Microsoft has finally broken its silence over concerns from users that Windows XP Service Pack 3 (SP3) may be vulnerable to online attacks by revealing which XP users need to upgrade their Adobe Flash Player software.
The confusion started on Monday, when the Internet Storm Center pointed out that Microsoft had quietly noted that the recent XP SP3 was vulnerable to five Flash bugs patched in November 2006. Some took this to mean that if an XP system was updated to SP3, it would somehow wind up with an older, buggy, version of the Flash Player.
Microsoft originally declined to comment on the matter, but on Tuesday it reconsidered and said that this is not the case.
"Microsoft does not ship any version of Flash in the Windows XP Service Pack 3 update that customers use to update existing SP2 machines," the company said.
However some people who build new XP systems using SP3 will need to update their software. "A new system built using a copy of Windows XP with SP3 integrated will install the original Flash 6 that shipped with Windows XP Gold and will need MS06-069 installed from Windows Update," Microsoft said.
They should, however, be running the latest version of the player, 220.127.116.11, which includes bug fixes that protect against an attack currently being used by criminals.
Just last week Symantec mistakenly reported that attackers had discovered an unpatched zero-day flaw in the Flash Player. The bug turned out to be something patched in April, but nevertheless, it is being exploited in a fairly widespread attack, so having a vulnerable version of Flash is a dangerous proposition.
But that incident, combined with Microsoft's initial silence on the XP SP 3 issue, has made things tough for Windows users, said Susan Bradley, a Windows blogger who is chief technology officer with Tamiyasu, Smith, Horn and Braun, Accountancy Corp. "It is very confusing," she said. "First we were really freaking out because we thought we had a zero-day," she said, "Now we've got this bulletin that says if you apply this, you're [in trouble]."
Users can find out if their PCs are running the latest version of the player by checking with the Adobe website.