Ive seen reports of people who are shocked! Shocked to hear that there are applications and network configurations that fail to function under Windows XP Service Pack 2.
After years of complaining about security problems in Windows, Microsoft finally does the right thing and plugs many of the holes even at the cost of breaking functionality of software.
I, for one, am not shocked to see them criticized for doing just that. Of course, its almost the point of XP SP2 that it breaks these configurations. We shouldnt be surprised to find issues with Service Pack 2. We shouldnt take too much time in adopting SP2. But we should test it.
If youre responsible for a large number of Windows XP systems and you dont have an explicit test network, you should already have designated a small sample of typical systems as guinea pigs for the release candidates, and therefore the changes in the program should be no surprise to you. Move on to the release code on these systems for final testing and then to a staged deployment.
Its entirely possible that youll find issues in testing. They may not be big problems; the firewall may be blocking a port you use and you might just open it. In other cases you might take the opportunity to rethink an application. Ive seen one program (DivX video) that breaks on SP2 on systems with support for SP2s Data Execution Protection, the ability to detect buffer overflows. Their solution? Turn off the protection, at least for their programs. Does this seem worth it to you? In fact, this is the perfect example of the kind of program that will have to change.
How should you deploy SP2? Microsoft has been recommending to consumers to turn on Automatic Updates and let SP2 install on its own. This may be the best way for business networks too. Set up a Windows SUS (Software Update Services) Server, free for those with a license to the Windows 2000 and Windows 2003 Servers on which they run, and use group policies to point the Windows XP clients to it for their updates.
Some have suggested on security mailing lists that this is irresponsible, I guess because Microsoft has typically not allowed service packs to be installed through automatic updates. I have to wonder why not. Automatic Updates is a statement that you are trusting Microsoft to install software on your system to make it safer, and thats what SP2 is all about. Is a service pack, especially one that has been so thoroughly tested, really that much more dangerous to install this way than any of the smaller fixes that normally go through Automatic Updates?
If youre a single user and you dont like what SP2 has done to your system, you can get rid of it. There is an explicit uninstall option in Add/Remove programs. You can also use System Restore to put the system state to where it was before SP2.
I just tested this and its slow, but works. You dont even need to be able to boot. I booted into Safe Mode With Command Prompt (after pressing F8 during Windows boot) and ran system restore by typing %systemroot%system32restorerstrui.exe (where %systemroot% is probably c:windows). Follow the program and youll find a restore point named “Installed Windows XP Service Pack 2”.
Some smaller business networks run Automatic Updates in client PCs for the smaller Windows security updates it provides, but dont want to pull in the massive SP2 without further testing. But Microsoft has promised to deliver tools to let you temporarily disable and then re-enable delivery of Windows XP SP2 via Automatic Updates and Windows Update. This will give you a chance to do your testing first. The tools, along with a ton and a half of information on deploying SP2, will be found on Microsofts SP2 TechNet page. (Theyre not there yet.)
If youre a network administrator, you should already be testing SP2 deployment. Youve had lots of time to investigate on the release candidates. The longer you wait, the longer you leave your users in a more vulnerable state than they need to be.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer