Answering critics, Microsoft patches XP

Microsoft Corp. has responded to criticism from users and issued a software patch for a major security vulnerability in the Windows XP operating system, reversing an earlier decision to require users to upgrade to Windows XP Service Pack 1 to remove the vulnerability.

The security hole exists in the Windows XP Help and Support Center and affects the Microsoft Windows XP Home Edition, Professional, and 64-Bit Edition operating systems, according to information posted on Microsoft's product support Web site.

By taking advantage of a flaw in code for a feature that sends information on new hardware to Microsoft, an attacker could remotely access a vulnerable machine from a Web page or a link in an e-mail formatted in HTML. Files on the vulnerable machine could be opened or deleted using the vulnerability, according to information posted on Microsoft's Web site.

Soon after the discovery of the vulnerability, Microsoft issued Service Pack 1 for Windows XP, which patched the vulnerability in addition to a number of other security holes in the XP operating system. Initially, the company refused to issue a separate patch for the vulnerability, citing company policy that favored the use of service packs over patches when fixing vulnerabilities.

The company almost immediately encountered resistance to the hard line approach from across its customer base, however.

Home users who connected to the Internet using dial-up modems objected to the large size of the service pack. According to Microsoft's Web site, the 30M-byte file would take about 90 minutes to download using a 56K-bps (bit-per-second) modem. Some business users balked at the prospect of rolling out such a large and sophisticated software update without thoroughly testing it on their own networks.

One software developer and security expert even published free software on the net to patch the vulnerability without Service Pack 1.

There were also scattered reports of computers or applications crashing following the upgrade.

Last week, however, Microsoft appeared to have abandoned their position on requiring the upgrade to Windows XP Service Pack 1, quietly releasing a security bulletin and a software patch for the Help and Support Center vulnerability that can be installed separately from the service pack. (See http://www.microsoft.com/technet/security/bulletin/ms02-060.asp.)Microsoft also posted a revised statement on their Web site regarding the vulnerability that explained the company's change of heart. (See http://www.microsoft.com/technet/treeview/default.asp?url=/Technet/security/topics/HCP1.asp.)"In this case, we heard from some customers that they have not yet found sufficient time to fully test and deploy Service Pack 1 in order to protect their systems," the statement read, in part. "In recognition of the heightened awareness and customer concern around this issue, Microsoft is working to release an independent fix for this vulnerability."

The revised statement also refuted claims that the company knew about and tried to conceal the vulnerability, and criticism over the refusal to post work-around instructions for the vulnerability in advance of the patch.

"It has been suggested that Microsoft has tried to hide this issue. This is not true," the statement read, pointing to a Microsoft Knowledge Base article on the vulnerability and noting that the list of fixed security holes that accompanied Service Pack 1 included a reference to the Help and Support Center vulnerability.

In response to the criticism for not posting a work-around for the vulnerability, Microsoft stated that no work-around short of a software fix was possible, and indicated that published fixes from third parties were not effective.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?