Print
Close Window
From: www.itworld.com
Windows XP SP3 omits critical security update
June 4, 2008 —
Microsoft Tuesday confirmed that Windows
XP Service Pack 3 (SP3) omits a critical security update issued by the company
in November 2006.
The company acknowledged the omission while attempting to clarify the impact
XP SP3 has on existing installations of Flash Player, an add-on that Microsoft
bundled with Windows XP when it first shipped in 2001. Microsoft has patched
Flash Player in the past using Windows Update, notably with the security update
MS06-069 it issued Nov. 14, 2006.
MS06-069,
the AWOL update, patched five vulnerabilities in Adobe
Systems Inc.'s Flash Player, and was rated "critical" by Microsoft,
the company's highest threat ranking.
Microsoft did not explain why the patch is missing from the service pack, which
it has billed as including "all previously released updates."
Flash Player has made security news of late; last week, for example, researchers
revealed that hackers were actively exploiting Flash Player 9.0.115.0, an edition
released by Adobe in December 2007. On Monday, Computerworld reported that Windows
XP SP3 shipped
with that out-of-date and vulnerable version, rather than the newer and
more secure Flash Player 9.0.124.0, which Adobe issued in early April, about
two weeks before Microsoft wrapped up the service pack and began distributing
it to OEMs.
At the time, Microsoft declined to answer questions about XP SP3 and Flash,
including why it wasn't able to add the newest version to XP SP3 and what advice
it would give users.
On Tuesday, however, a Microsoft spokeswoman issued a clarification, saying
that XP SP3 "does not ship any version of Flash in the Windows XP Service
Pack 3 update that customers use to update existing SP2 machines. Any statement
that Microsoft installs any versions of Flash Player with Windows XP SP3 is
inaccurate."
Instead, said the spokeswoman in an e-mail, XP SP3 has a hands-off approach
to Flash; it does not disturb whatever version of the popular Internet multimedia
software that the user has installed. If, for instance, users have upgraded
to Flash Player 9.0.115.0 themselves, then that is the version that remains
on the PC after the XP SP3 update.
The same goes for users who had earlier applied the MS06-069 patch, which updated
Flash to version 8.0.33.0 in late 2006, but who have not refreshed Flash since
then. "The Windows XP SP3 update has no impact on systems where customers
have applied MS06-069, which has been available to XP users on [Windows Update/Automatic
Updates] since November 2006," she said.
That hands-off attitude also extends to new installations of XP SP3. In fact,
said Microsoft's spokeswoman, new PCs assembled with the latest service pack
don't touch the original 2001 version of Flash 6 bundled with the OS when it
debuted. "A new system built using a copy of Windows XP with SP3 integrated
will install the original Flash 6 that shipped with Windows XP gold and will
need MS06-069 installed from Windows Update," she said.
The situation is odd, said Andrew
Storms, director of security operations at nCircle Network Security Inc.,
and more than a little confusing. "Microsoft calls its service packs cumulative
updates, and tells customers they're the new baseline, in this case for installing
XP. I don't know of another instance where they've not included all the security
patches with a service pack."
Microsoft's own marketing and technical documentation claims that its service
packs are all-inclusive. A white paper issued early last month, "Windows
XP Service Pack 3 Overview" (download
PDF), states on its title page that: "Windows XP Service Pack 3 (SP3)
includes all previously released updates for the operating system, and a small
number of new updates to ensure that Windows XP customers have the latest updates
for their system."
"You'll still need to update Flash after XP SP3," noted Storms. "It
still requires manual intervention."
Consumer computer users will be the most likely affected by the missing update,
Storms said, since enterprises do -- or at least should -- test a service pack
before deploying it to, for example, determine what currently-supported component
or application might be overwritten by the update. "The real significance
of this is on the consumer side," said Storms. "In all likelihood,
they probably wouldn't notice anything amiss until the next Patch Tuesday, when
they read that they have to update Windows and go to Windows Update."
According to Microsoft, Windows Update should display MS06-069 as an available
update the first time the service is called after a XP SP3 update. If the user
has enabled Windows Update automatic updating, MS06-069 should be downloaded
and installed.
Even then, however, users will need to further update Flash Player by visiting
the Adobe Web site. On Tuesday, Microsoft again declined to explain why it had
not included an update to Flash Player 9.0.124.0 -- the most current edition
-- with XP SP3.
Storms speculated that Microsoft might issue a patch for the third-party software
soon. "It wouldn't surprise me," he said. "Adobe took a lot of
flack last week about the SQL-injection attacks."
Storms was referring to last
week's disclosure that hackers have been using SQL-injection attacks to
compromise legitimate Web sites, then instructing those sites to redirect visitors
to malware hosting servers that try multiple exploits -- including one that
triggers a bug in Flash Player 9.0.115.0 -- to hijack PCs.
"Adobe may have gone to Microsoft and asked for help to update customers,"
said Storms. "In conversations with our clients, it's clear that users
don't update Flash unless they have to."
Microsoft's next security update is scheduled for next Tuesday, June 10.
Users running XP SP3 can determine which version of Flash Player is installed
by calling up this
Adobe page in their browser. Adobe has recommended that all users update
to Version 9.0.124.0.
Computerworld