We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Critical security update missing from XP SP3

Microsoft fails to explain missing patch

The situation is odd, said Andrew Storms, director of security operations at nCircle Network Security, and more than a little confusing. "Microsoft calls its service packs cumulative updates, and tells customers they're the new baseline, in this case for installing XP. I don't know of another instance where they've not included all the security patches with a service pack."

Microsoft's own marketing and technical documentation claims that its service packs are all-inclusive. A white paper issued early last month, 'Windows XP Service Pack 3 Overview' (download PDF), states on its title page that: "Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system, and a small number of new updates to ensure that Windows XP customers have the latest updates for their system."

"You'll still need to update Flash after XP SP3," noted Storms. "It still requires manual intervention."

Consumer computer users will be the most likely affected by the missing update, Storms said, since enterprises do - or at least should - test a service pack before deploying it to, for example, determine what currently-supported component or application might be overwritten by the update. "The real significance of this is on the consumer side," said Storms. "In all likelihood, they probably wouldn't notice anything amiss until the next Patch Tuesday, when they read that they have to update Windows and go to Windows Update."

According to Microsoft, Windows Update should display MS06-069 as an available update the first time the service is called after a XP SP3 update. If the user has enabled Windows Update automatic updating, MS06-069 should be downloaded and installed.

Even then, however, users will need to further update Flash Player by visiting the Adobe website. On Tuesday, Microsoft again declined to explain why it had not included an update to Flash Player 9.0.124.0 - the most current edition - with XP SP3.

Storms speculated that Microsoft might issue a patch for the third-party software soon. "It wouldn't surprise me," he said. "Adobe took a lot of flack last week about the SQL-injection attacks."

Storms was referring to last week's disclosure that hackers have been using SQL-injection attacks to compromise legitimate websites, then instructing those sites to redirect visitors to malware hosting servers that try multiple exploits - including one that triggers a bug in Flash Player 9.0.115.0 - to hijack PCs.
"Adobe may have gone to Microsoft and asked for help to update customers," said Storms. "In conversations with our clients, it's clear that users don't update Flash unless they have to."

Microsoft's next security update is scheduled for next Tuesday, June 10.

Users running XP SP3 can determine which version of Flash Player is installed by calling up this Adobe website in their browser. Adobe has recommended that all users update to Version 9.0.124.0.

Click here for Computex 2008 breaking news


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips: Complete Guide to OS X Yosemite