Microsoft is backing away from its position on the importance of installing Windows XP Service Pack 2 (SP2).
A leaked e-mail, dated 11 August, from a senior source in Microsoft’s security team, said the company should reduce the severity rating of the update from “critical” to “important”, even though it admits that this will mean most users’ machines will remain infected with worms and viruses.
The move follows concerns from systems administrators that the critical rating would upgrade unmanaged PCs automatically, causing difficulties for IT departments. But Microsoft recognises that it is in a difficult position.
“We would need to push consumers to take action to install [SP2] and recognise that many would not do so,” said the e-mail. “The effect of that is that worms and viruses will propagate through those machines as before. We are between the rock and the hard place."
Microsoft would not comment on the content of the leaked e-mail, and its press office has not confirmed whether the severity rating of SP2 remains critical.
Mikko Hyppönen, director of anti-virus research at Finnish company F-Secure, said the vast majority of malware authors create viruses and worms by dissecting patches to uncover the original vulnerability: the technical information contained in a patch is used to develop the exploit.
By releasing the update rated only as important, Hyppönen said, Microsoft is giving hackers a head start on creating the next generation of viruses and worms.
“If a fix for a common problem is available, but it's not widely installed on affected computers, it might actually make things worse. ‘Black hat’ hackers get the latest patch, run it, and compare the patched program with the original, unpatched program. This way they can pinpoint exactly what was fixed and figure out a way to exploit it,” said Hyppönen.
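The comparison Hyppönen describes is usually called patch diffing. The following Python is an added example, not code from the article, F-Secure or Microsoft: it takes an unpatched and a patched build, hashes each function body to discard the unchanged ones, and then lists the exact bytes that differ in the functions that did change, which is where an attacker starts looking for the fixed bug. The two images, their symbol table and the byte values are all constructed here (the bytes are only loosely x86-shaped placeholders and are not meant to disassemble); real work operates on the actual PE files and uses a disassembler or a tool such as BinDiff to match functions that the patch moved.

```python
import hashlib

# Constructed symbol table shared by both builds: name -> (offset, size).
# Assumes the patch did not move or resize functions, which a minimal fix
# often satisfies; real tooling matches functions by structure instead.
SYMBOLS = {
    "parse_header": (0x00, 16),
    "copy_payload": (0x10, 16),
    "send_reply":   (0x20, 16),
}

# Constructed images. Only copy_payload differs between the two builds: the
# patched version stands in for a copy loop with a length check added.
_HEADER = bytes(range(0x00, 0x10))
_REPLY = bytes(range(0x20, 0x30))
UNPATCHED = _HEADER + bytes([
    0x55, 0x8b, 0xec, 0x8b, 0x45, 0x08, 0x8b, 0x4d,
    0x0c, 0xf3, 0xa4, 0x5d, 0xc3, 0x90, 0x90, 0x90,
]) + _REPLY
PATCHED = _HEADER + bytes([
    0x55, 0x8b, 0xec, 0x8b, 0x45, 0x08, 0x8b, 0x4d,
    0x0c, 0x83, 0xf9, 0x40, 0x77, 0x02, 0xf3, 0xa4,
]) + _REPLY


def function_hashes(image, symbols):
    """Hash each function body so unchanged functions can be discarded fast."""
    return {name: hashlib.sha256(image[off:off + size]).hexdigest()
            for name, (off, size) in symbols.items()}


def changed_functions(old, new, symbols):
    """Names of the functions whose bytes differ between the two builds."""
    if len(old) != len(new):
        # Layout changed; a simple offset-based comparison is not valid.
        raise ValueError("images differ in size; match functions structurally")
    old_h = function_hashes(old, symbols)
    new_h = function_hashes(new, symbols)
    return [name for name in symbols if old_h[name] != new_h[name]]


def byte_diff(old, new, symbols, name):
    """(absolute offset, old byte, new byte) for each differing byte in one function."""
    off, size = symbols[name]
    return [(off + i, old[off + i], new[off + i])
            for i in range(size) if old[off + i] != new[off + i]]


def diff_report(old, new, symbols):
    """Map each changed function to its byte-level differences."""
    return {name: byte_diff(old, new, symbols, name)
            for name in changed_functions(old, new, symbols)}


if __name__ == "__main__":
    for name, diffs in diff_report(UNPATCHED, PATCHED, SYMBOLS).items():
        print(f"{name}: {len(diffs)} byte(s) changed")
        for off, before, after in diffs:
            print(f"  0x{off:04x}: {before:02x} -> {after:02x}")
```

On the constructed input the report names only `copy_payload`, with seven changed bytes from offset 0x19 onward; the unchanged `parse_header` and `send_reply` never need to be examined. That narrowing is the whole point of the technique: the patch itself tells the attacker which function to reverse-engineer.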
But Microsoft has to consider the effect a significant software update will have on its most profitable customers, the large corporates.
The Microsoft security adviser’s e-mail also voices concern that IT administrators will lose control over remote workers' machines that use Automatic Updates, and that as a result many remote workers would be locked out of corporate applications.
“While it is fair to say that they [enterprise customers] knew SP2 was coming… and that it would cause some problems in deployment… they did not know that it would be rated critical. The critical rating means that their unmanaged machines, from remote employees to independent sales staff to contract employees and partners, will be upgraded without the involvement of the IT staff. That is causing them some severe distress,” the Microsoft security executive said.
In order to deploy a service pack or operating system update reliably, larger organisations usually spend months or even years modifying and testing their applications before starting the migration process.
To ease the transition, Microsoft has released a tool that lets IT administrators hold off automatic delivery of SP2 for 120 days. But this was never going to be enough.
“As you know, most of our customers take substantially longer [than 120 days] to test and deploy OS upgrades, which is how they view SP2. I agree with the decision that SP2 is a critical upgrade for consumers but… it seems to me that the only solution, which may be unpalatable, is to downgrade the severity of the SP2 release to important so that the upgrade does not occur automatically,” the security adviser said.
Munir Kotadia writes for Techworld