Senate approves $1.9 trillion stimulus bill Meghan Markle and Prince Harry with Oprah International Women's Day Apple to discontinue iMac Pro Tom Cruise deepfakes Raya and the Last Dragon

Glitch allows free XP preview--again

A security hole in servers run by Microsoft's Web hosting partner allows people to download a testing version of Windows XP without paying for it for the second time in two weeks.

A security hole in servers run by Conxion, Microsoft's Web hosting partner, allowed people to download a testing version of Windows XP without paying for it for the second time in two weeks.

The glitch, reported Monday by people attempting to download the software and confirmed by CNET, underscores ongoing problems Microsoft has encountered in delivering preview versions of the new operating system to more than 100,000 testers. Those people paid between $10 and $20 for the right to get the software.

Microsoft launched the Windows XP Preview Program on July 2 and ran into trouble right away. A problem discovered during the first week of the program created a back door that allowed free downloads of Windows XP for about 30 hours before it was patched.

The timing isn't exactly good for Conxion either. Delivery of the Windows XP preview is the first time the company has had exclusive responsibility for distributing Microsoft software. Though Conxion has been Microsoft's preferred provider for about five years, the software maker previously operated some of the servers involved in the delivery process.

"In the last 24 hours, unauthorized users exploited a vulnerability in the servers distributing the downloads of the (Windows) XP Release Candidate 1," said Conxion spokeswoman Megan O'Reilly. "The vulnerability, which consisted of an inconsistency in filtering user access, has been removed as of 12:30 p.m. PDT." O'Reilly said the glitch did not affect those making legitimate downloads. Conxion has not yet tabulated the number of illegal downloads.

"This private beta of Windows XP...has turned into a worldwide beta, apparently," said Donny Kavanagh, a Windows XP tester from Ottawa. "Now either Microsoft or Conxion, depending on who configures the servers, are having a hard time keeping it out of the hands of anyone with a Web browser."

The preview program is viewed as an important first step in getting Windows XP ready for its Oct. 25 launch. Previewers receive Windows XP Release Candidate 1 either by download or on a CD, paying $10 or $20, respectively. Release candidates are near-final versions of software before it is released to manufacturing and PC makers.

Typically those choosing the download option receive an e-mail from Conxion with a username, password and download instructions. The Windows XP previewer then links to a Web page where he or she inputs this information and retrieves Conxion's Digital Delivery Manager 2.1 software used for downloading Windows XP.

But CNET successfully downloaded Windows XP Release Candidate 1 on Monday using a standard Web browser without the need for a username, password or the download manager software.

Still, downloading the release candidate doesn't guarantee it can be installed. Official beta testers, or those paying for the preview release, receive a 25-key code for installing the software. More importantly, Windows XP's activation technology requires people to connect to Microsoft servers to "lock" the software to the hardware.

"Unauthorized users who downloaded this distribution still require an authentication key to activate the software," O'Reilly said. "That key is only legally available to authorized users who register and pay for the software."

But several "cracks"--or software code circumventing the activation technology--are available on Internet newsgroups.

"This shows that Microsoft has some more work to do shoring up its activation technology, which is to fight piracy," said Gartner analyst Michael Silver. "If it doesn't fight piracy, it inconveniences honest users."

Office XP and Windows both require product activation, which in part Microsoft uses to thwart software piracy.

Kavanagh believes it is only a matter of time before someone breaks the product activation, after a German a copy-protection company last week disclosed how the technology works. Besides activating over the Internet, people can contact Microsoft to receive a one-time-use, 44-key code for unlocking the software.

"Soon there will be utilities to take the number that Windows XP activation creates for you when you are going to call a Microsoft representative to register over the phone...and generate the same key," Kavanagh said.

Silver agreed that this could happen.

As Microsoft grapples with problems delivering Windows XP Release Candidate 1, several PC makers said the next testing version remains on track. Last week, Microsoft changed its licensing agreements with PC makers, giving them more flexibility customizing the Start menu and offering consumers the option of removing access to Internet Explorer 6.

Those changes will require last-minute tweaking before Microsoft issues Release Candidate 2, which computer manufacturer sources said appears to be on track for July 25 delivery. The gold--or final--Windows XP code is expected a month later.