Critical Update for Windows XP Released

Microsoft Corp. timed the release of a “critical update” package to coincide with the launch of its new Windows XP operating system on Thursday.

The software giant says that the Windows XP software update, which is the first such patch of its kind, is designed to fix at least one bug that was detected after the Windows XP development code went gold on August 24th.

The bug, which affects Internet Explorer versions 5.01, 5.5 and 6.0, has to do with the way in which IE processes URLs that refer to third-party Web sites. According to a security bulletin that Microsoft published earlier this month, a malicious hacker could encode a URL “in a particular way” such that she could include spoofed HTTP requests which would be sent to a third-party Web site. At the time, the software giant allowed that if an attacker exploited this vulnerability against a Web-based service, she could “take action on the user’s behalf, including sending a request to delete data.”

The knowledge base article describing the fixes that are included in the first Windows XP software update discusses only the IE bug.

However, a message that Windows XP displays to an end user when it prompts her to download the new software update appears to refer to the presence of other potential vulnerabilities, as well: “This update resolves all critical updates that were found in Windows XP between August 2001 and October 2001. Among the updates included in the package are several that eliminate security vulnerabilities.”

Officials from Microsoft could not immediately be reached to clarify what issues are actually patched in the first Windows XP software update.

The Windows XP critical update offers a test of XP’s integrated automatic update facility, which prompts a user to download and install new software updates. If auto-update works as advertised, a user who purchases a new PC pre-loaded with Windows XP will be greeted with a small icon in the tray area of her start bar when she boots her PC for the first time and connects to the Internet. Likewise, a user who installs or upgrades to Windows XP should be presented with a similar prompt.

According to Russ Cooper, editor of the Windows NT Bugtraq Mailing list, the Windows XP critical update actually patches two IE 6-related vulnerabilities, although it references only a single knowledge base article which deals with only one of the vulnerabilities at issue.

“I suspect that the wording ... was probably written more generically, or was written for IE 5, where there are several vulnerabilities, but there are two [vulnerabilities] in IE 6 and this patches them both,” he explains.

Microsoft’s original security bulletin confirmed the presence of three separate Internet Explorer vulnerabilities, two of which affected IE 6, which ships with Windows XP.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

