The configuration change closed a hole in the Windows firewall settings that could open up PCs to attack if the machines had been set to share files or a printer with the local network, said Gary Schare, director of product management for Windows.
"The firewall that we shipped in Service Pack 2 was much better than before, but security could be tightened even further," he said. "We told people (in September) that we would issue a software update and now we have."
The hole could allow anyone to access a PC that has its file sharing exceptions set up in the Windows XP SP2 firewall. The problem affects only those who use dialing software to connect to the Internet, Microsoft indicated in a Knowledge Base article on its Web site.
Microsoft did not classify the configuration issue as a software vulnerability and so did not distribute the configuration update with the patches it released earlier this week, Schare said. In fact, the security group did not handle the issue; the Windows product group did.
"We didn't do as good a job as we intended getting this out," he said. "This fell between the teams. The security team said it wasn't a vulnerability, so we don't handle it, and the product people said they are not used to meeting the monthly update schedule."
Microsoft's Schare said some users complained that the posting of the configuration change wasn't obvious. The company will likely better highlight such bulletins to Windows users in the future.
"We have a process in putting these up," Schare said. "We followed the process, but now we are looking to see if we can do more."
Windows XP users who use Windows update will automatically download the configuration changes.
...
