Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity

    Windows XP SP2: Trouble Ahead for Developers, Users

    Written by

    Larry Seltzer
    Published June 15, 2004
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      The major security changes in Windows XP Service Pack 2 mean big trouble for developers and users, a fact highlighted by Microsofts introduction this week of the packs second release candidate—the last major test before it hits the streets.

      Microsoft has a history of major releases with understated names, and Windows XP Service Pack 2 (SP2) is no exception. Windows for Workgroups 3.11 was a major technical upgrade over Windows for Workgroups 3.10 or Windows 3.11. Windows NT 3.51 had huge changes compared with Windows NT 3.50—a version you didnt want to run.

      So it is with Windows XP SP2 and the parallel Service Pack 1 to Windows Server 2003. Like those earlier .01 Windows updates, it implements large changes in the internals of Windows.

      But SP2 also adds major new user features. SP2 changes are largely but not exclusively related to security enhancements, with a few nonsecurity touches thrown in, such as a new Bluetooth stack (golly gee, just what I was waiting for).

      Release Candidate 2 (RC2) of SP2, released this week, should be the last extensive trial run before SP2 hits the streets in late July, or so the plans go now.

      Will XP SP2 cause problems for users and developers? You can bet your last dollar it will. If the security changes in Service Pack 2 were not going to cause problems, they would have been done long ago. Most of them, anyway.

      Applications will break. Network connections will fail, or appear to fail. Users will be forced to upgrade programs and devices that may not be under active support. This is something Microsoft tries not to do.

      But even in forums reflexively hostile to Microsoft, there is a general recognition that SP2 will make Windows XP a more secure product. Microsoft has done some things that are basically invisible but will make a difference, such as recompiling large amounts of the operating system with compiler options that prevent most buffer overflows.

      (Actually, the options the company uses should prevent most stack overflows. Heap overflows are generally more difficult to exploit but wouldnt generally be fixed by this option.)

      Next Page: A security wizard will greet users with a freshly installed SP2.

      Security Wizard

      But the big thing most people will notice is that part of the OOBE (out-of-the-box experience) when you turn on a new PC or an old one with SP2 freshly installed is that you have to go through a security wizard.

      The first thing it does is to recommend that you turn on Automatic Updates. You can still leave it off, just as you can walk through a bad part of town flashing a roll of bills, but its on you if you do.

      There was speculation at one point that Microsoft would default Windows XP in SP2 to have Automatic Updates on, but choosing instead to force the user to make a decision is the right way to go. Lets just hope that the only people who say no are the ones who know enough to apply the updates themselves.

      The user is then sent to the new Security Center, a central place for managing security settings in Windows and some third-party security software. From here, you can manage the Windows Firewall (formerly known as the Internet Connection Firewall or ICF) as well as third-party firewalls and anti-virus products.

      /zimages/2/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      In many ways, the most important security change in SP2 is on the Security tab of Internet Properties, or rather what is not on it: There is no longer a My Computer zone to edit; it has been locked down. Many security experts have complained about the My Computer zone for some time, as it has been used as a conduit for a large number of attacks through Internet Explorer.

      Its always been possible to lock down the My Computer zone—see this article from Microsoft and Qwik-Fix from Pivx—but with SP2, by default, attackers will no longer be able to use “cross-zone” scripting bugs to trick IE into executing code.

      The big deal is the firewall: If you had been running ICF version 1, you would be immune to Blaster and lots of other attacks, but you probably turned it off because it interfered with applications and local networking and was almost completely unconfigurable.

      /zimages/2/28571.gifClick here to read about Microsofts efforts to get IT departments testing Windows XP SP2 right now.

      Windows Firewall is much better and more like third-party firewalls—and its on by default. Is it as good as prominent third-party firewalls from companies such as Zone Labs and Sygate? No, and I dont think Microsoft would claim it.

      Next Page: Providing a secure firewall versus foreclosing a third-party market.

      Third Parties

      This is a good example of how Microsoft has been forced into the security business. Its in a classic damned-if-you-do, damned-if-you-dont position. If it provides a good firewall as part of Windows, then its using its “monopoly power” to foreclose a third-party market.

      If it doesnt, then its providing an insecure operating system. The trick is to make Windows Firewall good enough that users can run it without problems, while still leaving a clear competitive advantage for third parties.

      I asked Zone Labs about the gaps between Windows Firewall, and it has plenty of arguments to make. The biggest one is that Microsoft claims its firewall is much more sophisticated about outbound protection, which means protection against outbound communication by potentially unauthorized software on your system.

      Windows Firewall does have some protection against this, but it also comes configured with exceptions for some prominent applications, such as Internet Explorer. Doubtless there will be many testing stories soon looking at the practical differences in real-world use.

      Manageability can be another big difference. Windows Firewall will be manageable through group policies in Active Directories, but other firewalls, such as the Sygate Secure Enterprise personal firewall, have much more powerful management features and are not tied into Active Directory—although AD integration is good for a lot of people.

      Too bad that just by providing an adequate firewall, Microsoft is foreclosing third-party markets to some degree. People are cheap, and some number of users wont buy a third-party firewall because the Windows one is good enough.

      This is bad for everyone in a way, but in the big picture its just necessary that a good firewall—but not too good—come with Windows.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

      Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page

      More from Larry Seltzer

      Larry Seltzer
      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement— He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.