XP Service Pack Said to Fix Major Flaw

Microsoft always urges users to update programs when it ships a Service Pack, but an easily exploited Windows XP flaw makes it especially important that users of the operating system download and install the newly released SP1 promptly, several security experts warn.

The Win XP flaw is described as a still little-known but critical vulnerability, and is described as "trivially easy" to exploit by some who have studied it. It could allow files on any PC running Windows XP to be deleted simply by clicking on a malicious URL, according to bug hunter's reports.

An exploit could be distributed by e-mail as a URL the recipient is invited to click, or posted in a newsgroup or on a Web page.

Urged to Update

However, it is plugged by SP1, says Steve Gibson, a security expert and software developer who warns about the flaw in very general terms on his Web site.

According to Gibson, "this vulnerability is so dangerous that it would be irresponsible for me to say more" about how it works. He claims Microsoft has known of this problem for months but did not immediately post a separate security fix, waiting until SP1.

PC World editors were able to test the flaw, confirming that it works as alleged, and that SP1 appears to block the exploit.

Microsoft representatives initially said they were unaware of reports of a new flaw, but that Windows XP users should keep their versions of the OS up to date. Later, a spokesperson confirmed that SP1 fixes the flaw described by the bug-hunters.

Timely Fix

Microsoft posted the Windows XP SP1 for free download on Monday afternoon. The company says it provides a collection of existing security fixes, driver updates, and other improvements.

Microsoft representatives have urged all Windows XP users to download and install SP1. Future updates to Win XP will require SP1 be installed, says Charmaine Gravning, a product manager.

Gibson and others, however, say its urgent that all Windows XP uses adopt SP1 promptly because it will fix the flaw that Microsoft does not acknowledge.

"The exploitation of a single easily designed URL that immediately erases the files in any directory of a Windows XP system will prove irresistible to the world's script kiddies," Gibson says. "All that's necessary is posting a note anywhere on the Internet for hapless users to click. Game over."

Early reports of the Windows XP vulnerability apparently came from Shane Hird, an Australian bug-hunter, according to Gibson and others. Hird describes the flaw and its exploit on his Service Tracker Web site, and says he notified Microsoft of the hole in June.

"Microsoft has noted they intend to roll the fix into SP1 for XP," Hird says in his report, noting that he "received no objections" when he told Microsoft he would publish the exploit advisory before SP1 posted.

The flaw was also a hot topic in postings on some Usenet and developer discussion groups.

Few Dramatic Changes

Microsoft describes SP1 as an update to "enhance security, reliability, and compatibility." It incorporates many of the bug fixes and minor tweaks, such as new drivers, that Microsoft has posted for download since Windows XP shipped last October.

Other new functions of SP1 are the capability for users and vendors to set the defaults for programs from third parties instead of Microsoft's bundled applications, such as the music players; and even to deactivate access to some of those bundled Microsoft programs.

Users now have a three-day grace period to reactivate their product license when the OS determines it has been installed on a second PC. Microsoft also dropped the price of additional product keys, the so-called family license, by $5, so a second license costs $15 to $30 less than buying another full copy of the OS.

The 137MB SP1 is also available for purchase on a CD for $9.95.

PC World contributing editors Steve Bass, Stuart J. Johnston, and Scott Spanbauer assisted with this report.