Microsoft has confirmed that Windows XP Service Pack 3 (SP3) omits a critical security update issued by the company in November 2006.
The company acknowledged the omission while attempting to clarify the impact XP SP3 has on existing installations of Flash Player, an add-on that Microsoft bundled with Windows XP when it first shipped in 2001. Microsoft has patched Flash Player in the past using Windows Update, notably with the security update MS06-069 it issued on November 14, 2006.
MS06-069, the absent update, patched five vulnerabilities in Adobe's Flash Player, and was rated 'critical' by Microsoft, the company's highest threat ranking.
Microsoft did not explain why the patch is missing from the service pack, which it has billed as including "all previously released updates".
Flash Player has made security news of late; last week, for example, researchers revealed that hackers were actively exploiting Flash Player 184.108.40.206, an edition released by Adobe in December 2007. On Monday, it was revealed that Windows XP SP3 shipped with that out-of-date and vulnerable version, rather than the newer and more secure Flash Player 220.127.116.11, which Adobe issued in early April, about two weeks before Microsoft wrapped up the service pack and began distributing it to OEMs.
At the time, Microsoft declined to answer questions about XP SP3 and Flash, including why it wasn't able to add the newest version to XP SP3 and what advice it would give users.
On Tuesday, however, a Microsoft spokeswoman issued a clarification, saying that XP SP3 "does not ship any version of Flash in the Windows XP Service Pack 3 update that customers use to update existing SP2 machines. Any statement that Microsoft installs any versions of Flash Player with Windows XP SP3 is inaccurate".
Instead, the spokeswoman said XP SP3 has a hands-off approach to Flash; it does not disturb whatever version of the popular internet multimedia software that the user has installed. If, for instance, users have upgraded to Flash Player 18.104.22.168 themselves, then that is the version that remains on the PC after the XP SP3 update.
The same goes for users who had earlier applied the MS06-069 patch, which updated Flash to version 22.214.171.124 in late 2006, but who have not refreshed Flash since then. "The Windows XP SP3 update has no impact on systems where customers have applied MS06-069, which has been available to XP users on [Windows Update/Automatic Updates] since November 2006," she said.
That hands-off attitude also extends to new installations of XP SP3. In fact, said Microsoft's spokeswoman, new PCs assembled with the latest service pack don't touch the original 2001 version of Flash 6 bundled with the OS when it debuted. "A new system built using a copy of Windows XP with SP3 integrated will install the original Flash 6 that shipped with Windows XP gold and will need MS06-069 installed from Windows Update," she said.
The situation is odd, said Andrew Storms, director of security operations at nCircle Network Security, and more than a little confusing. "Microsoft calls its service packs cumulative updates, and tells customers they're the new baseline, in this case for installing XP. I don't know of another instance where they've not included all the security patches with a service pack."
Microsoft's own marketing and technical documentation claims that its service packs are all-inclusive. A white paper issued early last month, 'Windows XP Service Pack 3 Overview' (download PDF), states on its title page that: "Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system, and a small number of new updates to ensure that Windows XP customers have the latest updates for their system."
"You'll still need to update Flash after XP SP3," noted Storms. "It still requires manual intervention."
Consumer computer users will be the most likely affected by the missing update, Storms said, since enterprises do - or at least should - test a service pack before deploying it to, for example, determine what currently-supported component or application might be overwritten by the update. "The real significance of this is on the consumer side," said Storms. "In all likelihood, they probably wouldn't notice anything amiss until the next Patch Tuesday, when they read that they have to update Windows and go to Windows Update."
According to Microsoft, Windows Update should display MS06-069 as an available update the first time the service is called after a XP SP3 update. If the user has enabled Windows Update automatic updating, MS06-069 should be downloaded and installed.
Even then, however, users will need to further update Flash Player by visiting the Adobe website. On Tuesday, Microsoft again declined to explain why it had not included an update to Flash Player 126.96.36.199 - the most current edition - with XP SP3.
Storms speculated that Microsoft might issue a patch for the third-party software soon. "It wouldn't surprise me," he said. "Adobe took a lot of flack last week about the SQL-injection attacks."
Storms was referring to last week's disclosure that hackers have been using SQL-injection attacks to compromise legitimate websites, then instructing those sites to redirect visitors to malware hosting servers that try multiple exploits - including one that triggers a bug in Flash Player 188.8.131.52 - to hijack PCs.
"Adobe may have gone to Microsoft and asked for help to update customers," said Storms. "In conversations with our clients, it's clear that users don't update Flash unless they have to."
Microsoft's next security update is scheduled for next Tuesday, June 10.
Users running XP SP3 can determine which version of Flash Player is installed by calling up this Adobe website in their browser. Adobe has recommended that all users update to Version 184.108.40.206.