Microsoft Corp. is revising a security patch for Windows XP systems with Service Pack 1 installed after customers complained that installing the patch slowed their systems down to a crawl.
Microsoft is working on a revised patch for Windows XP Service Pack 1 and will re-issue that patch when it has been completed and fully tested, the Redmond, Washington, software maker said in a revised version of its security bulletin MS03-013 posted late Wednesday. (See: http://www.microsoft.com/technet/security/bulletin/MS03-013.asp)
Originally released on April 16, the security bulletin addressed a buffer overrun vulnerability in the Windows kernel, which manages core services for the operating system such as allocating processor time and memory, as well as error handling.
A flaw in the way the kernel passes error messages to a debugger could enable a malicious hacker to take any action on a vulnerable system such as deleting data, reconfiguring the device or modifying user accounts and privileges, Microsoft said in its advisory.
Soon after the patch was released, however, Windows XP users began complaining in online forums of performance problems that appeared after the patch was applied.
Users reported that Windows XP can take up to 10 seconds or even more to start an application after installation of the patch. Removing the patch brings system speed back to normal, Windows XP users wrote in dozens of postings on several online discussion boards.
The company received a "small number" of complaints resulting from "special situations" involving the interaction of XP Service Pack 1 and third party applications following the patch, according to Stephen Toulouse, security program manager at Microsoft's Security Response Center.
Some users experiencing the problem did not even think a patch could be to blame.
"I first blamed my VirusScan, since I had a problem several years ago when VirusScan would run away with my CPU and hog all of the cycles," a high-tech corporate communications consultant in Oakland, California, who asked not to be named, wrote in an e-mail to the IDG News Service. "I had not even considered going to Microsoft tech support."
"I've never called Microsoft. Also, I thought maybe some virus was causing it. So I ran the antivirus software I have. I thought maybe that would take care of it," wrote Sandra D., an aspiring author who uses a PC at her home in Pennsylvania.
Other users with systems suddenly moving at sluggish speed complained that the phone number for Microsoft's help line is hard to find or costs too much.
"I attempted to contact the Microsoft help desk, but when I found there was a substantial fee involved, I declined to do it. Also, because my purchase of Windows XP Professional was made as part of a Dell hardware purchase, the Microsoft Web site said I should contact Dell tech support. I did contact Dell, but they said they could not be responsible for this particular problem because it is a Microsoft problem," wrote one reader who heads up a technology management consultancy near Salt Lake City.
"Microsoft help is usually the very last step I consider. I'm just too overwhelmed by the size and complexity of Microsoft's operating system, Web site, organization, et cetera," wrote Offer P., a home PC user in Israel who was able to restore his system speed to normal after removing the patch.
Toulouse, commenting on the user reaction, said Microsoft's free +1-866-PC SAFETY (+1-866-727-2338) help line for virus-related support is also open for calls from users in the U.S. and Canada on issues with security patches. Users outside the U.S. and Canada can find numbers on Microsoft's support Web site at http://support.microsoft.com/, he said.
"If anyone is having issues I really want them to call the number for support," Toulouse said. So far Microsoft has had hardly any support calls on this Windows XP performance issue, he said.
In updating its security bulletin, Microsoft acknowledged those problems, but said that customers running Windows XP Service Pack 1 should still consider applying the flawed patch as protection until a new version is released.
"Customers are encouraged to review this security bulletin ... (and) assess whether their particular environments demand that the patch should be applied immediately or whether their particular level of risk permits delaying deployment of the patch until it is revised and the performance problem corrected," the company said.
Customers who restrict access between different users on a computer should install this update, Microsoft said in the end-user version of its bulletin. If the PC is only used by a single user or no passwords or other measures are used to limit access to accounts on the computer, it is not important to install this update, according to the bulletin. The end-user bulletin can be viewed at http://www.microsoft.com/security/security_bulletins/ms03-013.asp.
In response to the performance issues, Microsoft has lowered the Windows Update ranking for the security patch so it does not automatically install on systems that have the auto-update feature enabled. Also, the Windows Update Web site no longer displays the patch as critical, but as recommended, according to a Microsoft spokesman who asked not to be named.
"These steps were taken to give customers the opportunity to evaluate the patch before installing it," the spokesman said.
Microsoft is actively involved in finding a solution to the performance problems, in addition to investigating how the faulty patch made it through Microsoft's patch review process, Toulouse said.
Microsoft said it will also publish a knowledge base article that describes what environmental factors produce slow downs when combined with the XP patch and what can be done to reduce the impact of the slow downs should they occur.
That article should be available within the next few days, according to Toulouse. He declined to estimate when an updated patch that resolves the performance issues will be available, however.