Feast of Egos
Tim Mullen, 2004-09-07

Eager to tarnish Microsoft's shiny new Service Pack 2, the security press managed to spin the most thin and marginal issues into "gaping holes" and "security craters."

Feast of Egos 2004-09-07
Beryllium Sphere LLC (1 replies)
Feast of Egos 2004-09-13
Anonymous
Feast of Egos 2004-09-08
Todd Knarr (2 replies)
I have to agree with you about most of the coverage of SP2 "holes" being overblown. Much of the hoopla boils down to the firewall doing its job. It blocks incoming connections by default. It's supposed to do that. The problem isn't that it's doing it, it's that there are so many critical applications that depend on arbitrary incoming connections to desktop machines.

I don't agree with you about things like the shell prompt "not ZoneID aware" hole. That's a hole. It may be a hole by design, but it's still a hole. When SP2 was released, the programmers KNEW we have people willing to jump through the hoops necessary to run malware inside a password-protected Zip file. When they introduced zones, they should've extended them to all parts of the system. As it stands, they've extended them just far enough to convince ordinary non-clued users that they're protected by the new security zones but not far enough to actually handle all the things we know users are willing to do.

Ditto for the security center spoofing hole. If we're supposed to depend on the security center, then it SHOULD NOT BE POSSIBLE for anything other than us to change the security center's settings. If outside software can diddle with the settings, then we're reduced to asking ourselves whether, at this point, after what we've done, we can trust the security center. If the average Windows user could answer that reliably, we wouldn't need the security center in the first place.


Link to this comment: http://www.securityfocus.com/comments/columns/265/28366#28366
Feast of Egos 2004-09-09
Troll (2 replies)
Feast of Egos 2004-09-10
Todd Knarr (2 replies)
Feast of Egos 2004-09-13
Anonymous
Feast of Egos 2004-09-14
Angus (1 replies)
Feast of Egos 2004-09-16
Anonymous
Feast of Egos 2004-09-13
Ed
Feast of Egos 2004-09-14
Anonymous
Feast of Egos 2004-09-08
Anonymous
Feast of Egos 2004-09-08
Mat, CISSP
Feast of Egos 2004-09-08
Anonymous (1 replies)
Feast of Egos 2004-09-08
Anonymous
Feast of Egos 2004-09-08
Problem Updates (1 replies)
Feast of Egos 2004-09-14
Anonymous
I Agree 2004-09-08
Lucas
Feast of Egos 2004-09-09
Some Hacker (3 replies)
Feast of Egos 2004-09-14
Anonymous (1 replies)
Feast of Egos 2004-09-19
Anonymous
Feast of Egos 2004-09-14
Brutal Dictator
Feast of Egos 2004-09-14
Angus (1 replies)
Feast of Egos 2004-09-19
AWKz
SP2 = MS-hyped Snake Oil 2004-09-14
Matthew Murphy
Feast of Egos 2004-09-14
Anonymous
Feast of Egos 2004-09-17
Anonymous







 

Copyright 2009, SecurityFocus