Microsoft Releases Changelist for Upcoming XP SP2
kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
> detailing the nature of the security-related fixes
DMCA violation.
Expert in software patents or patent law? Contribute to the ESP wiki!
Go read the doc. before you post.
IE has a popup manager in SP2
Looks like MS is finally doing something intelligent for once. We'll have to wait to see how intelligent though.
We tend to become like the worst in those we oppose. --Bene Gesserit Coda--
Did you RTFA? (I hate saying that, it makes me feel .. like all the other assholes who say that)
...
Internet Explorer Pop-up Manager
Q. What does Pop-up Manager do?
A. Pop-up Manager blocks most unwanted pop-up windows from appearing. Pop-up windows that are launched when the end user clicks a link will not be blocked.
End users and IT administrators can let specific domains launch programmatic pop-up windows. Developers will be able to use or extend the pop-up functionality in Internet Explorer for applications hosting Internet Explorer.
Q. Who does this feature apply to?
A. For end users, browsing the Web will be less annoying, because unwanted pop-up windows will not automatically appear.
For Web developers, Pop-up Manager affects the behavior of windows opened by Web sites, for example, by using the window.open() and showHelp() methods.
For application developers, there is a new user interface: INewWindowManager.
Applications that use the rendering engine in Internet Explorer to display HTML can choose to use or extend the Pop-up Manager functionality.
"wordpad.exe has generated errors and will be closed by Windows.
You need to restart the program.
An error log is being created."
nice.
this Service Pack doesn't break anything 'useful'... *sigh*
With WinXP I got into some serious trouble with my computer and trying to play games. At first everything worked as it should then after a weekend not a single game would play, black screen on launching a game.
After A LOT of work the conclusion was that quickfix 'SP2 Q328310', which had been auto downloaded from MS, did something which stopped a lot of games which need 3D support from working.
Now I always get a message when I start windows, about 'new updates available': -Yeah sure! It's still bugging me to download the patch.
This really helps MS too, I'm so much more willing to download updates/patches when I know that a quickfix to let's say notepad, might break something totally unrelated; like the ability to shut down WinXP >:(
Was that the sound of the personal firewall market dying?
READY.
Thanks again for the .doc format.
Why not put such documents in a more Portable Document Format? Even assuming I have Word Reader or Openoffice, why on earth would you disseminate information via a word processor document format?
I really wonder if there will be undocumented security fixes included in this Service Pack. I recently heard a director of Microsoft say that when Microsoft finds a security vulnerability, they don't disclose it, but just fix it in a service pack. I hope I misinterpreted him, but it makes me wonder if a pre SP build of some Microsoft products might have something under the hood for bad guys to use.
Use Adsense for Charity
The file is in the "OpenOffice.org MS Word doc" format. Wordpad does its best to open this OpenOffice.org format but it can't be expected to keep up with the regular format changes.
Expert in software patents or patent law? Contribute to the ESP wiki!
The 32-bit version of Windows currently leverages the "no-execute page protections" processor feature as defined by Advanced Micro Devices (AMD). This processor feature requires that the processor run in Physical Address Extension (PAE) mode.
Although the only processor families with Windows-compatible hardware support for execution protection that are currently shipping are the AMD K8 and the Intel Itanium processor families, it is expected that future 32-bit and 64-bit processors will provide execution protection.
This sounds nifty, too bad x86 CPUs don't support it (barring AMD's x86-64 offerings). However, doesn't PAE mode result in significant I/O performance degradation?
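The no-execute page protection quoted in the comment above can be observed from inside a running process. The following C program is an added example, not part of the original thread or of Microsoft's document; it assumes Linux, where `/proc/self/maps` lists the permissions of every mapping, and reports whether the pages holding the stack, the heap and the program's own code carry the execute bit.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Find the mapping that contains addr in /proc/self/maps (Linux only).
 * Returns 1 if that mapping is executable, 0 if it is not,
 * and -1 if the file is unavailable or no mapping matched. */
static int addr_is_executable(uintptr_t addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;

    char line[512];
    int result = -1;

    while (fgets(line, sizeof line, maps)) {
        uint64_t start, end;
        char perms[5];

        /* Each entry starts with "start-end perms", e.g. "7ffd1000-7ffd3000 rw-p". */
        if (sscanf(line, "%" SCNx64 "-%" SCNx64 " %4s", &start, &end, perms) != 3)
            continue;
        if (addr >= start && addr < end) {
            result = (perms[2] == 'x');   /* third flag is the execute bit */
            break;
        }
    }
    fclose(maps);
    return result;
}

/* A local variable lives on the stack, so its address identifies the stack mapping. */
static int stack_is_executable(void)
{
    char local = 0;
    return addr_is_executable((uintptr_t)&local);
}

/* A small malloc() allocation lives in the heap mapping. */
static int heap_is_executable(void)
{
    void *p = malloc(64);
    if (!p)
        return -1;
    int result = addr_is_executable((uintptr_t)p);
    free(p);
    return result;
}

/* The address of a function lies in the program's code mapping. */
static int code_is_executable(void)
{
    return addr_is_executable((uintptr_t)&addr_is_executable);
}

static const char *describe(int r)
{
    return r == 1 ? "executable" : r == 0 ? "not executable" : "unknown";
}

int main(void)
{
    printf("stack: %s\n", describe(stack_is_executable()));
    printf("heap:  %s\n", describe(heap_is_executable()));
    printf("code:  %s\n", describe(code_is_executable()));
    return 0;
}
```

On a system that enforces no-execute protection, only the code mapping is reported as executable; an executable stack or heap in this output means injected data on those pages could be run as instructions.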
Execution Protection
Old man Saddam could use that feature right about now.
Only to idiots, are orders laws.
-- Henning von Tresckow
You must be new here.
This feature is a great idea, it means that if, for example, Acrobat Reader is causing IE to crash then at least I know who is to blame and can uninstall or upgrade it.
Mozilla Firebird works quite well too, and isn't shareware either. And I heard you get a browser that's better than IE as a special offer! :-D
Beware: In C++, your friends can see your privates!
Bleh, troll, or did you just skim the file? Either way. . . .
What this new feature does (and it IS rather nifty) is detect which piece of spyware loaded up with IE is causing crashes, and lets the user disable said spyware.
Nice actually. ^_^
Need help treating your acne? Come here!
I just read through that thing - there are a lot of good fixes in there. For one, they've apparently made a lot of changes to IE that will make it less of a pain in the ass to use. Some major changes to popup windows in general - they're making it much harder to trick users with popups.
They also seem to have made a lot of changes to the firewalling stuff - firewalling is on by default, too. They also made it so that the File Sharing and Networking ports only work in the local subnet - this means people won't be able to hit you with Windows Messenger spams from the 'net anymore, or access your RPC ports... good stuff.
Maybe, just maybe, MS will eventually get security right. This Service Pack appears to be a sizable step in the right direction.
using namespace slashdot;
troll::post();
>Doesn't the blocking of ads violate the terms of use of some sites?
Possibly. Who cares? I don't agree with such limitations - you put a site on the web for people to read, free of restrictions. I've yet to agree to anything on my computer other than EULAs. Reading a website does not signify I consent to anything.
I think you misunderstand:
HTML writers - web page authors - cannot just bypass the pop-up manager changes. The new interface they reference is for applications that use IE to render HTML. This new interface is part of the Win32 API essentially, and cannot just be called willy-nilly from a webpage (just like any piece of Win32 API).
The little FAQ snippet makes this distinction but not very clearly. For app-developers this means that instead of using a little piece of Javascript to open a window they will have to hitch into the API to create a new window.
Basically it's just a move to allow app-developers to still use the renderer in an effective way with minimal code changes. Most developers I know however do not use the HTML engine to open new windows. They instead create a new window with API or a language construct and then assign a new instance of the IE activex object to that handle. It's a much more reliable way of opening new HTML windows in applications.
Preferences->Homepage->exclude stories->Microsoft.
I'm sure an enterprising geek could write a script to do that for them. You could even cron job it to give MS free days/weeks.
Now, that's marketing.
As an aside, when is Windows going to include multiple desktops in their shell? I've used a number of third party pagers, but each has its drawbacks and flaws, probably because it's not written with the privilege of truly understanding the Windows code.
Who mediates your information?
Don't be such a troll. I've written thousands of pages of documentation in Word for my job and I honestly haven't seen corruption problems since Word 97. These days, 99% of people dumping Word for Latex are either doing it for political reasons or because they've led a sheltered life and don't want to learn the Microsoft way. And no, I don't have to write mathematical formulas very often, so Word suffices. Then again, most other people don't either.
the funny part is everyone who doesn't use outlook as a mail client has had safer email for years.
I wish they would fess up and tell the truth... they are making outlook safer to use.
My unix email clients never have opened and executed a virus, as it is still stupid to allow someone to execute an attachment without forcing them to save it to a location first.
also, have they disabled the stupid "feature" to hide file extensions? this one thing is one of the worst security holes in existence.
Do not look at laser with remaining good eye.
one word: activeX
IE is just too insecure. Look at all the spyware that utterly rapes it. With Mozilla as mature and stable as it is, there is just zero excuse to use IE for daily surfing. Sure there are the rare occasional times you need it for crappy sites that refuse to run on standard compliant browsers, but 99% of your surfing time should be in Moz (or opera or anything else).
Lawyers, MBA's, RIAA? A jedi fears not these things!
This will be corrected in Service Pack 2, you'll have to wait ...
wtf.n0x.org
I've switched to Firebird, finally. I got sick of finding that my HOSTS file, favourites, and start page were being rewritten by malicious web pages.
On the other hand, Firebird doesn't use the MS JVM, it uses the Sun JVM, which occasionally decides to use 99% of my system resources. It behaved the same way when I tried to use it for IE as well.
On the other, other hand (what, three hands???) I love tabbed browsing, though I haven't yet adjusted - I keep dragging the cursor towards the taskbar looking to switch processes before redirecting to the tabs.
On the fourth hand (this is getting weird) I now see the effects of all the tiny errors in my hand-coded HTML that IE was running - and a proper browser is refusing to display. I actually like that, since forcing compliant coding on me makes my work accessible to more browsers than just IE... of course since they're just vanity pages for me and the wife, it was never critical which is why the errors were never checked for before.
I'm out of hands, now.
Alternately:
-- They knew about it, and management wouldn't let them do shit about it.
-- They knew about it, but addressing it would take significant time and effort, so they opted to defer that to a later release. After all, a million people running a mediocre firewall is better than a million people running no firewall at all.
-- They didn't actually realize it until later on. Are you psychic, or do you just happen to have a buddy who was on the ICF dev team?
But I suppose those angles would just mess up a good troll.
Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005
Since it's in MS Office format, has anyone found any interesting meta info in it yet? :-)
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
Who cares about pop-up blocking in IE? How about: _you_ will care, when you start seeing pop-ups in Mozilla or Opera.
The whole "IE is inferior because it can't block popups" charade existed only _because_ the dominant browser didn't block those. Most people were content to make their pop-ups IE only.
Now that IE has changed, let's think like one of those dishonest marketers. So you were making money serving on-load pop-ups. They no longer work. What next?
How about looking at a little detail: IE, just like Mozilla and Opera, will not block stuff resulting from a user click.
Does it give you ideas yet?
If still not: Want to bet how long until you'll see sites where all links are done with JavaScript that also opens a pop-up window? Where every single drop-down and button and link is accessible only through JavaScript, which incidentally also opens a pop-up or three?
But wait, surely people will start blocking pop-ups completely, right?
Again, let's think like a slimeball some more. Remember, the goal of this exercise is to think not like the user annoyed by those pop-ups, but like the slimeball who pushes them onto you.
He doesn't care if you're annoyed, nor how annoyed. He just wants to make a buck. That's all that matters. He's really got the same moral standards as the spammer filling your inbox with V14GR4 ads.
So in that state of mind: Hmm... what to do against those users still blocking your valuable pop-ups, even when they're triggered by a click?
Well, blimey, make the whole site unusable or crippled without pop-ups. E.g., if you have to log in or fill a form, stuff it in a pop-up window. E.g., all the links to other sites are surely best opened in a separate window, via JavaScript. (All in the name of convenience for the user, of course;) E.g., the site-map, search, articles, etc, surely are best viewed in a separate window opened through JavaScript.
So there you go. Now the whole site is unusable unless the user disables pop-up protection.
Fat lot of good did that pop-up blocking do, eh?
A polar bear is a cartesian bear after a coordinate transform.
This already exists - Ingo Molnar has written something called the exec-shield patch which implements this functionality in a slightly different fashion. Here is a link to one of Ingo's patch announcements.
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
> So there you go. Now the whole site is unusable unless the user disables pop-up protection.
A site that broken, run by someone with that little regard for his users, is a site I have zero interest in visiting anyway. So what's the problem?
God, IE could really use some better CSS handling. I'm disappointed they didn't add any with this service pack.
> Don't be such a troll.
> ..corruption problems since Word 97.
Oh dear. My original post was supposed to be "tongue in cheek humour"
> I've written thousands of pages of documentation in Word for my job...
If by that you mean ten or so documents of ~100 pages or so with a few pictures then yes, you will probably be ok. (Despite using a style sheet, you will probably end up with structural problems but that's another issue)
If on the other hand, you had written a "thousand page document", including a couple of hundred graphs, tables, a few hundred bibliographic entries, equations and cross references all with a rigorously enforced style (otherwise known as a large book) then I would sit up and take notice.
The basic issue appears to be memory limitation. On a 256MB machine once you get beyond about 200 pages with ~100 equations or so you will start getting "issues" with Word (based on a friend's thesis).
Can't comment on the XP version but this is on Word 2000. In a similar manner to the original parent post (regarding Wordpad crashing) memory "issues" should result in a nice friendly error message telling you to "buy more memory" [*] rather than a resulting cataclysmic failure.
> These days, 99% of people dumping Word for Latex are either doing it for political reasons...
Is this the result of a long process of statistical testing; or like 80% of all statistics did you just make it up on the spot? [*]
> And no, I don't have to write mathematical formulas very often, so Word suffices.
Good for you. If you did have to write equations often (several hundred or so) then you would see what I mean.
------
[*] Yes this is supposed to be moderate cheesy humour.
Be nice to people on the way up. You will meet them again on your way down!
I read the document and apparently the pop up blocker is crap. Here's why:
Customers will still see pop-ups launched in the following cases:
The pop-up is opened by a link which the user clicked.
The pop-up is opened by software that is running on the computer.
The pop-up is opened by ActiveX controls that are instantiated from a Web site.
The pop-up is opened from the Trusted Sites or Local Intranet zones.
I sense an increased use of ActiveX by ad-ridden websites in the future. What this is really, is not a way for MS to help out the user by eliminating annoyance. It is a strategy to get everyone who wants pop up ads on their site to use ActiveX. And hopefully when they're using ActiveX they'll make important parts of their site with it. Like say, the navigation bar. I'll stick to Firebird tyvm.
The GeekNights podcast is going strong. Listen!
Firstly, the firewall stuff is good.
Especially things like "by default, only local machines can talk to the windows network messenger (a.k.a. winpopup), windows file sharing and etc ports".
But, it's still not a good substitute for a server-based firewall solution (e.g. a linux box with ipchains/iptables) or for a firewall box like the "firewall+DSL modem+router+switch/hub+nat+etc boxes" that are popular with home broadband networks.
Execution Protection is a good feature, I am surprised that Intel didn't add support for marking pages as "executable" or "not executable" way back when with the 386, 486, Pentium or whatever.
Given the number of Internet Explorer addons in the lists of Spyware programs like Ad-Aware and Spybot Search & Destroy, the Add-on Manager is something that's long overdue. This should at least prevent those who are clued up enough to check it once in awhile from being hit with Spyware addons.
As for the Java stuff, I think the best thing would be for MS to modify all future operating systems and service packs to completely remove the MSJVM if it is present and to install the Sun Java VM instead (I expect that as long as they were shipping it unmodified and shipping as recent a version as possible, Sun would just love this).
The MSJVM is a piece of garbage that should disappear for good, along with any lame-brained sites/content/software designed to work with it and only with it.
Now, the MIME type handling stuff.
IMO, the best solution is for IE to completely ignore the file extension and contents if it has a MIME type.
Basically, if it gets a MIME type, it uses that and ignores both the extension and the content. If it doesn't have a MIME type (e.g. local disk file or FTP server), it should use the extension only and ignore the content.
If the MIME type it has is for something like text/plain or image/png or text/html or something else that IE can handle, it should handle it.
If the MIME type is one for which a system program has registered itself (for example, ms word could register itself for application/x-msword-document), it gets handed off to that.
Otherwise, windows will display a dialog box asking the user to select from:
1.open with the application registered to handle the extension passed in (for example, if it's a .rar file, winrar might be specified, if no application is registered to handle this, it won't display this option. Also, anything that's executable e.g. *.bat, *.pif, *.scr, *.exe, *.com won't be allowed to execute and must be saved to disk and/or opened with a separate application. And, certain things like the program that runs *.vbs scripts would be banned so that they don't appear in this list and you can't say "open with this app by default")
2.open with an application of the user's choice.
or 3.save to disk
With an option to save this as the default action for this file extension (and the case of no mime type) and a way to remove that "save as default" and re-specify later on, this would be the ideal solution. Plus, unlike what the MS proposal says, it would actually force web-servers to do away with the "send text/plain as default for anything we don't understand" features and configurations. The right response (IMO, I haven't read the RFCs or anything) is to send no MIME type at all for files that you don't have a specific MIME type for.
As for pop-up manager, here is what MS should do:
1.turn off any features in HTML that allows the changing of the "z-order" of windows (e.g. to make a window move to the back like with a pop-under)
and 2.turn the pop-up blocker on by default
But personally, I think the fault lies with the idiot that invented window.open() in the first place. What legitimate use is there for being able to open a new browser window in this manner?
Many web-sites use links that use the TARGET attribute of the tag to create a new window with content in it and that's perfectly fine.
The only uses for window.open() that I know of are:
1.popups, popunders
Why, why, why no full IE PNG support?
Argh.
May we never see th
Marques Johansson
I work at a custom shop and we don't patch anything either - DUR - we install XP SP1 OEM. I'm sure we'll be using XP SP2 OEM discs before too long.
Is it me or are they actually beginning to shape up? I know it's blasphemy to praise MS, but after reading that document I was quite impressed. A few times I was surprised and uttered, "Wow, they actually fixed that!" to myself as I was reading.
...but what's the catch? Seems too good to be true.
Perhaps there is some remote code that manipulates pixels on your screen to subliminally flash messages to you thus making you relinquish your spiritual ownership and connection to your soul. You are now one of them.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
"Execution Protection" (NX) has nothing to do with TCPA. NX means the heap and stack are not executable unless you take specific measures to make them so. NX should make it MUCH more difficult for worms and viruses to execute arbitrary code via buffer overruns. Unfortunately, NX is not possible on current 32-bit Intel processors.
"Internet Connection Firewall will be enabled by default..."
About damned time. I just hope that DHCP works through it by default, because right now it doesn't, and if it blocks DHCP, all of those broadband users who connect the PC right to the cable/dsl "modem" will deactivate the firewall to get online.
Of course, what we really need is for ISPs to include a user-manageable firewall in the damned devices in the first place.
With *TeX, it's what I call a true WYCIWYG (what you code is what you get) program; unlike Word which isn't a true WYSIWYG program --- formatting pictures/charts/etc. and positioning them is a pain in any Word document beyond 50 pages. Apart from the inevitable memory-hog slowdown that people mentioned; I've "edited" a 300+ page "magazine" that was full of charts/pictures and found the whole frame idea an increasing pain. I too had to do it in 20-page sections.
LaTex is much more structured; and to be honest, if you've ever done any sort of programming, it's a dead ringer for use in making any large, multipage document. And it's free, open-source,... all that goodness.
Also, keep in mind that having a running firewall is going to break a lot of apps and cause a lot of pain. I predict the number of calls to MS phone support (and to XYZ company's phone support) will explode after this service pack rolls out.
Suddenly gamers won't be able to host multiplayer games, for one. People's distributed file sharing clients won't let them share anything. etc...
I suspect that this anticipated user pain is the reason the ICF was not on by default at XP ship time.
That is absurd. Microsoft wants to kill ActiveX on the web just as much as you do.
I can't remember the last time I read an article on MSDN or any other MS developer website where it was suggested you should use a client side ActiveX component to provide a rich interface.
They have already recognized its major shortcomings (notably "all or nothing" trust of components) and are now pushing new alternatives to a rich web experience (.NET smart clients, Avalon XAML apps in Longhorn, etc).
The reason they can't block ActiveX controls is that an ActiveX control can do whatever it wants if the browser allows it to execute. There is no fine grained control over what it is allowed to do.
No conspiracy here.