Microsoft patched critical Windows bug in XP SP3 early
- 15 April, 2008 08:42
The appearance and disappearance of a Windows XP installation snafu indicates that Microsoft patched a critical vulnerability in XP's still-unfinished Service Pack 3 (SP3) weeks before it fixed any other version of Windows. The glitch, which sent some PCs into an endless round of reboots, was strangely similar to one faced by Vista users in February.
Attackers have already tried to exploit that bug, which was patched last Tuesday -- as it turned out, two weeks after the newest build of Windows XP SP3 was released with the flaw fixed.
According to reports from multiple users on a Microsoft support newsgroup, PCs began rebooting immediately after they had been updated to SP3. "I have just updated my pc from xp sp2 to sp3," said a user identified as "yaojinglin" in a message to an SP3 support forum last Thursday. "The installation was successful, but when I reboot my pc after the installation finished, my pc started to reboot again and again."
Nearly two months before, some Windows Vista users experienced similar endless rebooting after an update designed to prepare machines for the upcoming Service Pack 1 (SP1) locked up PCs. It's believed that the similarities are a coincidence.
An explanation emerges
On the XP SP3 support threads, a Microsoft representative named Shashank Bansal stepped into the rebooting discussion, which was beginning to seem as endless as the rebooting itself. Bansal asked for more information, then offered an explanation: "This issue happens with 3311 build of XP SP3. It happens because KB948590 stops installation of SP3 version of gdi32.dll on the system due to file-version differences."
The 3311 build of Windows XP SP3 was released to the general public February 19, and dubbed "Windows XP SP3 Release Candidate 2" by Microsoft. It was superseded by the public release of "Windows XP SP3 RC2 Refresh" on March 25; that version was pegged as Build 5508.
"Using a later SP3 build (5508) would ensure the issue would not happen," Bansal told users whose PCs had been rebooting. He also said that the problem could be solved by booting with a Windows installation disc, selecting the Repair option, then copying the "gdi32.dll" from one directory to another.
That GD... I
The support document that Bansal referenced covers one of the eight security bulletins Microsoft issued last Tuesday, and spells out a pair of critical vulnerabilities in Windows' GDI, or graphics device interface, a core component of the operating system. Within 48 hours of Microsoft patching the GDI, however, attackers had crafted an exploit and were using it in attempts to infect PCs, said Symantec.
Ironically, SP3's endless reboot problem and Bansal's response on the support newsgroups confirmed that the service pack -- which is still in development -- was not only the one version of Windows that did not require a GDI patch, but also that it was patched 14 days before any supported edition of Windows.
"The KB mentioned was released post 3311," said Bansal, talking about the GDI fixes. "The KB carried a version of gdi32 higher than [the version included in] 3311 (as it was released later). This caused the [file version] difference."
The file version conflict caused the reboot error, but affected only users who had patched their copies of Windows XP SP2 with the GDI fixes, then subsequently tried to upgrade to SP3 using an older build of the service pack.
As Bansal had hinted, upgrading with XP SP3 Build 5508 would not create the endless reboot problem, because its version of gdi32.dll was the same as that rolled out last week as part of Patch Tuesday. Comparison of the gdi32.dll files showed as much: the file included with XP SP3 Build 5508 was called version 5.1.2600.5508 and date-stamped as February 28. The patched version issued last week by Microsoft for the 32-bit edition of Windows XP SP2 was called version 5.1.2600.3316 and dated February 20.
Earlier last week, Microsoft's MS08-021 security bulletin -- the one which explains the GDI vulnerabilities -- noted that "Windows XP Service Pack 3 is not affected by this vulnerability." But on Friday, after Microsoft was asked for more information about why XP SP3 was not affected by the GDI bugs, the company yanked the reference to XP SP3 from the bulletin.
A Microsoft spokeswoman said the mention had been a mistake. "The inclusion of Windows XP SP3, which is still in beta, was an editorial oversight," she said in an e-mail. However, she did not explain why other recent operating system updates -- notably Vista SP1 and Server 2008 -- had not been patched prior to their release.
The simplest explanation, said Andrew Storms, director of security operations at nCircle Network Security, was one of timing. "I prefer to stick with the simplest possibility -- Microsoft already knew about the vulnerability and had already delivered [the patch] as part of SP3," Storms said Friday.
That turned out to be true, as XP SP3 Build 5508 -- with the patched gdi32.dll -- was made available two weeks before Microsoft patched the component in the rest of its Windows portfolio.
However, according to the date stamps of the gdi32.dll files included with last week's patches, fixes for Vista SP1 and Server 2008 were finished February 21 and February 22, nearly three weeks after both operating systems were designated as RTM (release to manufacturing), and shipped to OEMs and duplicators.