Without XPdite, Microsoft's Patch, or XP's Service

Click any of the images above for a full size view.

What is going on?
Ever since its original release, Windows XP has contained a critical flaw that could be trivially exploited at any time by any malicious hacker. By causing any Windows XP system to process a specially-formed URL (web-style link), the XP system would obediently delete all or most of the files within any specified directory. (That's not good.)

This flaw is considered critical because these malicious URLs could be delivered to any XP user through any means: via an eMail solicitation, a chat room, a newsgroup posting, a malicious web page, or even processed automatically without the user clicking anything by merely visiting a malicious web page. (That's bad.)

Microsoft was informed of this easily-demonstrated, quite significant, and easily fixed Windows XP defect back in June of 2002. But they chose not to proactively address the significant vulnerability created for their users until the September 9th, 2002, release of Windows XP's first service pack.

Since Windows XP Service Pack 1 repairs many more security, stability, and compatibility problems than just this critical exploit, XPdite should not be considered a replacement for the installation of the whole Service Pack 1. However, reports are that XPdite is much safer to use than Service Pack 1 (see Service Pack 1 caution below) so it may be wise to approach the installation of Service Pack 1 with some caution.

Since the immediate installation of the huge Service Pack 1 may not be feasible for all Windows XP users, or because its installation may cause serious side-effects, and since this vulnerability is so trivially exploited and creates a significant risk to all Windows XP users, I wrote this tiny, quickly and easily downloaded vulnerability patch utility which can be used to instantly patch and secure any Windows XP system against this vulnerability.

The story continues . . .
Microsoft's original response to people (myself vocally among them) suggesting that they should offer a separate patch for this vulnerability was:

This assertion by Microsoft was called into question by the fact that I wrote XPdite in half a day. XPdite completely cures this vulnerability and protects XP users from its exploitation. I didn't develop any "significant technology" to do it - I just changed one insecurely designed file. That's all Microsoft had to do if they had wanted to.

What may have really happened . . .
I believe that someone at Microsoft was probably too busy dealing with the many demands they face, and they simply screwed up. Despite the crushing responsibility they carry, they're only human. If we assume that this was simply an oversight, at this point liability concerns probably prevent them from admitting that they goofed. They may know this internally, but we'll never know whether they know, which makes trusting them just a little bit more difficult today than it was yesterday - especially if this original decision was deliberate.

The take away-lesson from this is: We need to watch our own backs. Microsoft will do what it can, but that won't be enough. And when asked afterward what happened, they won't be able to tell us the truth.

One month later . . .
Presumably due to pressure put on Microsoft by my creation of XPdite, which demonstrated for the entire world how easily this serious vulnerability could actually be fixed, coupled with all of the serious problems being experienced after XP's Service Pack 1 was installed, Microsoft officially reversed their earlier position and released a separate security patch to address this problem: