CERT Recommends SP2 But Urges Caution

While the U.S. Computer Emergency Readiness Team cites "significant changes to improve the security of Windows XP," it also advises users to back up data and consult with manufacturers on compatibility issues.

The U.S. Computer Emergency Readiness Team, known as CERT, this week recommended that Windows XP users install Service Pack 2 (SP2) using Windows Update or Automatic Updates from Microsoft Corp. CERT cited "significant changes to improve the security of Windows XP" in making its recommendation.

But with computer manufacturers issuing hardware and driver update advisories, and Microsoft itself noting the negative impact SP2 has on various programs and Windows functionality, CERT also suggested backing up important data and consulting manufacturers for compatibility notices and software patches prior to installing SP2.

In its recommendation, CERT cited noteworthy improvements in Outlook Express, Internet Explorer security and the Windows firewall. CERT also "highly recommends" that users enable Automatic Updates.

/zimages/5/28571.gifThe new firewall is "in your face," Security Center Editor Larry Seltzer writes. Click here to read more.

"Its an interesting recommendation because CERT didnt make direct reference to previous notes on Internet Explorer vulnerabilities," said Michael Lipham, a research analyst at Robert Francis Group Inc. in Westport, Conn. "Its kind of contradictory."

Lipham said it was a positive step for Microsoft but that he didnt think it would have a significant effect in encouraging average users to upgrade to SP2. And like most analyst firms, Lipham said Robert Francis Group is recommending that enterprise clients wait for more feedback and testing before they upgrade.

Michael Cherry, lead analyst at Directions on Microsoft, an independent firm in Kirkland, Wash., said he is recommending the upgrade. "Security is always about making trade-offs," he said. "Because of the security value these new features add, it outweighs the smaller issues youll have."

On the hardware side, Dell Inc., Hewlett-Packard Co. and Sony Corp. all now outline a series of updates users should make prior to installing SP2. Though both Microsoft and CERT suggest using Automatic Updates to install the operating system, the computer makers said that without their own updates, "unexpected results" and compatibility issues could arise.

Besides reiterating known software issues, HP found that SP2 causes problems with its Media Center and Image Zone software, and it has made updates available.

Meanwhile, Dell issued driver updates for its TrueMobile 300 Bluetooth internal cards and ATI Technology Inc.s Mobility Radeon 9800 video card.

IBM has not issued an advisory regarding SP2 to customers, but the company reportedly sent a memo to employees asking them not to install the update. Also, a brief search of IBMs support site revealed readily available documentation outlining procedures to ensure that various applications, servers and databases function appropriately in the SP2 environment.

Numerous other software compatibility issues remain with SP2, which was made available Aug. 6. Microsoft Knowledge Base originally listed about 200 programs that "lose functionality" when running on an SP2-based computer. That number now stands at about 40 programs, but its not clear whether Microsoft is making those improvements.

Lipham said most of those fixes have come from the third-party software vendors and likely not from Microsoft. Microsoft was unavailable for comment.

Meanwhile, Cherry at Directions on Microsoft said its a combined effort and that, after shipping, Microsoft has worked closely with ISVs to resolve any issues theyve found.

Microsoft also posted roughly 50 programs and games that "seem to stop working" and require manual adjustments to run properly. As of its latest Knowledge Base update Aug. 25, that number remained the same.

Most notable are remote control or printer sharing problems with Symantec Corp.s AntiVirus Corporate Edition 8 and 9; versions of Computer Associates International Inc.s eTrust; McAfee Inc.s NetShield 4.5; and popular video games "Unreal Tournament" and "Need for Speed."

/zimages/5/28571.gifCheck out eWEEK.coms Windows Center at http://windows.eweek.com for Microsoft and Windows news, views and analysis.


Be sure to add our eWEEK.com Windows news feed to your RSS newsreader or My Yahoo page