
SP2 fix not your typical security update

Microsoft releases a patch for SP2 that may surprise some users, given that it breaks with the Patch Tuesday cycle and was unaccompanied by a security bulletin.

If you're surprised to see a message from Microsoft about a new downloadable patch for Windows XP Service Pack 2 [SP2], you're probably not alone.

News of the patch began circulating on some security message lists last week, but the software giant has since posted an advisory on its Web site. As a message on the Bethesda, Md.-based SANS Internet Storm Center (ISC) Web site indicated Wednesday morning, this fix has caught some users off guard.

ISC notes that lists like Full Disclosure, Bugtraq, and NTbugtraq have been buzzing about the patch since last week, but that Microsoft had not issued a general announcement.

"It is surmised that this is because the patch is not exactly a security patch," the ISC said. "Instead it was more of a hotfix for [a] stop condition/blue screen scenario and is not covered by the standard security bulletins. Since the initial chatter last week about the patch, MS has apparently pushed the patch up a level to be a more critical patch without a security bulletin, which may be forthcoming."

So, the ISC said, those who go to Windows Update or have automatic updates enabled could start seeing this patch at any time.

According to Microsoft's advisory, the patch fixes a condition in which computers running SP2, Windows XP Tablet PC Edition 2005 or Windows Server 2003 unexpectedly stop. "Additionally, the following stop error message appears on a blue screen: Stop 0x05 [INVALID_PROCESS_ATTACH_ATTEMPT]," the advisory said.

"This problem occurs because a coding error in the HTTP.sys file causes stack corruption," the advisory added. "This problem occurs if… TDI [transport driver interface] filter drivers are installed on your computer [and if] the installed TDI filter drivers return STATUS_PENDING to the TDI_SET_EVENT_HANDLER I/O request, so that the call is processed as an asynchronous APC."

TDI filter drivers are typically installed by antivirus or firewall programs, the software giant noted.

Meanwhile, a coding error in the Http.sys file may cause stack corruption when the TDI filter driver finishes processing the TDI_SET_EVENT_HANDLER I/O request asynchronously on a different thread, the advisory said, adding, "The stack for the original thread is overwritten when the I/O request is processed. This causes the stop error message."
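The failure class the advisory describes, reduced to a user-space C model (an added example, not Microsoft's code and not part of the original article): a caller hands a lower layer a pointer into its own stack, the lower layer returns STATUS_PENDING and completes later, and the late write lands on whatever now occupies that stack slot. All function names, the single simulated stack slot and the synchronous stand-in for waiting on completion are assumptions made for illustration.

```c
#include <stdio.h>
/* Simplified user-space model; all names are hypothetical, not HTTP.sys code. */
enum { STATUS_SUCCESS = 0, STATUS_PENDING = 0x103, LOCAL_MARKER = 0x5AFE };

static int sim_stack[1];   /* simulated stack slot, reused by each call */
static int *pending_slot;  /* where a deferred completion writes its status */

/* Lower (filter) layer: completes inline, or defers and returns STATUS_PENDING. */
static int lower_set_event_handler(int *status_slot, int async) {
    if (!async) { *status_slot = STATUS_SUCCESS; return STATUS_SUCCESS; }
    pending_slot = status_slot;
    return STATUS_PENDING;
}

/* Deferred completion, as the filter would run it later on another thread. */
static void complete_pending(void) {
    if (pending_slot) { *pending_slot = STATUS_SUCCESS; pending_slot = NULL; }
}

/* Flawed caller: returns (unwinds its frame) even if the request is pending. */
static int caller_unsafe(int async) {
    sim_stack[0] = -1;
    return lower_set_event_handler(&sim_stack[0], async);
}

/* Corrected caller: does not unwind until the pending request has completed. */
static int caller_safe(int async) {
    sim_stack[0] = -1;
    int status = lower_set_event_handler(&sim_stack[0], async);
    if (status == STATUS_PENDING) {
        complete_pending();  /* stands in for blocking on a completion event */
        status = sim_stack[0];
    }
    return status;
}

/* Runs caller, lets the next function's local reuse the slot, fires any late
   completion, and returns what that local holds afterwards. */
static int local_after_late_completion(int (*caller)(int), int async) {
    caller(async);
    sim_stack[0] = LOCAL_MARKER;  /* next function's local in the same slot */
    complete_pending();
    return sim_stack[0];
}

int main(void) {
    printf("unsafe: 0x%X\n", (unsigned)local_after_late_completion(caller_unsafe, 1));
    printf("safe:   0x%X\n", (unsigned)local_after_late_completion(caller_safe, 1));
    return 0;
}
```

With the flawed caller the next function's local is silently replaced by the late status write; with the corrected caller it survives, and a synchronous lower layer never triggers the problem in either case.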

Microsoft said the problem doesn't occur with the original released version of Windows XP or with Windows XP Service Pack 1.

A Microsoft spokeswoman noted that the company's primary method for distributing software updates to customers is through Windows Update. "This is why we encourage our customers to enable automatic updates within Windows, so that they can receive not just security updates, but also non-security related improvements or enhancements," she said.
