Microsoft Readies Interim Security Pack For Windows XP

In the e-mail, Microsoft put out a call for testers to try out two versions of an interim security pack that will integrate nearly two dozen previously-released patches.

"This update consists of 22 previously released critical and security updates for Windows XP rolled into one convenient package," said Microsoft in the e-mail. "Installing this item provides the same results as installing the individual updates."

The full version of the security service pack -- which Microsoft is calling Update Rollup -- will include all 22 security fixes since Windows XP originally released in October, 2001. The express edition will include only those patches distributed by Microsoft since XP Service Pack (SP) 1 debuted in September, 2002.

The test period for the update is just two weeks -- from Wednesday, September 10, to September 24 -- giving fuel to speculation that the Redmond, Wash.-based developer is pushing to get the rollup out the door as quickly as possible.

Michael Cherry, an analyst with Directions on Microsoft, a research firm that specializes in following Microsoft's moves, thought an interim pack was a step in the right direction to mollify users frustrated with the plethora of security fixes. Earlier, Cherry had criticized Microsoft for the long lag between service pack releases for Windows XP.

"I just think they're now trying to get a handle on [security issues]," he said, and applauded the interim release, if only because "security fixes are such a large component of service packs."

Most analysts had expected to see Service Pack 2 (SP2) appear sometime this year, based on past gaps between packs on other operating systems out of Redmond.

The Update Rollup will only download and install patches which have not been previously installed on a machines, so Windows XP users won't be forced to do double downloads, said Microsoft. The original 22 individual security updates will continue to be offered through Microsoft's Auto Update mechanism, as well as its WindowsUpdate Web site.

However, neither the full nor the express versions of Update Rollup will be tied to the Auto Update process, forcing users to manually download and install the Rollup.

"The question, however, becomes what customers' expectations should be [of the Rollup]," said Cherry. "Does it imply an increase level of testing, or just a repackaging? Hot fixes, the kind released on Wednesdays by Microsoft, are done fast, with minimal testing, but a Service Pack should be tested like a product," he said.

"Where do we put this rollout?" he asked. "If there's a bad patch in there, we'll all be mad at them."

By all indications, the Update Rollup will be more of a repackaging than a service pack with extensive testing behind it.

Among the proof: The patch for the vulnerability disclosed by Microsoft only Wednesday is among the 22 fixes.

Also included in the collection is the patch closing the vulnerability that the MSBlaster worm exploited in August, an attack that plagued more than half a million computers worldwide, according to security firm Symantec, and which forced some companies and organizations, including numerous universities, to temporarily shut down their networks while they insured that all systems had been patched.

In August, Microsoft published a road map to upcoming Service Packs for its various versions of Windows, XP included. At that time, the road map indicated that SP2 for Windows XP wouldn't release until around the middle of 2004.

At that time, a spokeswoman for Microsoft defended the long span between Service Packs by touting WindowsUpdate, the company's patch-providing service. "WindowsUpdate has been a great delivery mechanism between service packs," she said.

But with the MSBlaster attacks, and new vulnerabilities being disclosed almost weekly, Microsoft has come under pressure to deliver a more coherent patching mechanism, as well as improve the overall security of Windows. The Update Rollout could be Microsoft's answer.

"They're really struggling with this," said Cherry. "But the Windows guys are trying to figure this out."

Microsoft did not respond to calls for comment Thursday on the impending release of the interim security Update Rollup.

This story courtesy of TechWeb .