Real Problems

By Larry Seltzer  |  Posted 2004-07-19

Of course, there are real problems, and I've been a victim of one of them myself. A Web-based application I use regularly breaks under Windows XP SP2. The developers haven't figured out the exact problem yet—I don't have the source, so it would be difficult for me to figure out the problem—but I wouldn't be at all surprised to find out that what it was choking on was something the developer really didn't want to do, like overflowing a buffer.

Users of SP2 get a lot of warnings, especially early on in using it, when they try to run programs that break policy. Rarely are you actually prevented from doing anything, just warned and asked to make a conscious decision to engage in activity that could be insecure.

Microsoft has developed extensive tools for deploying and managing SP2 on a managed network, and I agree with TruSecure's Cooper that enterprises will likely use these tools to roll SP2 out in a relatively crippled state. Consider this paper on managing the Windows firewall on a network. They can then turn on features as they are more thoroughly tested, or turn them off if they cause problems in the real-world deployment.

For all the whining Microsoft is getting now, there's no serious argument to make that these changes aren't necessary. The next year or so will be a busy one for Microsoft support, but things will get better thereafter.

And a willingness on Microsoft's part to break these old, dangerous applications is more important than just cleaning up an existing mess. It's also a break with the past and with Microsoft's enthusiasm for letting developers make programs that do whatever they want. Security means that programs need to have bounds, and those bounds need to be enforced. It must be a scary thing for Microsoft, but it's an important moment, and they need to move on with it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.com's Security Center for security news, views and analysis.


Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
