Slashdot Mirror
Microsoft Releases Changelist for Upcoming XP SP2
kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
Looks like MS is finally doing somethin intelligent for once. We'll have to wait to see how intelligent though.
We tend to become like the worst in those we oppose. --Bene Gesserit Coda--
I tried to open the .doc in Wordpad, with the result that Wordpad crashed. Does this happen to anyone else? (I'm on Windows 2000).
this Service Pack doesn't break anything 'useful'... *sigh*
With WinXP I got into some serious trouble with my computer and trying to play games. At first everything worked as it should then after a weekend not a single game would play, black screen on launching a game.
After A LOT of work the conclusion was that quickfix 'SP2 Q328310', which had been auto download from MS, did something which stopped a lot of games which need 3D support from working.
Now I always gets a message when I start windows, about 'new updates available': -Yeah sure! It's still buggering me to download the patch.
This really helps MS too, I'm so much more willing to download updates/patches when I know that a quickfix to lets say notepad, might break something totally unrelated; like the ability to shut down WinXP >:(
BTW, I didn*t find anything in this changelog like the "fixes to known pirate cracks and serial numbers" from SP1. Is it possible that MS gave up ?
Nope. Like most things from MS, the power users and admins will realize that they need more protectin then what is standard. They will then tell their family/friends, and the market will continue like it was.
Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
I really wonder if there will be undocumented securityfixes included in this Service Pack. I recently heard a director of Microsoft say that when Microsoft finds a security vulnerability, they don't disclose it, but just fixed it in a service pack. I hope I misinterpreted him, but it makes me wonder if a pre SP build of some Microsoft products might have something under the hood for bad guys to use.
Use Adsense for Charity
It is kind of strange that they would make it hard for non-Windows admins to read this. You would think they would want non-customers to read this, even if for the market exposure.... hmmmmm. I guess they *can* release something w/o their marketing dept. rewriting it.
Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
The 32-bit version of Windows currently leverages the "no-execute page protections" processor feature as defined by Advanced Micro Devices (AMD). This processor feature requires that the processor run in Physical Address Extension (PAE) mode.
Although the only processor families with Windows-compatible hardware support for execution protection that are currently shipping are the AMD K8 and the Intel Itanium processor families, it is expected that future 32-bit and 64-bit processors will provide execution protection.
This sounds nifty, too bad x86 CPUs don't support it (barring AMD's x86-64 offerings). However, doesn't PAE mode result in significant I/O performance degradation?
Unfortunately, Microsoft hasn't designed a presentational format for documents (not counting PowerPoint as it's more for slideshows).
Until they design their own proprietary closed-source format I think we'll have to live with DOC.
Beware: In C++, your friends can see your privates!
Whenever Internet Explorer crashes, the Add-on Crash Detection program is launched. Add-on Crash Detection is an error analysis program that examines the state of the Iexplore.exe (Internet Explorer) process. It collects the list of dynamic link libraries (DLLs) that are loaded, and the value of the instruction pointer register (EIP) at the time of the crash. Add-on Crash Detection then attempts to find the DLL whose memory range the EIP lies within. This DLL is often the cause of the crash.
So instead of finding the source(s) of the crashes and fixing it, they have apparently given up on that, but now run an add-on to detect the crash and attempt to clean up after that. Way to go, M$!!
Doesn't the blocking of ads violate the terms of use of some sites? MS is very pedantic abut people obeying their own EULA, yet they create a software feature to violate someone elses. Hypocrits.
What I'm hoping is that this will improve ICS DHCP, which is very primitive at present (it absolutely has to be at IP 192.168.0.1, and you can't hardly set any of the info passed out by it).
I saw the XPSP2 document handed out at the LA PDC, and it said there would be unspecified improvements in ICS, as I recall, but I don't recall exactly.
Anyone know a better solution than ICS to do NAT in XP ? (Eg, ipchains -- haha.)
Hopefully this will create some political impetus for Linux to support this too... and hopefully not only on ia-64 and xp-64, but also on x86 and ppc, by adopting and perfecting one or more of various patches that accomplish this (to various extents) and have been around for a while.
Way back in my Comp Sci days, I could have sworn that when a 386 (and to some extent a 286) was running in protected mode, different areas of memory could be marked as 'code' for execution and for 'data' that could not be executed. Trying to read or write to the code area, or execute a data area would result in exceptions. It was many years ago though ...
- Outgoing connection filtering
- Application checksumming (with MD5)
- Protocol level mail attachment scanning
- *Really* detailed logging
- Pop-up ad blocking (OK, this is going to be in IE but is off by default)
- Banner ad blocking (not in SP2 IE at all as far as I can see)
- Cookie control
- Policies for pop-ups, scripting, ActiveX and so on handled on a per-site basis
And the list goes on... This is not the first time this kind of thing has happened; Microsoft used to bundle an Anti-virus product with DOS and Windows, and that didn't kill the market. It still does bundle a disk defragmenter, yet Diskeeper seems to be be doing just fine.UNIX? They're not even circumcised! Savages!
I have "Norton Internet Security" installed on this machine. It is impossible to unintstall. If you unintstall it, your internet connection will be irrepairably harmed, especially when it comes to secure pages. However, with Internet Security enabled, the internet is freeking useless.
The only solution is to load internet security and then disable it after it's running. That, or clean install the operating system.
You might think that this is an isolated problem. It's not. We routinely get support requests on our secure ecommerce sites saying "when I click on (secure link), i get a page error". Our #1 response to this is "have you recently unintstalled norton internet security?" Answer: "yes, by coiincidence i just did that this morning!"
This '12 year technology strategy consultant' wants to know what you think of her view of e-mail list buying. why don't you tell her what you think?
Don't be such a troll. I've written thousands of pages of documentation in Word for my job and I honestly haven't seen corruption problems since Word 97. These days, 99% of people dumping Word for Latex are either doing it for political reasons or because they've lead a sheltered life and don't want to learn the Microsoft way. And no, I don't have to write mathematical formuals very often, so Word suffices. Then again, most of other people don't either.
the funny part is everyone who doesnt use outlook as a mail client has had safer email for years.
I wish they would fess up and tell the truth... they are making outlook safer to use.
My unix email clients never have opened and executed a virus, as it is still stupid to allow someone to execute an attachment without forcing them to save it ti a location first.
also, have they disabled the stupid "feature" to hide file extensions? this one thing is one of the worst securtiy holes in existance.
Do not look at laser with remaining good eye.
AMD grabs key security advantage. The article says it all.
So the implication is that Intel is only supporting this security feature on enterprise servers (Itanium), while AMD is supporting security on desktops and servers. Combine this with "cool and quiet" in desktop chips, like the mobile chip power saving technology, and 64 bit processing and AMD has quite a value proposition.
I've switched to Firebird, finally. I got sick of finding that my HOSTS file, favourites, and start page were being rewritten by malicious web pages.
On the other hand, Firebird doesn't use the MS JVM, it uses the Sun JVM, which occasionally decideds to use 99% of my system resources. It behaved the same way when I tried to use it for IE as well.
On the other, other hand (what, three hands???) I love tabbed browsing, though I haven't yet adjusted - I keep dragging the cursor towards the taskbar looking to switch processes before redirecting to the tabs.
On the fourth hand (this is getting weird) I now see the effects of all the tiny errors in my hand-coded HTML that IE was running - and a proper browser is refusing to display. I actually like that, since forcing compliant coding on me makes my work accessible to more browsers than just IE... of course since they're just vanity pages for me and the wife, it was never critical which is why the errors were never checked for before.
I'm out of hands, now.
http://news.google.com/news?hl=en&ie=ISO-8859-1&sc oring=d&edition=us&q=amd+overflow&btnG=Search+News
This google search turns up a link "Commentary: Working with Microsoft to plug a big hole"
now the funny thing is that this morning the link was called "AMD grabs key security advantage" and that's also in the title bar of the page and in big caption. Interesting how that was replaced with the subtitle that downplays a big win for AMD. I had trouble even finding the link which was obvious this morning. Things that make you go 'hmm.
Why do I have the feeling that Pop-up Manager doesn't sound like Pop-up Killer?
doesn't PAE mode result in significant I/O performance degradation?
No, or at least on older processors it wouldn't, I don't know much about newer processor design. This is done in hardware, and it can be done in parallel with the usual work of the processor. That means it will make the processor an insignificant bit larger, but not slower.
Since it's in MS Office format, has anyone found any intering meta info in it yet? :-)
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
Who cares about pop-up blocking in IE? How about: _you_ will care, when you start seeing pop-ups in Mozilla or Opera.
The whole "IE is inferior because it can't block popups" charade existed only _because_ the dominant browser didn't block those. Most people were content to make their pop-ups IE only.
Now that IE has changed, let's think like one of those dishonest marketers. So you were making money serving on-load pop-ups. They no longer work. What next?
How about looking at a little detail: IE, just like Mozilla and Opera, will not block stuff resulting from a user click.
Does it give you ideas yet?
If still not: Want to bet how long until you'll see sites where all links are done with JavaScript that also opens a pop-up window? Where every single drop-down and button and link is accessible only through JavaScript, which incidentally also opens a pop-up or three?
But wait, surely people will start blocking pop-ups completely, right?
Again, let's think like a slimeball some more. Remember, the goal of this exercise is to think not like the user annoyed by those pop-ups, but like the slimeball who pushes them onto you.
He doesn't care if you're annoyed, nor how annoyed. He just wants to make a buck. That's all that matters. He's really got the same moral standards as the spammer filling your inbox with V14GR4 ads.
So in that state of mind: Hmm... what to do against those users still blocking your valuable pop-ups, even when they're triggered by a click?
Well, blimey, make the whole site unusable or crippled without pop-ups. E.g., if you have to log in or fill a form, stuff it in a pop-up window. E.g., all the links to other sites are surely best opened in a separate window, via JavaScript. (All in the name of convenience for the user, of course;) E.g., the site-map, search, articles, etc, surely are best viewed in a separate window opened through JavaScript.
So there you go. Now the whole site is unusable unless the user disables pop-up protection.
Fat lot of good did that pop-up blocking do, eh?
A polar bear is a cartesian bear after a coordinate transform.
>> detailing the nature of the security-related fixes
>DMCA violation.
I know the comment was made in jest, but you actually raised an actual technical issue. If you were to write a program that relies on some MS dll for a copyright protection scheme and the dll ends up having a serious security flaw, could you sue MS for producing software the circumvents a copyright protection scheme? Afterall, fundamentally it's the dll that's making the copyright protection scheme insecure, providing for the circumvention. An analogy might be that if a law made it illegal to make a device to circumvent a lock to get into a house. and the one major door manufacturer makes doors so fundamentally flawed that all locks attached to it are inately circumventable; doesn't that make the door a form of circumvention device?
Eurohacker European paranoia, gun rights, and h
The rest ist not packetfiltering:
ps: Don't get the impression that i like the SP2 packetfilter - it's really inferior to professional packetfilters.
Don't be such a troll.
..corruption problems since Word 97.
Oh dear. My original post was supposed to be "tongue in cheek humour"
I've written thousands of pages of documentation in Word for my job...
If by that you mean ten or so documents of ~100 pages or so with a few pictures then yes, you will probably be ok. (Despite using a style sheet, you will probably end up with structural problems but that's another issue)
If on the other hand, you had written a "thousand page document", including a couple of hundred graphs, tables few hundred bibliographic entries, equations and cross refereces all with a rigourously inforced style (otherwise known as a large book) then I would sit up and take notice.
The basic issue appears to be memory limitation. On a 256MB machine once you get beyond about 200 pages with ~100 equations or so you will start getting "issues" with Word (based on a friends thesis).
Can't comment on the XP version but this is on Word 2000. In a similar manner to the original parent post (regarding Wordpad crashing) memory "issues" should result in a nice friendly error message telling you to "buy more memory" [*] rather than a resulting cataclismic failure.
These days, 99% of people dumping Word for Latex are either doing it for political reasons...
Is this the result of a long process of statistical testing; or like 80% of all statistics did you just make it up on the spot? [*]
And no, I don't have to write mathematical formuals very often, so Word suffices.
Good for you. If you did have to write equations often (several hundred or so) then you would see what I mean.
------
[*] Yes this is supposed to be moderate cheesy humour.
Be nice to people on the way up. You will meet them again on your way down!
So what if IE crashes on its own? Will it please please please allow me to uninstall it?
My beliefs do not require that you agree with them.
Firstly, the firewall stuff is good.
.rar file, winrar might be specified, if no applocation is registered to handle this, it wont display this option. Also, anything thats executable e.g. *.bat, *.pif, *.scr, *.exe, *.com wont be allowed to execute and must be saved to disk and/or opened with a seperate application. And, certain things like the program that runs *.vbs scripts would be banned so that they dont appear in this list and you cant say "open with this app by default")
Especially things like "by default, only local machines can talk to the windows network messenger (a.k.a. winpopup), windows file sharing and etc ports".
But, its still not a good substitute for a server-based firewall solution (e.g. a linux box with ipchains/iptables) or for a firewall box like the "firewall+DSL modem+router+switch/hub+nat+etc boxes" that are popular with home broadband networks.
Execution Protection is a good feature, I am surprised that intel didnt add support for marking pages as "execuatble" or "not execuatble" way back when with the 386,486, pentium or whatever.
Given the number of Internet Explorer addons in the lists of Spyware programs like Ad-Aware and Spybot Search & Destroy, the Add-on Manager is something thats long overdue. This should at least prevent those who are clued up enough to check it once in awhile from being hit with Spyware addons.
As for the Java stuff, I think the best thing would be for MS to modify all future operating systems and service packs to completly remove the MSJVM if it is present and to install the sun Java VM instead (I expect that as long as they were shipping it unmodified and shipping as recent a version as possible, sun would just love this)
The MSJVM is a piece of garbage that should disappear for good, along with any lame-braned sites/content/software designed to work with it and only with it.
Now, the MIME type handling stuff.
IMO, the best solution is for IE to completly ignore the file extention and contents if it has a MIME type.
Basicly, if it gets a MIME type, it uses that and ignore both the extention and the content. If it doesnt have a MIME type (e.g. local disk file or FTP server, it should use the extention only and ignore the content).
If the MIME type it has is for something like text/plain or image/png or text/html or something else that IE can handle, it should handle it.
If the MIME type is one for which a system program has regisered itself (for example, ms word could register itself for application/x-msword-document), it gets handed off to that.
Otherwise, windows will display a dialog box asking the user to select from:
1.open with the application registered to handle the extention passed in (for example, if its a
2.open with an application of the users choice.
or 3.save to disk
With an option to save this as the default action for this file extention (and the case of no mime type) and a way to remove that "save as default" and re-specify later on, this would be the ideal solution. Plus, unlike what the MS proposal says, it would actually force web-servers to do away with the "send text/plain as default for anything we dont understand" features and configuractions. The right response (IMO, I havent read the RFCs or anything) is to send no MIME type at all for files that you dont have a specific MIME type for.
As for pop-up manager, here is what MS should do:
1.turn off any features in HTML that allows the changing of the "z-order" of windows (e.g. to make a window move to the back like with a pop-under)
and 2.turn the pop-up blocker on by default
But personally, I think the fault lies with the idiot that invented window.open() in the first place. What legitimate use is there for being able to open a new browser window in this maner?
Many web-sites use links that use the TARGET attribute of the tag to create a new window with content in it and thats pefectly fine.
The only uses for window.open() that I know of are:
1.popups, popunders
Pop-up ad blocking, Banner ad blocking, Cookie control, Policies for pop-ups, scripting, ActiveX and so on handled on a per-site basis - content-filtering transparent http proxy (hint: use a more secure browser instead)
Ran into this one when a friend tried to check out my online photo gallery while using Norton "Firewall". Norton happily disabled all Javascript on the page because it apparently didn't like my DHTML.
In my opinion, a "Firewall" has no business interpreting HTML and Javascript. Norton should be taken to task for this, else we risk creating defacto standards.
Marques Johansson
I work at a custom shop and we don't patch anything either - DUR - we install XP SP1 OEM. I'm sure we'll be using XP SP2 OEM discs before too long.
Is it me or are they actually beginning to shape up? I know it's blasphemy to praise MS, but after reading that document I was quite impressed. A few times I was surprised and uttered, "Wow, they actually fixed that!" to myself as I was reading.
...but what's the catch? Seems too good to be true.
Perhaps there is some remote code that manipulates pixels on your screen to subliminally flash messages to you thus making you relinquish your spiritual ownership and connection to your soul. You are now one of them.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
"The funny part is everyone who doesnt use outlook as a mail client has had safer email for years."
Disclaimer: I absolutly HATE Outlook and Exchange...
But in the defense of MS (yikes) they have managed to cobble together enough bandaid fixes to make Outlook rather sane. In this day and age downloading stuff before you run it simply isn't enough. Of the three near virus problems I've had on the network, people downloaded something that was from someone they didn't know, didn't even have a double extension, and was labeled something suspicous ("sexyfun.exe"? If that doesn't scream virus, I don't know what does).
With the latest update of Outlook 2000, & Exchange 2000 MS simply crippled ALL "dangerous" file formats. At first I was going to re-enable them but thinking about it, I decided not to. There is no reason to send an exe file directly through email, and if you do wrap it in a zip file and save some bandwidth while you're at it.
Obviously if I didn't have to use exchange for mail I could easily filter mail at the server, but I have to work with what I've got. MS has at least taken some steps in the right direction (although it's still not a substitute for designing something with security in mind).
With *TeX, it's what I call a true WYCIWYG (what you code is what you get) program; unlike Word which isn't a true WYSIWYG program --- formatting pictures/charts/etc. and positioning them is a pain in any Word document beyond 50 pages. Apart from the inevitable memory-hog slowdown that people mentioned; I've "edited" a 300+ page "magazine" that was full of charts/pictures and found the whole frame idea an increasing pain. I too had to do it in 20-page sections.
LaTex is much more structured; and to be honest, if you've ever done any sort of programming, it's a dead ringer for use in making any large, multipage document. And it's free, open-source,... all that goodness.
Also, keep in mind that having a running firewall is going to break a lot of apps and cause a lot of pain. I predict the number of calls to MS phone support (and to XYZ company's phone support) will explode after this service pack rolls out.
Suddenly gamers won't be able to host multiplayer games, for one. People's distributed file sharing clients won't let them share anything. etc...
I suspect that this anticipated user pain is the reason the ICF was not on by default at XP ship time.
I just made the same suggestion to my neighbor who just wired up his house for a home network of 5 PCs. You can get a switch/router with DHCP service, NAT, firewall services for under $25 bucks nowadays. One of the reps in CompUSA told him he would need to purchase a copy of Norton for every PC in his house to make sure his network is secure. fscking asshole