Microsoft has responded to Neowin regarding the XP SP2 problem story we ran yesterday, as reported by PC Magazine and eWeek. The open letter below is an unedited version of what we received early this morning.
We wanted to alert you to some misguided press reports that may cause Microsoft customers undue concern. Some articles have been posted that claim there is a highly critical vulnerability that would allow a malicious user to spoof the Windows Security Center in Windows XP SP2; however, this claim is not accurate. We don't know how closely you have been following this issue, but we wanted to make sure you had the facts from Microsoft.
As you know, Windows Security Center, found in the Windows XP Control Panel, provides customers with the ability to easily check the status of essential security functionality such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date, and will notify users if it appears that updates need to be made or if additional steps may need to be taken to help them get more secure.
To clarify, there is not a vulnerability in the Windows Security Center. In order for an attacker to spoof the Windows Security Center, he or she would have to have local administrator rights on the computer (ed. XP Home's default user is 'Admin', and many XP Pro users set their account to admin status for a hassle-free life). If an attacker were to gain those rights on a user's system, either by being granted them or by attaining them by enticing a user to open a malicious attachment, the criminal actions the attacker could pursue include many that are far more serious than just spoofing the Windows Security Center. In Windows XP SP2, we have added functionality to reduce the likelihood of unknown applications running on the user's system, including turning Windows Firewall on by default, Data Execution Prevention and Attachment Manager in Outlook Express, to name a few.
All the best,
Windows Community Team