MICROSOFT XP SERVICE PACK 2

Service Pack 2 Flaws

MICROSOFT XP SERVICE PACK 2

The growing threat of hackers and viruses has prompted Microsoft to roll out a billion-dollar upgrade of its Windows computer operating system to strengthen security. The software giant is offering the update free so the largest possible number of people install it, a recognition of the size of the problem posed by virus-infected computers on the internet, the overwhelming majority of which use Windows.

The firm is spending US$300m (Ł167m) on the upgrade campaign worldwide, which includes free CDs with Service Pack 2 (SP2) on the covers of technology magazines, and on request. But the company has probably spent $1bn in total through programming costs and delays to its next version of Windows, codenamed "Longhorn" and due in late 2006, caused by putting extra staff on to SP2.

Paul Randle, the product marketing manager for SP2 in the UK, declined to comment on the cost of developing SP2 but said that it was not an end in itself. "Microsoft is committed to making security protections easier for our customers," he said. "SP2 is part of an ongoing effort that will take time, as there is no silver bullet against hackers."

Microsoft has repeatedly suffered since the release of its Windows XP system in October 2001 from attacks by hackers, virus-writers and scammers. The "Blaster" and "Sasser" worms brought the internet to its knees in the summer of 2003 and in spring 2004 the "Netsky" and "MyDoom" viruses infected hundreds of thousands of PCs worldwide.

There has been a huge rise in the number of "phishing" scams in which criminals send out e-mails directing people to websites masquerading as online banks to capture their details and then clean out accounts. Flaws in Windows or other Microsoft software has been key to their success.

Microsoft's upgrade, which comes in a 200-megabyte file, aims to close security loopholes. The firm claims that SP2 makes Windows more secure than ever before, with improvements to its Internet Explorer browser, Outlook Express e-mail and dozens of other parts of the system.

Heise Security, the Germany company that first raised the issue, recommends that people install SP2, but that does not cut out the need for antivirus software. Another firm, Sophos, warned of a new program that can infect PCs with SP2 installed and target banks online.

The "Togfer" program is sent as an attachment to an e-mail or as a file to be downloaded from a website. If the attachment is activated, Togfer installs itself and watches for online banking, including Abbey, Barclays, Cahoot, HSBC, Lloyds, NatWest, Nationwide and Woolwich. It then sends details such as user name and passwords to remote hackers, who break into the account and loot it.

Victims would usually have the loss refunded by the bank but Graham Cluley, senior technology consultant for Sophos, said, "This is very different from the fraudulent e-mails. It waits for the customer to visit the real banking website, and makes robbery a breeze." He said people should take "extreme care" and install up-to-date antivirus software.