Microsoft clears up extra patch confusion

A fix distributed to some Windows XP systems earlier this week is a preventative measure and not a new issue, according to Microsoft.

On Tuesday night, the software giant's WindowsUpdate and AutoUpdate systems applied a patch to many Windows XP systems to fix an issue that originally was patched in November. The patch surprised Microsoft customers - and even some of the software giant's employees - because the company previously had said that there would not be any fixes coming in December.

"Frankly, it was a lack of communication - human error," said Sean Sundwall, a Microsoft spokesman. "At no point was someone vulnerable because of this error."

Microsoft changed a parameter in how the update services decide whether a system needs the fix for the FrontPage Extensions flaw released in November, Sundwall said. Only systems that run Microsoft's web server software, Internet Information Service (IIS), are threatened by the flaw, so the company originally decided to patch only Windows XP systems that had the service running. However, in December, the detection code was changed to expand the patch to the majority of Windows XP computers that weren't running the web server software.

That change resulted in widespread distribution of the fix, Sundwall said. He added that anyone who installed IIS after the November patch would have received the fix through the automated update procedure.

"This patch was totally effective, and everyone who needed it got the patch," he said.

The software giant has updated its security bulletin on the flaw to reflect the change.

Microsoft previously said that it would attempt to make its patching process more intuitive and easy to use. The company moved to a fixed schedule of monthly patches to make the process more predictable for network and system administrators.

Robert Lemos writes for CNET News.com