Microsoft Tuesday confirmed that Windows XP SP3 (Service Pack 3) omits a critical security update issued by the company in November 2006. The company acknowledged the omission while attempting to clarify the impact XP SP3 has on existing installations of Flash Player, an add-on that Microsoft bundled with Windows XP when it first shipped in 2001. Microsoft has patched Flash Player in the past using Windows Update, notably with the security update MS06-069 it issued Nov. 14, 2006.
MS06-069, the AWOL update, patched five vulnerabilities in Adobe’s Flash Player, and was rated “critical” by Microsoft, the company’s highest threat ranking. Microsoft did not explain why the patch is missing from the service pack, which it has billed as including “all previously released updates.”
Flash Player has made security news of late; last week, for example, researchers revealed that hackers were actively exploiting Flash Player 220.127.116.11, an edition released by Adobe in December 2007. On Monday, Computerworld reported that Windows XP SP3 shipped with that out-of-date and vulnerable version, rather than the newer and more secure Flash Player 18.104.22.168, which Adobe issued in early April, about two weeks before Microsoft wrapped up the service pack and began distributing it to OEMs.