The First XP SP3 Security Vulnerability

The third and final service pack for Windows XP is not even out, and Microsoft is already hammering away at it plugging security soles. Although it debuted in full development alongside Windows Vista SP1, Windows XP Service Pack 3 is yet to be finalized with the delivery planned by mid-2008. Since the end of March 2008, Microsoft managed to sweep XP SP3 under the rug, but until the past month, the service pack was very much still a work in progress.

Case in point the first security vulnerability affecting XP SP3, fixed even before the service pack was finalized. Sometime between late February and the end of March, the Redmond company solved an issue in the Windows graphics device interface. When it released Microsoft Security Bulletin MS08-021 labeled with a maximum severity rating of Critical, Microsoft stated that despite the fact that all Widows operating system, either on the server or on the client's side were affected, XP SP3 was not.

The reason for this, spotted by ComputerWorld over on the Microsoft Forum is the fact that update 948590 had already been integrated into XP SP3 when the company released Release Candidate 2 Build 5508. Microsoft's Shashank Bansal, answering to an user report of failed integration of KB948590 with XP SP3, revealed that the "issue happens with 3311 build of XP SP3. RC2 Refresh build 5508 does not encounter this issue. It happens because KB948590 stops installation of SP3 version of gdi32.dll on the system due to file version differences."

The security bulletin designed to patch the GDI vulnerabilities affected a wide array of Windows operating systems including Vista SP1 and Windows Server 2008. Also XP SP3 RC2 Build 3311 seems to have been vulnerable, but the issue was solved with the release of XP SP3 RC2 Refresh Build 5508. "The KB mentioned was released post 3311. As 3311 build carried updated released till the date it went public, the new KB was not included. The KB carried a version of gdi32 higher than 3311 (as it was released later). This caused the difference," Bansal added.

Windows XP Service Pack 3 Release Candidate 2 Refresh can be downloaded from here.

MORE RELATED ARTICLES: The Evolving DirectX 10.1 in Vista SP1 RTM Plus 10.1 Capable Hardware The Only Way for Windows XP SP3 Is Down Updated Automated Installation Kit for Vista SP1 Available, XP SP3 Ignored Windows XP SP3 Build 5573 – XP SP3 RC2 Refresh Goes Back in Time From XP SP3 to Vista RTM/SP1 – All Pirated, Yet Microsoft Claims Anti-Piracy Progress XP SP3 RC2 Refresh Leaves Vista SP1 RTM in the Dust Onward to Beta 2 – The Second Wave of IE8 Beta 1 Downloads Is Here Windows XP SP3 Gets Its First Taste of Vulnerabilities Microsoft Got Windows on ASUS Eee PC, but not XP SP3 or Vista SP1 2009 – 2010 - Windows 7 from Milestone Builds to the Beta and Final Versions