Microsoft Patches the Patch

Microsoft is only partway into delivering the long-awaited Service Pack 2 for Windows XP to users, yet it has already begun releasing fixes for problems that the mammoth update can cause, however inadvertently. The company has issued what is likely the first of several "hotfix" patches, which developers and analysts say are just a fact of PC life.

"Writing software is a complicated endeavor done by humans, [and] we don't see SP2 as the be-all and end-all, that there will no longer be a need for future patches," says Rob Enderle, principal analyst for technology analysis firm The Enderle Group.

So if you're looking for Windows XP SP2 to solve all present and future problems, keep dreaming. Meanwhile, though, only a tiny fraction of Windows XP users will need to get the new hotfix, released earlier this week not long after SP2 became available. A hotfix is a patch that addresses a specific problem, usually for only one or a few customers, and is not generally distributed to the vast majority of users.

Fixing a Glitch

This first hotfix for Windows XP SP2 patches a problem that SP2 creates for some users of virtual private networks, telecommunications software that is generally used to let workers connect securely--usually to a corporate computer--from a remote location such as home or the road.

The good news is that very few users actually need this patch, according to Ryan Burkhardt, lead program manager for Windows XP SP2 at Microsoft. Additionally, most, if not all, affected VPN users will get the hotfix through their employer's IT department.

Its release, especially so soon after the service pack's rollout, is a reminder that no software is ever perfect, and over time it will need to be patched repeatedly. In addition, because of the popularity of Windows, many people--both crackers and legitimate security researchers--are constantly searching for as yet undiscovered security flaws that can be exploited.

For instance, earlier this week German Internet security portal Heise Security published a security bulletin describing two holes in SP2.

Are they actually bugs? That's still in question, because Microsoft usually does not acknowledge previously unknown security flaws until it has tested and verified the problems and is ready to patch them.

Serving Customers

Security has been a dominant focus, as well as a major source of pain, for the software giant over the past few years, particularly as the world moved onto the Web. Microsoft has touted SP2 for nearly a year as a heavyweight advance in securing users' PCs from attack.

However, Microsoft execs like to say that their toughest competition is the huge installed base of previous versions of its own products. Despite all the focus on Windows XP, that statement is quite true.

Last January, Microsoft buckled under user demands and agreed to continue to provide patches rated "critical" on its four-tier severity rating scale for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. The company extended the support a year and a half beyond its intended expiration, until June 30, 2006.

But although Microsoft has been diligent about patching its more recent Windows versions since that announcement, its developers have lagged in posting patches for Windows 98 and Me users. Two recently announced security holes have not yet been patched for those older systems. One patch, MS04-023, is five weeks behind the Windows XP equivalent, while a second patch, MS04-025, is nearly three weeks late.

Correction: Microsoft did release the two security patches available for those older operating systems. MS04-023 is available as a download for Windows 98 and SE and separately for Windows 98 and 98SE. Also downloadable are versions of MS04-025 for the older versions of Windows.

A Microsoft spokesperson reaffirmed promises that the company will continue to release critical updates for Windows 98, 98 SE, and Me, but declined to commit to a timeframe. Nor would the spokesperson say whether patches might arrive at the same time as patches for newer Windows versions. She also declined to comment on why the patches for the older operating systems are running behind--although it's likely Microsoft's developers have been focused on deploying XP SP2 and quickly patching any consequent bugs.

Harder to Reach

If you use Windows 98, 98 SE, or Me, however, you're far from alone. More than 40 million PC users worldwide still run the older operating systems, says research firm IDC. And Microsoft CEO Steve Ballmer recently said an estimated 650 million PCs are in use globally, which would mean that roughly 1 in 16 users still has one of those older systems.

Luckily, say analysts, many of those users of aging software are not connected to the Internet. Many who are online use only dial-up connections, so they are likely to spend less time online and are at lower risk of attack than business or home users with broadband connections.

Nevertheless, Microsoft has an admitted responsibility to keep protecting those customers, industry watchers say.

"It's still a large number of people who potentially are impacted," says Dan Kusnetzky, vice president of system software research at IDC.
