On Monday, Microsoft released an out-of-band security patch to address the .LNK vulnerability. The vulnerability affects Windows XP, including Windows XP SP2. Here's the problem: there's no patch for Windows XP SP2. Extended support for Windows XP SP2 ended July 31, 2010. Since this patch was released August 2, 2010, SP2 wasn't covered. If you're on Windows XP SP3, you're covered. But not on SP2. And not surprisingly, right after the patch was released, there were emails on the patch management lists I'm on asking whether the patch installed on SP2. It didn't. And there were some folks asking what to do next. There's a registry hack, but it's not pretty. Its effects aren't very user-friendly, either. But if you're on SP2, that's your only real recourse (other than upgrading to XP SP3). Interestingly, not many folks are screaming at Microsoft. Here's why:
Basically, Windows XP SP3 has been available for over 2 years. Earlier this year, my organization's Microsoft contacts sent a barrage of emails reminding us that Windows XP SP2 support was coming to an end. We got the same barrage of emails when Windows 2000 support was ending, and a similar barrage for SQL Server 2000 SP3. Microsoft has been very good about sending out reminders as well as giving customers enough time to make the transition to a new service pack. It used to be that you got 1 year after the new service pack shipped. So if we look at those dates, that would have meant May 6, 2009. But Microsoft gave a year plus extra on Windows XP SP2, just as they did with Windows Server 2003 SP1. And their reminders came out months ahead of time, which should have given everyone enough time to get SP3 in. So what happened?
What likely happened in a lot of organizations is that the service pack got pushed back because it was maintenance. Maintenance often gets kicked to the back of the line. Maintenance doesn't earn you extra money; it costs you money. Money and time. And so a lot of organizations probably took the attitude of "We'll get to it." Unfortunately, the first major security patch came just after extended support for Windows XP SP2 ended. And now there are quite a few security and systems people stuck between a rock and a hard place. They want to keep the systems secure, but they weren't allowed to execute SP3 testing and deployment in a timely manner. And now there are exploits out there taking advantage of this vulnerability, which completely compromises the system.
Maintenance isn't sexy. It never will be. But it's an absolute necessity, especially when it comes to security in this day and age. With over two years since SP3 was released as a buffer, as well as the release of two new client operating systems (Vista and Windows 7), there were options and there was time. But the operations staff needs the go-ahead from management to do the testing, plan the deployment, and execute. Maintenance is a lot like training. There's rarely a convenient time. But it's part of the cost of doing business, to borrow an appropriate cliché. Therefore, it must be planned for. It must be put in the timeline and done. Otherwise, key systems are left exposed and businesses are vulnerable.