Microsoft Corp. has responded to criticism from users and issued a software patch for a major security vulnerability in the Windows XP operating system, reversing an earlier decision to require users to upgrade to Windows XP Service Pack 1 to remove the vulnerability.
The security hole exists in the Windows XP Help and Support Center and affects the Microsoft Windows XP Home Edition, Professional, and 64-Bit Edition operating systems, according to information posted on Microsoft’s product support Web site.
By taking advantage of a flaw in code for a feature that sends information on new hardware to Microsoft, an attacker could remotely access a vulnerable machine from a Web page or a link in an e-mail formatted in HTML. Files on the vulnerable machine could be opened or deleted using the vulnerability, according to information posted on Microsoft’s Web site.
Soon after the discovery of the vulnerability, Microsoft issued Service Pack 1 for Windows XP, which patched the vulnerability in addition to a number of other security holes in the XP operating system. Initially, the company refused to issue a separate patch for the vulnerability, citing company policy that favored the use of service packs over patches when fixing vulnerabilities.
The company almost immediately encountered resistance to the hard line approach from across its customer base, however.
Home users who connected to the Internet using dial-up modems objected to the large size of the service pack. According to Microsoft’s Web site, the 30MB file would take about 90 minutes to download using a 56Kbps modem. Some business users balked at the prospect of rolling out such a large and sophisticated software update without thoroughly testing it on their own networks.
One software developer and security expert even published free software on the net to patch the vulnerability without Service Pack 1. There were also scattered reports of computers or applications crashing following the upgrade.
Last week, however, Microsoft appeared to have abandoned their position on requiring the upgrade to Windows XP Service Pack 1, quietly releasing a security bulletin and a software patch for the Help and Support Center vulnerability that can be installed separately from the service pack. (See http://www.microsoft.com/technet/security/bulletin/ms02-060.asp.)
Microsoft also posted a revised statement on their Web site regarding the vulnerability that explained the company’s change of heart. (See http://www.microsoft.com/technet/treeview/default.asp?url=/Technet/security/topics/HCP1.asp.)
“In this case, we heard from some customers that they have not yet found sufficient time to fully test and deploy Service Pack 1 in order to protect their systems,” the statement read, in part. “In recognition of the heightened awareness and customer concern around this issue, Microsoft is working to release an independent fix for this vulnerability.”
The revised statement also refuted claims that the company knew about and tried to conceal the vulnerability and criticism over the refusal to post work-around instructions for the vulnerability in advance of the patch.
“It has been suggested that Microsoft has tried to hide this issue. This is not true,” the statement read, pointing to a Microsoft Knowledge Base article on the vulnerability and noting that the list of fixed security holes that accompanied Service Pack 1 included a reference to the Help and Support Center vulnerability.
In response to the criticism for not posting a work-around for the vulnerability, Microsoft stated that no work-around short of a software fix was possible, and indicated that published fixes from third parties were not effective.