'Critical' XP flaw patched

Microsoft released a "critical" fix on Thursday for a security issue left unresolved by the Windows XP Service Pack 2.

Gary Schare, director of product management for Windows, said the configuration change closed a hole in the Windows firewall settings that could open up PCs to attack if the machines had been set to share files or a printer with the local network.

"The changes we made in Service Pack 2 were better than before, but they could be narrowed even further," he said. "We told people [in September] that we would issue a software update and now we have."

The hole could allow anyone to access a PC that has its file sharing exceptions set up in the Windows XP SP2 firewall. The problem affects only those who use dialling software to connect to the Internet, Microsoft indicated in a Knowledge Base article on its website.

Microsoft did not classify the configuration issue as a software vulnerability and so did not distribute the configuration update with the patches it released earlier this week, Schare said. In fact, the security group did not handle the issue; the Windows product group did.

"We didn't do as good a job as we intended getting this out," he said. "This fell between the teeth. The security team said it wasn't a vulnerability, so we don't handle it, and the product people said they are not used to meeting the monthly update schedule."

Windows XP users who use Windows update will automatically download the configuration changes.