed as part of a security update worries many in the security community.

Barely hours after home users started securing their PCs with a key update for Windows XP, security experts have found ways around it.

SP2 provides a single place for people to control anti-virus software, firewall and XP updates as well as blocking pop-up ads, some spyware and warning about the dangers of e-mail attachments.

But security expert Secunia has posted information about a bug in Internet Explorer that could, it says, let a malicious website "plant an arbitrary executable file in a user's start-up folder".

The vulnerabilities discovered have are not being exploited in the wild and have only been demonstrated as working in ideal circumstances.

However, Microsoft has produced a so-called hotfix for SP2 to help tackle a problem some people are having with programs that use particular net addresses.

Microsoft has issued a list of nearly 50 software applications and games that may encounter problems with its Windows XP Service Pack 2 update.

In a document published in the "Knowledge Base" section of the company's Web site, Microsoft details the various issues that people may face when they install the SP2 package, which was released to PC manufacturers earlier this month. A range of applications are listed in the Microsoft report, including several of the software maker's own products, along with antivirus tools, Web server software and a handful of games.

Among the most high-profile products listed on the Microsoft document are antivirus applications from Symantec, network management software made by Computer Associates International, and multimedia tools from Macromedia. Microsoft also acknowledges that several of its own products, including Visual Studio .Net, Operations Manager, SQL Server and Systems Management Server software, must be tweaked to work properly with SP2.

A Linux developer -- he prefers to remain anonymous -- has told NewsForge he was recently contacted by Microsoft and invited to a job interview. He accepted, and during the interview he asked the obvious question: Why was Microsoft interested in hiring someone with strong Linux skills? The reply was that Microsoft is working on an emulator that will allow Windows users to run Unix.

Considering that Microsoft already has an emulator that will do just that, it's not crystal clear exactly what the monopoly has in mind for Linux on its desktop and/or server products. Microsoft purchased its Virtual PC product from Connectix early last year.

Just prior to the first release of a Microsoft version of Virtual PC last November, Microsoft announced what apparently was a slightly different approach. eWeek's Steven J. Vaughan-Nichols reported being told that "the new version will no longer offer official support for BSD Unix, Linux, NetWare, or Solaris on Intel."

Why is Microsoft interviewing Linux developers? Are they needed to work on the Virtual PC product, or on Longhorn? I called Microsoft public relations -- actually, it was Waggoner Edstrom's Rapid Response Team, which handles MS public relations -- and put the developer's question to them.

The first response I received said "After speaking with my colleagues, I can confirm that Microsoft has no plans to port to Linux at this time." Since that was an answer to a question I hadn't asked, I asked again. The second response was unequivocal: "Unfortunately, we do not have further comment on your question."

"Microsoft is starting to make deep strategic changes to increase security in the OS and not just fix a security bug here and there," says Chris Wysopal, a security expert with US company @Stake. "Some of the improvements have been a long time coming."

Other enhancements are aimed at preventing "buffer overflow" attacks, which involve breaking into supposedly protected regions of a computer's memory by inputting excess data.

HTML content in received emails will also be switched off. This is because spammers can use HTML to detect when a recipient has viewed an email to identify the most responsive targets.

Although the software will be free to authorised users, Microsoft plans to stop those running unauthorised copies of its software from receiving the new upgrade. Those using serial codes associated with pirated versions of the operating system will be unable to download the new software.

The decision to block these versions of Windows from receiving the update has alarmed some experts who worry that they will remain vulnerable to computer viruses, worms and other forms of attack and will therefore be a threat to other computers.

SCO claims that Linux users need to buy the licences because Linux contains some of its intellectual property, placed there without consent.

He admitted that only 20 to 30 organisations have now bought an SCO Linux licence since it was launched.

Sontag blamed action by Novell, which has claimed ownership of the Unix copyrights, for slowing down licence sales. "Some people have used that as an excuse to wait," he said.

Sontag claimed that licence sales are slowly increasing, but "not as fast as I would like".

The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsered by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information.