Answering critics, Microsoft patches XP

Microsoft Corp. has responded to criticism from users and issued a software patch for a major security vulnerability in the Windows XP operating system, reversing an earlier decision to require users to upgrade to Windows XP Service Pack 1 to remove the vulnerability.

The security hole exists in the Windows XP Help and Support Center and affects the Microsoft Windows XP Home Edition, Professional, and 64-Bit Edition operating systems, according to information posted on Microsoft's product support Web site.

By taking advantage of a flaw in code for a feature that sends information on new hardware to Microsoft, an attacker could remotely access a vulnerable machine from a Web page or a link in an e-mail formatted in HTML. Files on the vulnerable machine could be opened or deleted using the vulnerability, according to information posted on Microsoft's Web site.

Soon after the discovery of the vulnerability, Microsoft issued Service Pack 1 for Windows XP, which patched the vulnerability in addition to a number of other security holes in the XP operating system. Initially, the company refused to issue a separate patch for the vulnerability, citing company policy that favored the use of service packs over patches when fixing vulnerabilities.

The company almost immediately encountered resistance to the hard line approach from across its customer base, however.

Home users who connected to the Internet using dial-up modems objected to the large size of the service pack. According to Microsoft's Web site, the 30M-byte file would take about 90 minutes to download using a 56K-bps (bit-per-second) modem. Some business users balked at the prospect of rolling out such a large and sophisticated software update without thoroughly testing it on their own networks.

One software developer and security expert even published free software on the net to patch the vulnerability without Service Pack 1.

There were also scattered reports of computers or applications crashing following the upgrade.

Last week, however, Microsoft appeared to have abandoned their position on requiring the upgrade to Windows XP Service Pack 1, quietly releasing a security bulletin and a software patch for the Help and Support Center vulnerability that can be installed separately from the service pack. (See http://www.microsoft.com/technet/security/bulletin/ms02-060.asp.)Microsoft also posted a revised statement on their Web site regarding the vulnerability that explained the company's change of heart. (See http://www.microsoft.com/technet/treeview/default.asp?url=/Technet/security/topics/HCP1.asp.)"In this case, we heard from some customers that they have not yet found sufficient time to fully test and deploy Service Pack 1 in order to protect their systems," the statement read, in part. "In recognition of the heightened awareness and customer concern around this issue, Microsoft is working to release an independent fix for this vulnerability."

The revised statement also refuted claims that the company knew about and tried to conceal the vulnerability, and criticism over the refusal to post work-around instructions for the vulnerability in advance of the patch.

"It has been suggested that Microsoft has tried to hide this issue. This is not true," the statement read, pointing to a Microsoft Knowledge Base article on the vulnerability and noting that the list of fixed security holes that accompanied Service Pack 1 included a reference to the Help and Support Center vulnerability.

In response to the criticism for not posting a work-around for the vulnerability, Microsoft stated that no work-around short of a software fix was possible, and indicated that published fixes from third parties were not effective.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?