Critical Update for Windows XP Released
Microsoft Corp. timed the release of a “critical update” package to coincide with the launch of its new Windows XP operating system on Thursday.
The software giant says that the Windows XP software update, which is the first such patch of its kind, is designed to fix at least one bug that was detected after the Windows XP development code went gold on August 24th.
The bug, which affects Internet Explorer versions 5.01, 5.5 and 6.0, has to do with the way in which IE processes URLs that refer to third-party Web sites. According to a security bulletin that Microsoft published earlier this month, a malicious hacker could encode a URL “in a particular way” such that she could include spoofed HTTP requests which would be sent to a third-party Web site. At the time, the software giant allowed that if an attacker exploited this vulnerability against a Web-based service, she could “take action on the user’s behalf, including sending a request to delete data.”
The knowledge base article describing the fixes that are included in the first Windows XP software update discusses only the IE bug.
However, a message that Windows XP displays to an end user when it prompts her to download the new software update appears to refer to the presence of other potential vulnerabilities, as well: “This update resolves all critical updates that were found in Windows XP between August 2001 and October 2001. Among the updates included in the package are several that eliminate security vulnerabilities.”
Officials from Microsoft could not immediately be reached to clarify what issues are actually patched in the first Windows XP software update.
The Windows XP critical update offers a test of XP’s integrated automatic update facility, which prompts a user to download and install new software updates. If auto-update works as advertised, a user who purchases a new PC pre-loaded with Windows XP will be greeted with a small icon in the tray area of her start bar when she boots her PC for the first time and connects to the Internet. Likewise, a user who installs or upgrades to Windows XP should be presented with a similar prompt.
According to Russ Cooper, editor of the Windows NT Bugtraq Mailing list, the Windows XP critical update actually patches two IE 6-related vulnerabilities, although it references only a single knowledge base article which deals with only one of the vulnerabilities at issue.
“I suspect that the wording ... was probably written more generically, or was written for IE 5, where there are several vulnerabilities, but there are two [vulnerabilities] in IE 6 and this patches them both,” he explains.
Microsoft’s original security bulletin confirmed the presence of three separate Internet Explorer vulnerabilities, two of which affected IE 6, which ships with Windows XP.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.