XP Service Pack 2 Awarded High Marks

Microsoft Corp. is betting heavily that changes it has made to Windows XP in Service Pack 2 will prove the company is sincere in its security efforts.

Microsoft Corp. is betting heavily that changes it has made to Windows XP in Service Pack 2 will prove the company is sincere in its security efforts.

The improvements, which include an upgraded Windows firewall, more memory protection and changes to the way Outlook treats attachments, are getting high marks from security experts, who have often criticized Microsoft for making superficial changes at the expense of deeper, more meaningful improvements to Windows.

Officials at the Redmond, Wash., company said some changes in the service pack will negate backward compatibility with some applications but said security must now take precedence over functionality.

"Im a big fan of what theyve done. The great thing is, theyre actually causing developers to think about security," said Gary McGraw, chief technology officer of Cigital Inc., in Dulles, Va., an expert on software security and frequent critic of Microsofts efforts. "Developers wont like the fact that their old designs dont work, but they should be looking at those designs [for security problems] anyway."

By Microsofts estimate, SP2, which is in beta now and is due by the end of next quarter, is among the companys most important updates ever. Company Chairman and Chief Software Architect Bill Gates devoted much of his keynote speech at the recent RSA Conference in San Francisco to SP2. Still, some customers remain unmoved.

"As far as Outlook attachments [are concerned], even here in a corporate environment, we use registry entries to allow all files," said one SP2 beta tester, who requested anonymity. "We are tight here on firewall and virus scanning and have never been hit in the last four years. But having attachments blocked is a giant pain, and we bypass that feature. Same with the firewall features. We have our own and will never trust anything [from] Microsoft."

McGraw and other experts credited Microsoft for a new execution protection feature that helps prevent attackers from using certain portions of memory to execute code. Known as NX (no execute), the feature designates all memory locations in a given process as nonexecutable, unless a location specifically contains executable code. The addition of NX is aimed at the problem of buffer overruns, a technique through which attackers can insert their own code into a block of memory by overflowing a buffer.

Among the other major modifications coming in SP2 is a change in the way Outlook Express handles attachments in e-mail. The client will have a set of APIs, known as the Attachment Execution Service, that can prevent users from opening dangerous attachments.

"Im surprised that the compatibility issues werent as big as we thought," said Neil Charney, Microsofts director of product management for the Windows Client Group. "We wanted a long beta program to make sure all of the changes are working."

—Dennis Fisher and Mary Jo Foley, Microsoft Watch