October 24, 2002, 2:53 PM — Microsoft Corp. has responded to criticism from users and issued a software patch for a major security vulnerability in the Windows XP operating system, reversing an earlier decision to require users to upgrade to Windows XP Service Pack 1 to remove the vulnerability.
The security hole exists in the Windows XP Help and Support Center and affects the Microsoft Windows XP Home Edition, Professional, and 64-Bit Edition operating systems, according to information posted on Microsoft's product support Web site.
By taking advantage of a flaw in the code for a feature that sends information about new hardware to Microsoft, an attacker could trigger the vulnerability on a machine whose user visited a hostile Web page or followed a link in an e-mail formatted in HTML. Files on the vulnerable machine could then be opened or deleted, according to information posted on Microsoft's Web site.
Soon after the discovery of the vulnerability, Microsoft issued Service Pack 1 for Windows XP, which patched the vulnerability in addition to a number of other security holes in the XP operating system. Initially, the company refused to issue a separate patch for the vulnerability, citing company policy that favored the use of service packs over patches when fixing vulnerabilities.
The company almost immediately encountered resistance to this hard-line approach from across its customer base, however.
Home users who connected to the Internet using dial-up modems objected to the large size of the service pack. According to Microsoft's Web site, the 30MB file would take about 90 minutes to download over a 56Kbps (bits per second) modem. Some business users balked at the prospect of rolling out such a large and complex software update without first testing it thoroughly on their own networks.
One software developer and security expert even published free software on the Internet to patch the vulnerability without installing Service Pack 1.
There were also scattered reports of computers or applications crashing following the upgrade.
Last week, however, Microsoft appeared to abandon its position on requiring the upgrade to Windows XP Service Pack 1, quietly releasing a security bulletin and a software patch for the Help and Support Center vulnerability that can be installed independently of the service pack.
Microsoft also posted a revised statement on its Web site regarding the vulnerability that explained the company's change of heart.