Microsoft plays down SP2 security glitches
Glitches between Windows XP Service Pack 2 (SP2) and critical applications continue to emerge, with McAfee admitting that versions of its flagship VirusScan product prior to 7.1 require a customised patch to work with Windows Security Center, part of SP2.
McAfee also said its enterprise Desktop Firewall product requires a patch before it can function with Windows Security Center. Since SP2 was released, activists have been searching for weaknesses in Microsoft's security-focused service pack.
Microsoft has already dismissed claims by German researchers that they had found a flaw.
Now a group has claimed malicious code could bypass the new security procedures in XP by using the drag-and-drop features of Internet Explorer.
Consultant Secunia said researcher http-equiv has demonstrated that "the vulnerability is caused due to insufficient validation of drag-and-drop events issued from the internet zone to local resources".
For example, this can be exploited by a malicious web site to plant an arbitrary executable file in a user's startup folder, which will be executed the next time Windows starts up.
But Microsoft believes hackers looking to exploit this would have to rely on help from users.