The appearance and disappearance of a Windows XP installation snafu indicates that Microsoft patched a critical vulnerability in XP's still-unfinished Service Pack 3 (SP3) weeks before it fixed any other version of Windows. The glitch, which sent some PCs into an endless round of reboots, was strangely similar to one faced by Vista users in February.
Attackers have already tried to exploit that bug, which was patched last Tuesday -- as it turned out, two weeks after the newest build of Windows XP SP3 was released with the flaw fixed.
According to reports from multiple users on a Microsoft support newsgroup, PCs began rebooting immediately after they had been updated to SP3. "I have just updated my pc from xp sp2 to sp3," said a user identified as "yaojinglin" in a message to a SP3 support forum last Thursday. "The installation was successful, but when I reboot my pc after the installation finished, my pc started to reboot again and again."
Nearly two months before, some Windows Vista users experienced similar endless rebooting after an update designed to prepare machines for the upcoming Service Pack 1 (SP1) locked up PCs. It's believed that the similarities are a coincidence.
An explanation emerges
On the XP SP3 support threads, a Microsoft representative named Shashank Bansal stepped into the rebooting discussion, which was beginning to seem as endless as the rebooting itself. Bansal asked for more information, then offered an explanation: "This issue happens with 3311 build of XP SP3. It happens because KB948590 stops installation of SP3 version of gdi32.dll on the system due to file-version differences."
The 3311 build of Windows XP SP3 was released to the general public February 19, and dubbed "Windows XP SP3 Release Candidate 2" by Microsoft. It was superseded by the public release of "Windows XP SP3 RC2 Refresh" on March 25; that version was pegged as Build 5508.
"Using a later SP3 build (5508) would ensure the issue would not happen," Bansal told users whose PCs had been rebooting. He also said that the problem could be solved by booting with a Windows installation disc, selecting the Repair option, then copying the "gdi32.dll" from one directory to another.
That GD... I
The support document that Bansal referenced covers one of the eight security bulletins Microsoft issued last Tuesday, and spells out a pair of critical vulnerabilities in Windows' GDI, or graphics device interface, a core component of the operating system. Within 48 hours of Microsoft patching the GDI, however, attackers had crafted an exploit and were using it in attempts to infect PCs, said Symantec.
Ironically, SP3's endless reboot problem and Bansal's response on the support newsgroups confirmed that the service pack -- which is still in development -- was not only the one version of Windows that did not require a GDI patch, but also that it was patched 14 days before any supported edition of Windows.