Microsoft is set to backtracking about the importance of installing the Windows XP service pack update. A leaked e-mail, dated 11 August, from a senior source within Microsoft’s security team says that the company should reduce the severity rating of the update from “Critical” to “Important” - even though it admits that this will mean most users’ machines will remain infested with worms and viruses.
The move follows concerns by sysadmins that the ‘critical’ rating would upgrade unmanaged PCs automatically, causing difficulties for IT departments. But the company recognises that it’s in a difficult position.
“We would need to push consumers to take action to install [SP2] and recognize that many would not do so,” says the executive in the e-mail. “The effect of that is that worms and viruses will propagate through those machines as before. We are between the rock and the hard place,” he added.
Microsoft would not comment on the content of the leaked e-mail but the press office has not confirmed that the severity rating of SP2 remains 'critical'.
Mikko Hypp"nen, director of anti-virus research at Finnish company F-Secure, said the vast majority of malware authors’ create viruses and worms by dissecting patches to uncover the original vulnerability. The technical information contained inside a patch is used to develop the exploit.
By releasing the update as “Important”, Hypp"nen said Microsoft is allowing the “bad guys” to get a head start on creating the next generation of viruses and worms.
“If a fix for a common problem is available, but it's not widely installed to affected computers, it might actually make things worse. ‘Black hat’ hackers get the latest patch, run it, and compare the patched program with the original, un-patched program. This way they can pin-point exactly what was fixed and figure out a way to exploit it,” said Hypp"nen.
Unfortunately, before Microsoft can help the millions of consumers affected by viruses, it has to consider the effect a significant software update will have on its most profitable customers, the large corporates.
According to the Microsoft security advisor’s e-mail, he is worried that IT administrators will lose control over remote worker’s machines that use Auto Update – as recommended on Microsoft’s Web site -- and as a result many remote workers would be locked-out of corporate applications.
“While it is fair to say that they [enterprise customers] knew SP2 was coming… and that it would cause some problems in deployment… they did not know that it would be rated critical. The critical rating means that their unmanaged machines, from remote employees to independent sales staff to contract employees and partners, will be upgraded without the involvement of the IT staff. That is causing them some severe distress,” the Microsoft security executive said.
In order to deploy a service pack or operating system (OS) update reliably, larger organisations usually spend months or even years modifying and testing their applications before starting the migration process.
To ease the transition, Microsoft has launched a software tool that enables IT administrators to hold off the automatic update system for 120 days. But this was never going to be enough.
“As you know, most of our customers take substantially longer [than 120 days] to test and deploy OS upgrades, which is how they view SP2. I agree with the decision that SP2 is a critical upgrade for consumers but… it seems to me that the only solution, which may be unpalatable, is to downgrade the severity of the SP2 release to Important so that the upgrade does not occur automatically,” the security advisor said.
But anti-virus companies are warning that such a move is likely to increase the amount of viruses and worms circulating on the Internet and actually make life worse for most Windows users.
Graham Cluley, senior technology consultant for anti-virus company Sophos, said viruses and worms are likely to be developed specifically to target non-SP2 systems.
“It's quite likely. There will be some people who have either not patched or updated to SP2. Those users will be at risk from attack,” he said.