Microsoft Patch Day: The Next Generation

Opinion: Welcome to the SP2 era. Will we have a bifurcated patch day? Will Microsoft be able to move any faster?

Its not really the first patch day of the Windows XP Service Pack 2 era. Last months, Aug. 10, was a few days after the initial release of the massive security-focused update.

But the initial day was anticlimactic, yielding only a single Exchange Server issue, and for an old version at that. But now were over a month since Microsoft finalized the "gold" SP2 code, and we may be about to see how they will handle patches in the post-SP2 era.

The biggest issue is how Microsoft prioritizes patches for vulnerabilities that affect only pre-SP2 versions. I agree with a lot of what my colleague Steven J. Vaughan-Nichols has to say on this matter, but I dont share his pessimistic sense. At the very worst, SP2 is now just another version of Windows they have to deal with.

I expect that for some time Microsoft will have to keep Windows XP SP1 and SP2 tracks for security vulnerabilities. In a very important sense, the SP1 track is more similar to the Windows 2000 track than SP2, because Internet Explorer is so different in Windows XP SP2.

The other thing Im looking out for is whether they move any faster on SP2 vulnerabilities than they have in the past on SP1 and other earlier versions. We have had one important SP2 vulnerability since it was released, the (in)famous drag-and-drop vulnerability. Its not a real killer, but its a bad one, and it demonstrates an oversight in Microsofts lockdown of Internet Explorer in Service Pack 2.

One can only imagine that when Microsoft works on the patch for this vulnerability they will discover underlying problems broader than this particular hole. The report accompanying the patch will expose other problems.

/zimages/5/28571.gifFor insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

But once again Im optimistic because another thing SP2 does is really, really urge you to turn on Automatic Updates. Some experts are uncomfortable with Automatic Updates. Fine, experts can turn them off, but novices should be running them. Enterprises and other expert-run networks can set up their own Windows Software Update Services servers and test patches while still allowing automatic updates to proceed as soon as they think it prudent.

But in either case I think we can expect that more users of SP2 will be getting updates more quickly. SP2 vulnerabilities will have a harder time getting exploited widely unless they appear as day 0 network worms. The drag-and-drop vulnerability, in spite of Secunias typically hysterical claims about outside exploits, dont have the potential to spread widely, and require user interaction and a Web site to host them, both of which are brakes on the spread of the attack.

I cant make up my mind about the severity of the drag-and-drop vulnerability. If its really serious, then I wouldnt expect it this patch day because Microsoft will fix it out of cycle when then can fix it. But if its not that important, then they may wait until next month to fix it, because it hasnt been that long since it was revealed.

In fact, if I had to wager, Id bet on more SP1 patches this month and for a while. There are still a bunch of SP1 vulnerabilities out there unpatched, and now that SP2 is done I would hope they would get some more attention.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page:

More from Larry Seltzer