Windows XP SP2 Plugs Security Holes

By Jason Brooks  |  Posted 2004-08-23

Executive Summary

Two and a half years after the initial release of Windows XP, Microsoft Corp.'s Service Pack 2 advances the state of Windows security: The update plugs long-standing vulnerabilities in Windows services and modifies key applications, such as its Internet Explorer and the system firewall, to make it easier for users and administrators to monitor and control what's happening on Windows XP machines.



With the appropriate amount of testing before deployment to production systems—to identify and work around potential application compatibility issues—eWEEK Labs believes the improvements in SP2 are compelling enough to recommend the upgrade for all Windows XP systems.

That said, work remains to be done on Windows security. We'd like to see Microsoft improve the operating system's user permission controls; it's still a hassle to run applications as a regular user without administrative privileges. Also, although Windows Update Version 5, the release of which coincides with SP2, has undergone some nice improvements, we'd like to see a unified packaging and software update system on par with the Debian Linux distribution's Advanced Package Tool.

We've been testing SP2 throughout its beta cycle and have found it relatively free of problems. Most of the products with which we tested SP2 had updates available. This is likely due in large part to SP2's long and very public beta program.


Of course, in the nearly 300MB across which this service pack stretches, there's plenty of potential for application breakage, particularly with networked and Web-based applications that companies have developed in-house. It will be important for companies to test SP2 in their environment before fully deploying the update.

In fact, SP2 brings to light applications developed with lax security. SP2 enforces tighter adherence to the security models within Windows than did the gold or SP1 releases of XP, so a good deal of the breakage we saw resulted from products that weren't developed securely in the first place.

SP2 is available for download for multiple-computer installation at Microsoft's Web site; individual users can upgrade to SP2 via Automatic Updates.


Microsoft has produced excellent SP2 documentation, and an in-depth overview of what has changed in SP2 is available at

Users won't notice many changes in XP once SP2 is installed, so the update shouldn't require retraining beyond a brief period of familiarization.

Internet Explorer

As the world's most widely used window to the Web—and the primary platform for many enterprise applications—Microsoft's Internet Explorer browser is a vital application for most companies. But it's also an all-too-common point of vulnerability.

SP2 brings a set of changes to the Windows browser (available only through Windows XP) that should help make IE safer by granting users more control over and information about its operation.

For instance, in SP2, IE includes an add-on manager that lists all ActiveX controls loaded in IE, alongside information about the digital signatures of these controls and buttons that enable, disable or update the controls. Along similar lines, Windows will provide information about which add-ons were loaded during an IE crash to help administrators determine the cause.

The updated IE also does a better job of alerting users when pages attempt to download and install these controls. Using a new information bar at the top of the Web page, IE provides notification of attempted ActiveX installs, downloads and blocked pop-up windows.

Microsoft's decision to build pop-up blocking into IE moves the browser toward feature parity with alternatives such as Mozilla and Opera, and, we hope, will reduce the use of this annoying Web feature on most sites.

We did encounter a problem with IE's new notification bar and pop-up blocking while browsing at a computer game demo download site. The site appeared to launch a pop-up window that tried to install an ActiveX control before closing immediately and opening another pop-up.

In earlier versions of Windows, this wouldn't have been a problem because the IE dialog asking for permission to install the control would have remained open, pending user approval. With SP2, however, the approval prompt closed too quickly for us to approve the control's installation. We had to add the game site temporarily to our Trusted Sites list to use the application.

IE now blocks the privilege elevation that occurs when a page loaded in a particular IE Security Zone, such as the Internet Zone, links to a page in a less restrictive zone, and IE also now enables users to opt never to install code from particular publishers. This prevents users from having to deal with recurring prompts to install controls they've already rejected.

Windows Firewall

One of the Windows features that has been most heavily overhauled in SP2 is Windows Firewall, a facility previously known as Internet Connection Firewall, or ICF.

Managed systems running Windows XP within a company are likely to sit behind a corporate firewall already, but now that the threat of worms has increased, it's become important for individual systems to have firewall protection. In addition, the presence of a built-in firewall is important for mobile enterprise users connecting to the Internet from outside the corporate network, and Windows Firewall is considerably improved over ICF.

To begin with, Windows Firewall is active by default on systems running SP2; ICF, by contrast, was shut off by default. All new network connections created on SP2 machines also have firewalls by default, and Windows Firewall plugs the gap ICF left open when network connections on a machine were unprotected for a short period during startup.

During tests, we could use Windows Firewall to open ports statically, to allow application-specific exceptions and to adjust the scope of our exceptions based on a subnet.

There's an "on with no exceptions" check box in the firewall configuration dialog, which is a good setting to have while using a machine in a potentially insecure environment, such as a hotel room or public hot spot.

We could configure these settings through Group Policy or with a command-line tool called Netsh.
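As an added example (not from the original review), the batch file below scripts the settings just described with SP2's netsh firewall context from an administrator command prompt; the port, program path and subnet are assumed sample values, and the same settings can also be delivered through Group Policy.

```batch
@echo off
rem Added example: configure Windows Firewall on an XP SP2 machine with the
rem "netsh firewall" context. Run from an administrator command prompt.
rem Ports, paths and addresses below are assumed sample values.

rem 1. Turn the firewall on for every profile (domain and standard) and
rem    honour the configured exceptions.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Static port opening scoped to the local subnet only, so the service
rem    is reachable from the LAN but not from the Internet.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (LAN only)" mode=ENABLE scope=SUBNET

rem 3. Application-specific exception restricted to one management subnet;
rem    CUSTOM scope takes a comma-separated list of addresses or ranges.
netsh firewall add allowedprogram program="C:\Program Files\Acme\agent.exe" name="Acme agent (assumed)" mode=ENABLE scope=CUSTOM addresses=192.168.10.0/255.255.255.0

rem 4. Log dropped packets so the help desk can see which port a blocked
rem    application needed, since the pop-up shown to regular users does not.
netsh firewall set logging filelocation="%windir%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE

rem 5. Review the resulting configuration.
netsh firewall show config

rem Travel mode, equivalent to the "on with no exceptions" check box, for a
rem hotel room or public hot spot; rerun step 1 when back on the corporate LAN.
rem netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=CURRENT
```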

It's not possible to use Windows Firewall interactively, where the firewall requests user approval to allow an application access to a blocked port, unless logged in with administrator privileges. Regular users will see a pop-up directing them to ask their administrator to open the port. However, this message does not include the port number, so it will be of limited aid in filling out a help desk request.

Also, Windows Firewall does not block outbound traffic, which may leave companies looking elsewhere for a more capable alternative.

Network protection

Microsoft has made numerous improvements under the covers in Windows XP, including default disabling of nonvital, often-abused services such as Windows Alerter and Messenger. The Windows Messenger service, in particular (which is different from the MSN Messenger IM client), has been a prime target of spammer abuse.

SP2 features tighter rules governing Windows DCOM (Distributed Component Object Model), in which new access controls ensure that COM applications abide by a minimum security level and do not pose a threat to the system.

SP2 also includes new restrictions on the Windows RPC (Remote Procedure Call) service, such as eliminating remote anonymous access to RPC interfaces. Applications that depend on this anonymous access will have to be modified to use RPC security, or administrators must modify the Windows registry to revert to SP1's settings.

In addition, SP2 includes a change to the WebDAV (Web-based Distributed Authoring and Versioning) redirector—the facility that manages access to shares using the WebDAV protocol—that will disallow access if a WebDAV server is not configured to authenticate securely.

Memory protection

SP2 provides for DEP (data execution prevention), where areas of system memory, such as those in which data is meant to reside, are marked as nonexecutable. This should help prevent buffer overrun attacks.

DEP in SP2 is enforced by hardware, requiring an Advanced Micro Devices Inc. processor with no-execute page protection or an Intel Corp. chip with the Execute Disable bit feature. SP2 also provides for software enforcement of DEP in core Windows XP code. Administrators can shut off DEP in Windows on a systemwide or per-application basis.

Wi-Fi and Bluetooth

In SP2, Microsoft has reworked the Wireless Network Connection dialogs to provide more information about available access points. There's also a new Wireless Setup Wizard that lets administrators configure security settings for multiple machines for use with a wireless network.


SP2 includes native support for Bluetooth, using drivers and configuration tools that are now part of Windows. After installing SP2 on a test notebook, we uninstalled our vendor-supported Bluetooth drivers and switched over to Microsofts Bluetooth software without incident.

Windows Security Center

Windows XP with SP2 includes a Security Center that lets users check the status of automatic updates, their firewall and their anti-virus application. We tested this feature with a handful of anti-virus applications, and the Security Center did a good job of detecting the presence, virus definition file freshness and on/off state of our anti-virus applications.

In some cases, however, we did have to download patches for use with SP2. For example, after installing SP2 on a system running Symantec Corp.'s AntiVirus Corporate Edition 9.0, the Security Center could tell we had anti-virus software installed, but it couldn't determine the software's state. After installing an update from Symantec's Web site, the feature worked properly.

Senior Analyst Jason Brooks is at