
    Boo Hoo Hoo for Victims of XP SP2

    Written by

    Larry Seltzer
    Published July 19, 2004

      If you've ever wondered why major software releases such as new operating systems take so long, one of the biggest contributing factors is backward compatibility. Microsoft is especially sensitive to this, particularly with its largest customers. It works very hard not to break old applications.

      But with Windows XP Service Pack 2 (SP2), expected to be finalized in the next month, the standard has changed somewhat. The big point about XP SP2 is security, and toward that end, application compatibility must suffer. Some ISVs and other developers are mad. Others not only aren't mad, they see it as a good sign.

      Russ Cooper, senior scientist at TruSecure and moderator of the respected NTBugTraq Security mailing list, goes so far as to say, “I hope it breaks more things than it's already broken.”


      If you look carefully at Microsoft's guide to Windows XP SP2 for developers, you can see that the things it bans are generally things developers shouldn't be doing anyway, such as automated download prompts and files with extensions that don't match their content-type value. This is the point that Cooper is making.

      Many vendors have already slipstreamed in upgrades to applications to comply with SP2. According to testers in Microsoft's Application Compatibility Support newsgroup, for example, Symantec PCAnywhere works from version 10.5.1 up, including the 11.x versions.

      Problems in the debugger in Borland's Delphi in Release Candidate 1 were fixed quickly, although another tester reports that multiple applications under SP2 cannot access the Borland Database Engine.

      And like all bug databases, problem reports on XP SP2 have a large share of inaccuracy and overstatement. There were, for example, reports that Apple's iTunes for Windows 4.6 worked if present on a system onto which SP2 was installed, but would not install afresh on an SP2 system.

      I tested this myself and had no trouble installing it on an SP2 system. It's entirely possible that iTunes does fail on some SP2 systems, or perhaps the problems observed had nothing to do with SP2. We'll know a lot more after the service pack goes final.

      And some ISVs are publicly complaining about the problems. RealNetworks, for example, says, “The changes Microsoft is proposing for SP2 will have serious negative consequences on the consumer experience of many applications and Web sites.” Of course, it's not surprising to hear Real complain about Microsoft, nor is it always a meaningful or accurate complaint.


      Real Problems


      Of course, there are real problems, and I've been a victim of one of them myself. A Web-based application I use regularly breaks under Windows XP SP2. The developers haven't figured out the exact problem yet—I don't have the source, so it would be difficult for me to figure out the problem—but I wouldn't be at all surprised to find out that what it was choking on was something the developer really didn't want to do, like overflowing a buffer.

      Users of SP2 get a lot of warnings, especially early on in using it, when they try to run programs that break policy. Rarely are you actually prevented from doing anything, just warned and asked to make a conscious decision to engage in activity that could be insecure.

      Microsoft has developed extensive tools for deploying and managing SP2 on a managed network, and I agree with TruSecure's Cooper that enterprises will likely use these tools to roll SP2 out in a relatively crippled state.

      Consider this paper on managing the Windows firewall on a network. They can then turn on features as they are more thoroughly tested, or turn them off if they cause problems in the real-world deployment.

      For all the whining Microsoft is getting now, there's no serious argument to make that these changes aren't necessary. The next year or so will be a busy one for Microsoft support, but things will get better thereafter.

      And a willingness on Microsoft's part to break these old, dangerous applications is more important than just cleaning up an existing mess. It's also a break with the past and with Microsoft's enthusiasm for letting developers make programs that do whatever they want. Security means that programs need to have bounds, and those bounds need to be enforced. It must be a scary thing for Microsoft, but it's an important moment, and they need to move on with it.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
