
Microsoft Patches Lingering Win XP Hole

Workaround aims at critics who seek major-vulnerability fix independent of SP1.

Microsoft has responded to criticism from users and quietly issued a software patch for a major security vulnerability in Windows XP, reversing its earlier stance that users must install Service Pack 1 to plug the hole.

The security hole exists in the Windows XP Help and Support Center and affects the Microsoft Windows XP Home Edition, Professional, and 64-Bit Edition operating systems, according to information posted on Microsoft's product support Web site.

By taking advantage of a flaw in the code for a feature that sends information on new hardware to Microsoft, an attacker could remotely access a vulnerable machine from a Web page or a link in an e-mail formatted in HTML. Files on the vulnerable machine could be opened or deleted through the vulnerability, according to information posted on Microsoft's Web site.

Soon after the discovery of the vulnerability, Microsoft issued Service Pack 1 for Windows XP, which patched the vulnerability in addition to a number of other security holes. Initially, Microsoft refused to issue a separate patch for the vulnerability, saying company policy favors using service packs over patches to plug holes.

Users Dissatisfied

The company almost immediately encountered resistance to the hard-line approach from across its customer base, however.

Home users who connected to the Internet using dial-up modems objected to the large size of the service pack. According to Microsoft's Web site, the 30MB file would take about 90 minutes to download using a 56-kbps modem. Some business users balked at the prospect of rolling out such a large and sophisticated software update without thoroughly testing it on their own networks.

One software developer and security expert even published a free patch to fix the vulnerability without SP1. It became the fix of choice for users who reported problems installing SP1.

However, Microsoft appears to have abandoned its position requiring users to upgrade to Windows XP Service Pack 1. The company has released a security bulletin and patch for the Help and Support Center vulnerability that can be installed separately from the service pack.

Practice Defended

Microsoft has posted a revised statement about the vulnerability on its Web site that explains the company's change of heart.

"In this case, we heard from some customers that they have not yet found sufficient time to fully test and deploy Service Pack 1 in order to protect their systems," the statement reads. "In recognition of the heightened awareness and customer concern around this issue, Microsoft is working to release an independent fix for this vulnerability."

Microsoft's statement also declares that the company did not try to conceal the vulnerability, and dismisses criticism of its refusal to post a workaround before releasing SP1.

"It has been suggested that Microsoft has tried to hide this issue. This is not true," the statement reads, pointing to a Microsoft Knowledge Base article on the vulnerability. Microsoft also notes that SP1 was released with a list of security holes that it fixes, including the Help and Support Center vulnerability.

Microsoft maintains that no workaround short of a software fix was possible, and indicates that published fixes from third parties are not effective.

For his part, the security consultant who offered a workaround fix to Windows XP users who couldn't or didn't wish to install SP1 has noted Microsoft's new policy on his own site. Steve Gibson says his program, XPdite, garnered more than 180,000 downloads before Microsoft reversed its position opposing a separate patch.

Stuart J. Johnston, contributing editor to PC World, assisted with this report.
