'Critical' XP flaw patched

'Um... You know how we said there'd be no more patches? Well there's just this one... And it's quite important...'

By Robert Lemos, 17 December 2004 15:20

Microsoft released a "critical" fix on Thursday for a security issue left unresolved by Windows XP Service Pack 2.

Gary Schare, director of product management for Windows, said the configuration change closed a hole in the Windows firewall settings that could open up PCs to attack if the machines had been set to share files or a printer with the local network.

"The changes we made in Service Pack 2 were better than before, but they could be narrowed even further," he said. "We told people [in September] that we would issue a software update and now we have."

The hole could allow anyone to access a PC that has its file sharing exceptions set up in the Windows XP SP2 firewall. The problem affects only those who use dialling software to connect to the Internet, Microsoft indicated in a Knowledge Base article on its website.

Microsoft did not classify the configuration issue as a software vulnerability and so did not distribute the configuration update with the patches it released earlier this week, Schare said. In fact, the security group did not handle the issue; the Windows product group did.

"We didn't do as good a job as we intended getting this out," he said. "This fell between the teeth. The security team said it wasn't a vulnerability, so we don't handle it, and the product people said they are not used to meeting the monthly update schedule."

Windows XP users who use Windows Update will automatically download the configuration changes.

Comments

There are 7 comments.

  1. anonymous

    Wish I could say I was surprised...

  2. Barry Haeger

    XP Patch is supposed to make things better right? Wrong! Since applying last Thursday's patch to my home PC (XP Home) it has become totally unstable. It continually freezes and crashes. System Restore to a point two days before the patch failed to resolve the instability. I have had to unpick the configuration application by application and as soon as one troublesome app is removed another begins to cause problems. The latest is unexpected restart every few minutes. Thanks Bill and a Merry Christmas to you.

  3. Rich White

    'Patch' implies hole, which in turn implies a lack of proper testing before release....

  4. anonymous

    My system also became unstable after installing the patch. Not sure which one it was, as there were 4 different Hotfixes installed that day. I noticed the problem immediately and knew right away that it had to be related to the just-installed patches. I went to Add/Remove Programs and found that something also caused the "show updates" box to be unchecked. Easily resolved by just checking it again, but annoying just the same. I uninstalled the 4 updates (not knowing which one actually caused the problem) and set my automatic updates to "ask me before installing" (I know I should have had it here to begin with, but sometimes we learn the hard way). The problem was still not resolved. I restarted twice, tried to restore to an earlier time twice (it said it could not do it the first time), and when I checked the updates again, it had unchecked the 'show updates' box again and installed one more patch without first asking me. I clicked to uninstall this patch (which was one of the four I had uninstalled before) and this time a window popped up that said if I continued with the uninstall, the following programs might no longer work properly - then it listed almost every program and application on my hard drive! I uninstalled anyway, restarted, and still my computer runs slower than it did before and occasionally freezes up or the screen just goes black without shutting down, but I can't get it to do anything but show me a black screen until I hold the power button down until it restarts. Sorry for venting my frustration, but this is a fairly new computer and I've got over a gigabyte of RAM and now it is running like it only has about 256k of RAM! I think it was the patch itself that was flawed!! Has anyone come up with a way to resolve this problem?

  5. anonymous

    "Fell between the teeth" - that's a new phrase to me with interesting connotations

  6. Rick Halpert

    This is typical of Microsoft, which still does not get how important security is to its user community. XP was originally billed as the "most secure" o/s yet from Microsoft. Those of us who have long experience with MS knew better. Microsoft knows how to talk the talk but stumbles when it comes time to walk the walk. After all, putting out a truly secure product would cost a bit more in the development cycle. So, just talk the talk and put out yet another insecure o/s. And then rely on endless patches to plug holes that should never have existed in a fully functioning product. Better to use the public as a beta tester than spend the necessary resources to plug these holes prior to release.

  7. anonymous

    1/3/2004

    I went to Windows Update to get this update, and it said there were no new updates. I had not got any updates for 2 weeks so the question is "Where is it?"
