Slashdot Mirror


Windows XP SP2 Could Break Some Applications

Denver_80203 writes "An article from InfoWorld states that the upcoming Windows XP Service Pack 2 could break some 'unsecure applications.' Tony Goodhew, a product manager in Microsoft's developer group, says 'It doesn't really matter how long it is going to take you to do the work; security is an important issue and developers need to start doing that work now.' Or: 'The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one.' Fortunately for us, they are offering a course to guide the unsecure masses."

13 of 513 comments

  1. You cannot make an omelet without breaking eggs. by Kalroth · · Score: 5, Insightful

    I really like the direction Microsoft is heading.
    Granted, it was needed, as their reputation in regard to security has always been low to none.

    I really hope this will rid Windows XP of future remote exploits, since that's still the biggest threat Windows is facing.
    Having said that, this won't fix all security problems, there will always be the luser that executes whatever is mailed to him/her, but it's still a step in the right direction.

  2. 'Tis a gentle touch of irony... by jkbuha · · Score: 5, Insightful

    ...when one realises that most of this effort is fruit of a tiny 5kb worm which actually had asked Mr. Gates to repair his software...

    --
    I'm still working on my sig

  3. Re:Great! by mcx101 · · Score: 5, Insightful

    It's hardly new for Windows to drop backwards compatibility in areas. Many applications which are partly 16-bit and partly 32-bit won't run on Windows XP, but do run on Windows 95/98/ME for example.

    Windows XP has application compatibility features which allow you to set the OS version to previous releases and provide compatibility with older registry layouts, for example. That kind of compatibility feature is unlikely to help with stricter security controls of course (unless there's an option simply to turn off the new security features).

    --
    My operat~1 system unders~1 long filena~1 , does yours?
  4. This may affect Linux as well as MS by Azureflare · · Score: 5, Insightful
    But unfortunately with many apps that run on Windows, you don't have the source code for those apps for a recompile if they do get broken. Sorry Anonymous Coward, we have to bag MS on this one. They are going to cause a lot of grief by doing this, and a lot of companies will not upgrade to SP2 to avoid that grief. Anyway I think people should stay with Windows 2000 as an operating system of choice in a business type environment.

    In the past, MS has broken Windows 95/98 applications, but Windows XP/2000 had compatibility modes available for the older applications. If it is as they say, and newer apps will be intentionally broken without any way of going into a compatibility mode, this will be bad.

    I have difficulty believing MS would not include some kind of compatibility mode, however. It'll be interesting to see what they do. It won't really affect me though, I don't use XP and can't stand that OS (Windows 2000 is still my favorite Microsoft OS; Windows XP is just 2000 with some pretty GUI changes and some compatibility fixes.)

  5. Memory protection only on 64-bit platforms for now by Eponymous+Cowboy · · Score: 5, Insightful

    Actually, only the Itanium and AMD K8 are affected by this immediately; Microsoft isn't yet marking memory nonexecutable by default on the good old x86 processors that we all use.

    Regardless, it is trivial for developers to update their code for things like JIT compilers, with a simple function like this:

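    #include <windows.h>

    /* Mark a buffer as readable, writable and executable so JIT-generated code in it can run. */
    void MakeMemoryExecutable ( void* buffer, int lengthInBytes )
    {
        DWORD op;  /* receives the previous protection flags */
        VirtualProtect(buffer, lengthInBytes, PAGE_EXECUTE_READWRITE, &op);
    }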

    I added that piece of code to my company's JIT compiler some years ago, just to ensure that the proper flags were set. I figured Microsoft would eventually switch to nonexecutable data and stack segments, much like the OpenWall project has done with their Linux patches. Glad to see Microsoft is finally taking the first steps.

    --
    It's hard for thee to kick against the pricks.
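
An added example, not part of the comment above or of any project it mentions: the same JIT adjustment done write-then-execute, so the buffer is filled while it is read/write and only then switched to read/execute, and the protection call's result is checked. The name RunJitWithWX and the "return 42" byte sequences are constructed for illustration; the non-Windows branch assumes mmap/mprotect as the equivalent calls.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* exposes MAP_ANONYMOUS under strict -std modes */
#endif
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Constructed sample payload: machine code for "return 42". */
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
static const unsigned char kCode[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3}; /* mov eax,42; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char kCode[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6}; /* mov w0,#42; ret */
#else
#error "no 'return 42' encoding for this architecture"
#endif

/* Added example (names illustrative): emit code into a read/write page, flip it to
   read/execute, then call it. Returns the result, or -1 if a protection step fails. */
int RunJitWithWX(void)
{
    const size_t len = 4096; /* one page is enough for the sample */
    int result = -1;
#ifdef _WIN32
    DWORD old;
    void *buf = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (buf == NULL) return -1;
    memcpy(buf, kCode, sizeof kCode); /* page is writable but not executable */
    if (VirtualProtect(buf, len, PAGE_EXECUTE_READ, &old)) { /* drop W, add X */
        FlushInstructionCache(GetCurrentProcess(), buf, len);
        result = ((int (*)(void))buf)();
    }
    VirtualFree(buf, 0, MEM_RELEASE);
#else
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, kCode, sizeof kCode); /* page is writable but not executable */
    if (mprotect(buf, len, PROT_READ | PROT_EXEC) == 0) { /* drop W, add X */
        __builtin___clear_cache((char *)buf, (char *)buf + len);
        result = ((int (*)(void))buf)();
    }
    munmap(buf, len);
#endif
    return result;
}
int main(void) { printf("%d\n", RunJitWithWX()); return 0; }
```
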
  6. Good by quantum+bit · · Score: 5, Insightful

    Microsoft has pandered to broken applications for far too long. Maybe if they finally get over their "backwards compatibility at all costs" attitude, they'll get around to fixing some of the fundamental flaws in their OS.

    I highly doubt that Linux authors would think twice about breaking buggy apps to force the issue.

  7. Microsoft just can't win by Neillparatzo · · Score: 5, Insightful
    Windows apps suffer from buffer overflows, Slashdot bags on Microsoft for having buffer overflows.

    Windows adds NX security to prevent buffer overflows, Slashdot bags on Microsoft for breaking a few apps in the process (apps which were arguably broken in the first place, just the spec was never enforced).

    I understand there's a slight bias on this site, but Jesus Christ you guys.

  8. Re:Lets not bag on MS by TRACK-YOUR-POSITION · · Score: 5, Insightful

    I don't see how Visual Studio .net and .Net Framework users can be considered a small minority. The thing is, Microsoft releasing a service pack that breaks everything is very different from a linux distribution breaking when the user decides to try to compile and install new software completely on their own--Microsoft is the equivalent of the whole open source community of programmers and distributors combined, so a new service pack isn't analogous to a new major release of the Linux kernel, it's more like a new minor release of a Linux distribution. And I'm not sure it's even like that, since a service pack upgrade is supposed to be a lot easier to do than installing a Linux distribution release--so it's more like a distro-released security fix. Which isn't supposed to break everything. I don't know anything about the specifics, but there are memory-protecting kernel patches out there for linux, like PAX and grsecurity and probably a bunch of others. You have to disable them when running Java and X, so I imagine Java will be affected by this update.

  9. Microsoft's Long-Term Perspective by Jonathan+Quince · · Score: 5, Insightful
    .NET is a FAILURE (apart from the most stupidist name ever)

    You evidently don't understand how Microsoft works as a business. Unlike most software shops, they take the long-term perspective. Many of their competitors have learned this the hard way. (E.g., "Internet Explorer is a failure." As of version 3, it was a failure in terms of market penetration, but MS didn't care.) Full Microsoft product cycles typically take about ten years.

    Every major new Microsoft product or technology takes the better part of a decade to take over the desktop. By about 2007-2008 or so, once there starts to be a large installed base of Longhorn machines (which will have .NET preinstalled), .NET will really start to take off for shrinkwrap applications. Five years down the line from there, it will be just about ubiquitous. In the meantime, programmers are learning it and it's becoming a familiar feature of Visual Studio (an excellent IDE).

    --
    Microsoft Windows is, fittingly, the official Desktop OS of Olig
  10. Re:I like it by AndroidCat · · Score: 5, Insightful
    Hopefully they're cracking down on all the apps that have to run as admin. If all those users who open up strange attachments didn't have authority to play with the %windows% directories, there'd be a lot less 0wn3d boxes on the net.

    I bet that most of the things broken should have been fixed back in the NT5 guidelines pre-Win2000.

    --
    One line blog. I hear that they're called Twitters now.
  11. Re:I like it by Spoing · · Score: 5, Insightful
    1. Personally, I think this is a Very Good Thing(tm). Microsoft may finally be "Getting it"

    While I agree, I'm becoming a strong advocate for looking at the world from the point of base motivations.

    Microsoft is primarily motivated to keep stock prices going up -- or at a minimum -- stable.

    If these changes become too painful for those who don't care about security, it will cause a decrease in the deployment of Windows XP and XP-specific programs.

    If this happens -- or may happen -- Microsoft will do something to make people happy...even if that means back stepping.

    That said, I can see them putting out XP SP2 (forcing the app vendors including MS themselves to deal with security) and then offering a variety of moderately painful workarounds. Ideally, the workarounds would break with each minor update, forcing the security issue.

    Putting the changes in XP only, though, does fit with Microsoft's motivation to get people to upgrade. Now they can say "well, W2K is not nearly as secure as XP", even though they could back port the changes to W2K -- though there is no motivation to do so.

    From motivations, though, it's hard to beat OSS on security. The code is there, and if something is not secure it will be made secure because the developers are personally driven to make it so.

    (ObDisclaimer: Keeping in mind that security is always a process not a product. Tools can be handy or even critical, though how they are used and why is much more important.)

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  12. Imagine the other headline by spideyct · · Score: 5, Insightful

    You have to bag on MS for this?
    Ok, imagine this alternate Slashdot headline:

    MS sales buries secure XP
    Itoldyouso writes - A leaked memo indicates that the Microsoft developers created a much more secure version of their flagship operating system. However, because it would have caused problems with a small number of applications that were designed insecurely, the Sales & Marketing teams vetoed the new secure version, in an attempt to avoid a customer backlash. It is now official - Microsoft's commitment to trustworthy computing is a complete joke.

    I have a feeling that post would rile a lot more people here.

    1. Re:Imagine the other headline by drooling-dog · · Score: 5, Insightful
      You're probably right about the hypothetical headline, but the problem - as others here have pointed out - is a fundamental one with closed-source software. Whenever compatibility is broken, users are forced to upgrade apps to restore compatibility with the OS. Since users are unable to do this themselves, vendors can (and do) exploit it as a revenue opportunity. It is also a drag on the development of the OS, because Microsoft is forced to kludge back-compatibility in order to make new Windows versions acceptable to customers with irreplaceable legacy software.

      In the Open Source world you can just recompile, or download new binaries from someone who's done it for you. I've been running Linux for something like 10 years now. Upgrading has never slowed me down for more than a day or so, and I have never lost the use of any software that I needed or wanted to continue using.