Microsoft Debuts First Windows XP Security Pack

Update Rollup 1, which has been in beta testing for the past month, is being positioned by Microsoft as a more convenient way for users to deploy patches they might have missed when the original vulnerabilities -- and associated security bulletins -- were posted on the company's Web site.

When discussion of the Rollup first started, analysts saw it as an attempt by Microsoft to provide an interim pack of security updates prior to the release of a second Service Pack for Windows XP, which at that point wasn't expected until the middle of 2004.

As recently as last week, however, Microsoft CEO Steve Ballmer, in a wide-ranging talk about Microsoft's security plans, repeated that Service Pack 2 (SP2) would not release until the half-way point of next year. This week, however, Richard Kaplan, a vice president of content at Microsoft, told an audience at the Citrix Forum in Florida, that SP2 would be available by the end of the year.

No matter what the time frame for SP2, the recently-released rollup meets only half of the criteria that analyst Michael Cherry, of Directions on Microsoft, a research firm that tracks Microsoft's moves in the marketplace, thinks is necessary for success.

"The rollup should be a single installer -- which it is -- but Microsoft should also try to distribute it in newer ways," Cherry said. "It's not as helpful if it's distributed through the normal channels [of download and WindowsUpdate]. I would have liked to see Microsoft put it on a CD, and make that CD widely available."

Such a CD would be a better way to get the 9MB rollup out to customers, such as consumers and small business users, who access the Internet through slow dial-up connections.

One way that the rollup may be used, he added, would be by OEMs, which could conceivably add it to their Windows XP distributions they pre-load on new PCs.

Update Rollup 1, however, is already obsolete, for its nearly two dozen fixes don't include the most recent patches, such as those released Wednesday. Users who deploy the rollup will still need to apply additional patches individually.

The Update Rollup can be downloaded from the Microsoft Web site, or retrieved using Microsoft's WindowsUpdate service. On the latter, it's designated as critical update 826939.

The rollup adds another element to the shifting Microsoft security strategy. In his speech last week at the company's Worldwide Partner Conference in New Orleans, Ballmer announced that the Redmond, Wash.-based developer would switch to a monthly schedule for non-critical security updates, replacing the sporadic Wednesday bulletins and patches.

"It's a non-issue," said Cherry in describing his take on the scheduling shift, "because we're talking about non-critical patches here." Microsoft has said it would continue to release fixes for critical vulnerabilities outside the monthly schedule on a case-by-base basis.

Even so, he took Microsoft to task.

"What Microsoft is saying is that their enterprise customers told them that weekly was too frequent. But the right way to handle the complaint is not to change the duration, but to change the quality of software so that fewer patches are needed."

This story courtesy of TechWeb .