Microsoft began to talk about the upcoming Service Pack 2 for Windows XP at its recent There was a time when service packs were mostly just bunches of individual patches consolidated into a single program. Sure, there were new features in them but they were subtle features, like a new tab on a dialog box.
Windows XP has had an odd history with service packs. SP1, in addition to the usual consolidation of patches, added the court-ordered Set Program Access And Defaults applet, which allowed anyone to switch their Web browser, instant messaging and media player defaults. Of course, this gave competitors an even playing field and now Internet Explorer has vibrant competition (ha-ha!).
On the other hand, Service Pack 2 will make significant and noticeable differences in the behavior of the operating system in the interest of locking it down for security purposes. The changes—as they stand now many months before the release of SP2— are detailed in a paper on Microsofts developer site, MSDN. As we reported a few months ago, SP2 is scheduled to release in the 3rd quarter of 2004. Some of the significant changes include:
Network Lockdown: Several changes will restrict access to and from the network.
- The Internet Connection Firewall will be enhanced and turned on by default. ICF will be more configurable through a user interface and through group policies.
- Currently, a small gap is present during boot time between the loading of the network stack and when ICF is functional. This gap creates the possibility of an attack slipping through. SP2 will add an extra driver to protect against this.
- Similar to many fuller-featured personal firewalls, ICF in SP2 will include an application white list. Users will be able to decide that applications on the list should have network access, and the necessary ports will be open to those applications while they are running.
- The RPC and DCOM interfaces, both the targets of many recent and serious attacks, will be limited and run with lesser privileges.
- Remote systems making calls on the RPC interface will have to be authenticated, which doesnt eliminate the possibility of attack, but makes it much harder.
- DCOM changes will also add more permission checking and allow administrators to control access more precisely to COM servers.
- "Shielded Mode" allows users to block all inbound access to the computer temporarily. Its meant for situations where the user believes he has been compromised and is awaiting a patch, or perhaps just if a vulnerability has been announced and a patch not yet applied. Users have been able to block access before, but Shielded Mode relieves then from having to reconfigure the firewall and change settings to do so.
Buffer Overflow Protection—Stack-Checking Code:By now even your Aunt Minnie must heard of buffer overflows. Even though they have been a high-profile general problem in Windows for years, Microsoft hasnt been able to stamp them out.
SP2 will attempt to remove as many as possible through automated techniques built into the newest compilers, meaning that large parts of Windows will be recompiled. Im sure there is still some assembly code in Windows and other areas not amenable to automated stack protection, and perhaps they are scrutinizing these further.
Buffer Overflow Protection—NX Pages For The Stack:Some of the very latest processors have the ability to mark areas of memory, called pages, as not executable (NX). The general theory of a buffer overflow is to fill a variable on the stack beyond its boundaries with executable exploit code. To address this issue, Microsoft will attempt to mark the stack as non-executable. If done right, this should eliminate a very large percentage of buffer overflows.
The Microsoft paper gives the impression that this protection will extend to other data areas, such as the heap. The only processors capable of this now are Advanced Micro Devices K8 and Intels Itanium Processor families. Microsoft expects that newer versions of older processors will include this feature, no doubt at Microsofts behest.
You might ask why its going to take so long to bring something so important to users, but these changes will be considerable. In addition, expect them to break a lot of third-party software, especially device drivers. So, Im hoping that part of the very long test period for SP2 will include a widespread beta test. Im also assuming that these changes will be made available for Windows Server 2003.
It would be great if these changes were also be made available for Windows 2000, but Im not holding my breath. This is a major core reworking of Windows XP, and I doubt Microsoft will be all that keen on undertaking a major redevelopment effort on a last-generation product.
Once again, users and developers shouldnt underestimate the scope of this project. Windows XP with SP2 may as well be a new product. Consider the level of testing that will be necessary after the entire core of the OS is recompiled after making subtle changes throughout. These changes will be mostly the type that shouldnt make a difference for programs. But some differences will always crop up.
Of course, some of the changes, such as the use of NX pages, will cause problems with some programs, resulting in necessary redevelopment for a number them.
For example, consider that a Java Virtual Machine with a Just In Time (JIT) compiler builds native code on the fly based on the Java code it interprets. The JIT compiler will have to use new facilities provided by Microsoft to mark pages in the native code correctly or they will not execute.
Im personally expecting quite a few problems will have to be addressed by ISVs.
Given all of these issues, Im not surprised that Microsoft envisions a long lead time for Service Pack 2, although I wish it were otherwise. Perhaps if we just agree to call it Windows 2004, the wait wont seem quite as long.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer