Microsoft began rolling out SP2 last week, claiming that the software offers the latest security 'innovations,' fixes several major security holes, and provides new protective features.

However, a security researcher in Germany has discovered two holes in SP2. The first is a drag-and drop flaw that could allow a malicious Web site to plant an attack program on a user's machine; the second, a hole in the lockdown of Internet Explorer's My Computer security zone. The Internet Explorer hole doesn't seem to pose an immediate threat, security experts say.

Worries about how well SP2 will work with existing software, combined with concerns about possible security vulnerabilities, have led many corporates to hold back from installing the security update. Last week, Microsoft admitted that it had identified 50 programs -- ranging from business applications to utilities and security software -- that will not work properly with SP2.

Microsoft was due to start rolling out SP2 to users who had enabled the automatic update function on their computers on August 16th. But software glitches have led Microsoft to postpone the automatic update release to the August 25th.

The Service Pack 2 delays have sparked debate about the value of certain security measures. Industry experts are in agreement that I.T. professionals should test SP2 before an enterprise installs the patch. But some analysts say that Microsoft should not be the centerpiece of a security strategy, despite being the maker of the operating system.

'If you want Microsoft to secure these threats, then we're going to see such attacks on an ongoing basis,' said PivX security expert Thor Larholm, referring to the recent re-emergence of the Download.Ject worm. Microsoft says the new SP2 contains a patch that solves the vulnerability.

But Larholm suggests the solution most likely will be short-lived. 'If you want the security vendors to secure IE, that has already happened,' he said. PivX published extensive research about Internet Explorer last year and made public its findings and recommendations, Larholm points out.

Like many in the security industry, Larholm does not blame Microsoft for the vulnerabilities in its operating systems. But he and others point out that the opportunities for hackers are greater than the average enterprise imagines.
utomatic updates.

Also, to make it easier for corporate users to test SP2 before they deploy it on their desktop computers, Microsoft has issued a toolkit that temporarily disables the automatic-update function. The company said that it issued the toolkit in response to requests from organizations that have large number of computers set up to receive automatic updates.

Computers that are set to recieve automatic updates will receive SP2 today.