Critical Update for Windows XP Released

Microsoft Corp. timed the release of a “critical update” package to coincide with the launch of its new Windows XP operating system on Thursday.

The software giant says that the Windows XP software update, which is the first such patch of its kind, is designed to fix at least one bug that was detected after the Windows XP development code went gold on August 24th.

The bug, which affects Internet Explorer versions 5.01, 5.5 and 6.0, has to do with the way in which IE processes URLs that refer to third-party Web sites. According to a security bulletin that Microsoft published earlier this month, a malicious hacker could encode a URL “in a particular way” such that she could include spoofed HTTP requests which would be sent to a third-party Web site. At the time, the software giant allowed that if an attacker exploited this vulnerability against a Web-based service, she could “take action on the user’s behalf, including sending a request to delete data.”

The knowledge base article describing the fixes that are included in the first Windows XP software update discusses only the IE bug.

However, a message that Windows XP displays to an end user when it prompts her to download the new software update appears to refer to the presence of other potential vulnerabilities, as well: “This update resolves all critical updates that were found in Windows XP between August 2001 and October 2001. Among the updates included in the package are several that eliminate security vulnerabilities.”

Officials from Microsoft could not immediately be reached to clarify what issues are actually patched in the first Windows XP software update.

The Windows XP critical update offers a test of XP’s integrated automatic update facility, which prompts a user to download and install new software updates. If auto-update works as advertised, a user who purchases a new PC pre-loaded with Windows XP will be greeted with a small icon in the tray area of her start bar when she boots her PC for the first time and connects to the Internet. A user who installs or upgrades to Windows XP should be presented with a similar prompt.

According to Russ Cooper, editor of the Windows NT Bugtraq Mailing list, the Windows XP critical update actually patches two IE 6-related vulnerabilities, although it references only a single knowledge base article which deals with only one of the vulnerabilities at issue.

“I suspect that the wording ... was probably written more generically, or was written for IE 5, where there are several vulnerabilities, but there are two [vulnerabilities] in IE 6 and this patches them both,” he explains.

Microsoft’s original security bulletin confirmed the presence of three separate Internet Explorer vulnerabilities, two of which affected IE 6, which ships with Windows XP.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

