The fix to Windows XP Service Pack 2's (SP2) bundled firewall was outlined in a Knowledgebase article, but not mentioned in any of the security bulletins. Microsoft labeled it a "Critical" vulnerability, which is the most dire of its four security warnings. None of the flaws disclosed Tuesday were rated higher than "Important," the second-highest alert.
According to Microsoft's advisory, "after you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet."
Oops. That could pose a problem for some users, needless to say.
The gaffe lies in the way that SP2's firewall interprets local subnets when the "My network (subnet) only" option is used. The firewall may then interpret the entire Internet to be a local subnet, letting anyone anywhere access the shared drives on the system when it's connected via dial-up.
Users who have Windows XP SP2 set for auto updating will pull down this fix automatically, but others should visit the Windows Update site, where the fix has been posted, or download the patch directly from here.
When asked to explain the lack of a security bulletin for the fix, a Microsoft spokesperson said that "it is not an update that addresses a software code vulnerability, and therefore does not have a bulletin associated with it."
Semantics aside, Microsoft has other resources to explain the problem in SP2, including this article on the dangers of file and print sharing within Windows XP SP2.