Information About Security Vulnerability in Windows XP Help and Support Center

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

A security vulnerability in Windows XP, which has been fixed in Service Pack 1, has been a popular topic of discussion. In the interest of helping our customers understand the situation, we'd like to provide some clear, updated information about the vulnerability, the risk it poses, and our efforts to determine the most effective way to help ensure the safety of the greatest number of our customers.

The vulnerability involves a flaw in the Windows XP Help and Support Center; specifically, in a feature that helps customers locate the appropriate device drivers for new hardware. It was reported to the Microsoft Security Response Center, and we worked closely with the finder to investigate it. Both the finder and Microsoft agree on the scope of the vulnerability: it could allow an attacker to delete files on another user's system. An attacker could exploit the vulnerability via a web site or HTML mail. However, the vulnerability provides no way to force a user to the attacker's web site. Likewise, the mail-based attack vector could not be exploited if the user were running Outlook 2002 or Outlook Express 6, or had installed the Outlook Email Security Update on either Outlook 98 or Outlook 2000.

We initially concluded that the best way to deliver the fix was via Windows XP Service Pack 1. This is in keeping with our long-held conviction that service packs, not patches, are the delivery vehicle of choice for security fixes. As we've previously noted, service packs have three distinct advantages over patches:

  • They contain fixes for a large number of bugs. For instance, Service Pack 1 not only contains every previously released security patch for Windows XP, but also contains fixes for many security issues Microsoft discovered during the recent Windows Security Push.

  • They're better tested. Patches are tactical responses, and timeliness is the overriding consideration when we build them. Service packs, in contrast, can be much more extensively tested, and thus the quality is much higher.

  • Their uptake rate dwarfs that of security patches. Customers downloaded almost a million copies of Windows XP Service Pack 1 in the first two days after release, and the uptake rate is, if anything, increasing. No security patch in history has had an uptake rate approaching this.

However, as part of our ongoing commitment to keeping customers' information safe, we also listen closely to customer feedback and look for opportunities to improve the security response process of both Microsoft and our customers. In this case, we heard from some customers that they have not yet found sufficient time to fully test and deploy Service Pack 1 in order to protect their systems from this vulnerability. Therefore, in recognition of the heightened awareness and customer concern around this issue, Microsoft is working to release an independent fix for this vulnerability, so that customers who need it have more time to test and deploy Service Pack 1.

It has been suggested that Microsoft has tried to hide this issue. This is not true. Microsoft Knowledge Base article 328940, which is included in the Security section of the Fix List for Service Pack 1, discusses the vulnerability.

Finally, some critics have suggested that we should have posted workaround instructions. In particular, several third-party commentators have recommended that customers delete one of the Help and Support Center files as a temporary expedient. However, this is not an effective workaround: the same self-healing capabilities that could protect Windows XP against an attack via the vulnerability could also restore the file. In addition, Microsoft didn't just investigate the particular vulnerability that was reported. Per our usual procedures, we also checked neighboring features and functions for related problems, and we did find some. These additional vulnerabilities can only be remediated by installing corrected software.

Windows XP Service Pack 1 is a well-tested release that corrects hundreds of bugs, including security-related ones. We encourage customers to install it at the earliest opportunity to ensure that their systems are fully secure.

Updated September 26, 2002 to reflect Microsoft's decision to produce a fix for this vulnerability separate from Windows XP Service Pack 1. This fix is discussed in Microsoft Security Bulletin MS02-060.