Developers, IT department workers and early adopters have begun to report on their experiences installing Microsofts Windows XP Service Pack 2, and while most say they have had no serious problems installing the update, it hasnt all been smooth sailing, either. Early experiences suggest that the security-oriented upgrade will need extensive testing before IT managers can feel confident that they understand all of the side effects.
In Weblog postings and interviews with eWEEK.com, users have reported everything from unproblematic installs to complete system failures. In between, difficulties varied from confusing user interface changes to broken applications to performance slowdowns. Many said SP2s features improved their confidence in the platforms security; others said they continue to be surprised by minor issues.
"Overall Im still not convinced of SP2s stability, and I keep expecting to find issues with my other applications," wrote developer Kulvinder Maingi in a Weblog post.
One major change with SP2 is the introduction of Windows Firewall, which replaces the old Internet Connection Firewall. It is enabled by default and executes before other programs in an effort to ensure that most Windows users will be protected at the desktop level. Some individual users found the firewall irritating, with its warnings and the need to configure some programs to work with it.
Others felt the firewall was an improvement, including one user who attempted to execute a copy of the Bagle virus. "SP2 blocked the installation of the malicious code with not one but two separate warnings. Someone would have had to go to a lot of trouble to choose to install this virus," wrote author and Windows pundit Ed Bott.
On the other hand, Windows Firewall has a more serious shortcoming, according to critics such as Zone Labs, maker of the ZoneAlarm firewall: It can be turned off by a third party. ZoneAlarm, McAfees Personal Firewall Plus and Symantecs Norton Personal Firewall are all being updated to disable Windows Firewall when they are installed, and switch it back on when they are uninstalled.
And if another firewall or an administrator can switch Windows Firewall off, so could an attacker, argued Zone Labs. Critics also said the firewall should have included outbound blocking, used to stop malicious code from being used in a distributed denial-of-service attack or to send spam, for example.
Microsoft admitted that the firewalls manageability means a malicious user could turn it off in some situations. "But youre in a compromised state if youre at that point," said Microsoft technical specialist David Overton. "Windows Firewall is there primarily to stop unsolicited communications with a PC. It is a management process, not a silver bullet." He said other tools, such as perimeter packet inspection, were more appropriate for stopping malicious outbound packets.
Broken applications were among the most common issues users reported with SP2—something Microsoft has been warning users about for several months—often an effect of changes in Windows XPs security settings. Symantec this week released patches for its Norton anti-virus products enabling them to work with Windows new Security Center. Microsoft has said that some of its own products, such as its customer relationship management software, will need patching to work with SP2.
Users also discovered conflicts with a number of other applications. For example, a peer-to-peer program called eMule is slowed down by an SP2 feature that limits the number of simultaneous TCP connections a program can make to different IP addresses—something that would have blocked worms such as Sasser from spreading, according to Microsoft. Currently, the only fix appears to be a complicated workaround to change Windows TCP/IP parameters.
DivX 5.2 and Dr. DivX 1.0.5, which support DivX-encoded video, dont install properly on SP2 systems; a new feature called Data Execution Protection, designed to eliminate buffer overflows, must be temporarily turned off before running the DivX installer.
Other applications that users reported problems with included remote debugging in Visual Studio.Net 2003, Microsoft Access 2003, Novell BorderManager, Style XP, the Thief III game, Radio Userland, Crimson Editor 3.60, the Tablet PCs OneNote application, the Skype IP telephony program, MSN Messenger and the ATI graphics control panel.