Slashdot Mirror


Windows XP SP2 Could Break Some Applications

Denver_80203 writes "An article from InfoWorld states that the upcoming Windows XP Service Pack 2 could break some 'unsecure applications.' In a quote from Tony Goodhew, a product manager in Microsoft's developer group says 'It doesn't really matter how long it is going to take you to do the work; security is an important issue and developers need to start doing that work now.' Or: 'The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one.' Fortunately for us, they are offering a course to guide the unsecure masses."

17 of 513 comments (clear)

  1. Java? by 0tim0 · · Score: 5, Interesting
    The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation.

    Is this supposed to mean that Java will stop working?

    --t

    1. Re:Java? by smallpaul · · Score: 3, Interesting

      How do you think you do compilation without code generation? Compilation is the conversion of code in one format (in this case Java bytecodes) to code in another (e.g. x86 assembly).

  2. some funny quotes by stonebeat.org · · Score: 3, Interesting

    From the article @ Windows XP SP2 could break existing application
    according to Tony Goodhew, a product manager in Microsoft's developer group:

    "SP2 will break some applications because they are insecure," he said. "Security is important, and it is not just a Microsoft problem but a developer community problem. We all need to work together to create a more secure computing environment."

    "It doesn't really matter how long it is going to take you to do the work; security is an important issue, and developers need to start doing that work now," Goodhew said.

  3. Here's more info on what SP2 is about by ClippyHater · · Score: 4, Interesting

    Microsoft has a nice bit of info for developers. All in all, I'm pretty impressed with the work and thought they've put into this SP--should make the world just a little bit safer for computing (of course, only for the folk running XP, the rest of their offerings don't have any of this as far as I know).

  4. Where do you get the Beta by mpn14tech · · Score: 5, Interesting

    I read an article about this yesterday and wanted to test it against some apps where I work, but could not find the download for it on the Microsoft website. Do you have to have an MSDN subscription to get it. Seems rather rather screwy that if I want to make sure my app works with Microsofts OS I pay to them an extra $500 for the privilege. Maybe this is the new money making model. Profits are down this quarter, lets go break some code and charge them for how to fix it.

  5. Sounds like... by Khan · · Score: 5, Interesting

    ...IE will continue to be broken then :-)

    Actually, I'm very interested to see if the SP2 pop-up ad blocker will actually work in IE since MS has dragged their feet on this issue. Half the battles we have been fighting lately at work involve IE and pop-ups that install crap without any notification.

    --

    "Klaatu, verada, necktie!" -Ash

  6. Re:.NET framework by Xoder · · Score: 4, Interesting

    He's not a programmer. This is important. From the end-user perspective, .NET is just a ill-formed buzzword. I do not doubt the idiocy of MFC (although I've never used it), and the improvement that .NET brings (although I've never used it), but as a Windows user, not developer, I can't see the difference or the point in installing the .NET framework.

    --
    The previous sig has been removed due to /. protecting your best interests
  7. Re:These are a few insecure programs that won't wo by Helvick · · Score: 5, Interesting
    Rest easy bud (or maybe not) - QT, RealPlayer and Firefox certainly won't break, I use 'em and have a beta of SP2. No issues, at least on my setup, with these or any other of my apps. All Windows Service Packs break "some" applications, and the same applies to other OS's, the difference here is that MS are providing tools to help developers identify and rectify them in advance - that's certainly a good idea.

    The real problem is that the benefits it (should) bring will not get deployed to the bulk of systems that need it - at 210Mb I can't see the majority of systems out there that really need it getting the whole thing downloaded, at least not within any reasonable time frame. Hopefully by the time it is actually released they will have a lite version on Windows update that can push the security improvements in a much smaller package.

    Their decision to at least try to implement some long overdue fundamental improvements to the security of the architecture is to be welcomed no matter how over due it is. However despite that their decision not to add any outgoing filtering capability to the ICF doesn't make any sense to me and seems, well, just stupid really.

  8. Pain in the ass, but a step in the right direction by keath_milligan · · Score: 5, Interesting

    Backward compatibility has been a bit of a sacred cow in Windows for too long. Much of Windows' excess complexity and security deficiencies can be directly attributed to compromises made for the sake of compatibility with old applications.

  9. Sun Hot Spot by codepunk · · Score: 4, Interesting

    Sounds like a rather nice way of introducing stability and or compatibility problems to java by not allowing Sun's Hot Spot just in time compiler to work correctly.

    --


    Got Code?
  10. Re:.NET framework by Xyrus · · Score: 5, Interesting

    I know, I know. Don't feed the troll. You may think .NET is a failure, but there are a lot of companies who do not think so. And if it was such a failure, why are the programmers in the open source computing community devoting the time and effort to make a linux version (mono, etc.). And the same applies to java. "Download my free 175 KB java app" that requires a hefty download from sun. And that's just for one language. However, I will agree that .NET is a really lame name. ~X

    --
    ~X~
  11. Re:Uh oh by FuzzyBad-Mofo · · Score: 5, Interesting

    From the developer's guide. Emphasis mine.

    The security technologies included with Service Pack 2 will allow for better protection against network-based attacks.. Windows Firewall is now turned on by default and all ports are closed except when they are in use.

    I hope their firewall doesn't open ports automatically, or it's nothing more than swiss cheese.

  12. Re:Uh oh by DrSkwid · · Score: 4, Interesting


    hehe

    I also like :

    Work continues with microprocessor vendors to help Windows support hardware-enforced "no execute" (NX) on microprocessors that support the feature. This feature allows the CPU to enforce the separation of application code and data, preventing a component from executing program code that a worm or virus inserted into a portion of memory marked for data only.

    So now MS and 3rd party programmers will think to themselves "aw well, if my pointer arithmetic is poor the CPU will catch any over runs".

    Apparently MS hasn't learned the ancient ninja technique of heap redirection or return-to-lib.

    So new hardware security features will lead to *more* exploits!

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  13. Re:"Insecure Applications"? by Slack3r78 · · Score: 3, Interesting

    Look at what you just wrote. Service packs fix the operating system. What I see this as meaning is it will break applications that were written in an insecure manner, most likely using undocumented APIs.

    In the past, when MS has updated the OS, they've often worked kludges in to make sure they don't break applications that were doing things that they weren't supposed to be doing. With the new focus on security, Microsoft has likely put an end to such kludges and things are going to break. I'm not surprised, and it doesn't really bother me.

    Really, most of the posts I'm seeing are giving Microsoft a hard time about this, but how is it any different from the kernel developers refusing to freeze a driver API, which in turn occassionally causes drivers for some hardware to break? It happens, and it's really out of Microsoft's hands if they're focused on building a more secure OS than what they have now. I'm sure Microsoft's own products will be patched at the same time SP2 is released, and so long as they provide a changelist which would allow developers to fix apps that might break, what's the problem?

  14. The Emperor has no clothes by the_skywise · · Score: 5, Interesting

    My Norton Internet Security currently interferes with my Visual Studio .NET remote debugging. So I can disable it while debugging or I can configure NIS to track when the program is running and let it use those ports.

    Now MS says, with their new firewall, I don't *have* that option? Now anybody who wants to write an app to use a port must first notify MS that it wants to use that port.

    Doesn't this mean that malicious programs will just quietly open up firewall ports on their own without notifying the user?

    Secondly, what does this mean:

    "Another product that Microsoft needs to update is the .Net Framework. The new memory protection features in SP2 require developers of certain applications to mark their code with memory execution permissions. If they don't, the protection features could interfere with the application, according to Microsoft.

    "The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one," Goodhew said. "

    Translation:
    Mostly only unmanaged C++ programmers will be affected by these security changes. If you had just programmed the Microsoft way to begin with and used .NET like we told you, you won't be affected. (But .NET apps are going to have to be modified to switch on memory protection)

    Memory protection only occurs on NEW processors. The vast majority of the world runs Windows on NON-SECURE processors.

    Stranger still, Microsoft has had buffer overrun checking BUILT IN to Visual Studio .NET. (Which, last I checked, was the only way to make .NET objects that run on Windows). Without that flag turned on, the .NET object is marked UNSECURE.

    Lastly, Microsoft's greatest security problems are not buffer overruns or firewall holes. They're AUTOMATIC ACTIVEX control installation from malicious pop ups to install spyware. They're wide open access to the email address box and a by-default scripting system that allows malicious emails to respawn themselves. They're bugs in the Internet Explorer control that allow malicious URL's.

    NONE of these "security innovations" even take a crack at stopping those!

    What DO these security innovations do?

    Destroy a previously lucrative software market for antivirus tools.

    Take the firewall OUT OF THE CONTROL of the user and put it firmly inside the OS to determine what's good for you. (Remember DRM? Isn't it interesting that the main thing broken from this portion of the update are peer-to-peer apps and FTP sharing?)

    Further entrench .NET into the programming paradigm and making Microsoft Programming Languages THE programming languages. (Programmer mindshare... if you're busy keeping up with Microsoft, you're not programming for something else or making reusable code to port to other platforms.)

    I'm all for security, and now these boxes will be secure... But no moreso than the typical user installation out there today that uses a third party antivirus/firewall solution and keeps their system up to date with the latest patches.

    This is about as effective at what MS did with Outlook XP and *by default* turning off the ability to get attachments out of your email. You had to setup a profile configuration OR edit your registry settings to get that feature back.

    Y'know, there comes a point where you have to say, I can ride my bicycle without training wheels.

    I understand that MS is fighting a bad PR image. But if this is how Microsoft "innovates"... Well, might as well just have lightweight users use Macs (which will hold their hands) and pro users/developers can use Linux.

  15. Re:Uh oh by dildog · · Score: 4, Interesting

    I think you missed the point. This is fundamentally similar to 'stackguard' and has been circumvented for some time using the following technique: (and others, mind you)

    When you overwrite the stack pointer, you don't have to point to code that's on the stack.

    For example, I can overflow with a 'command-line string' on the stack, and have the overwritten stack pointer point to the address of a library function, such as 'system()', or something, and then it won't be executing any code from the stack, just taking arguments from the stack like usual.

    This can't be blocked with a conventional non-executable stack.

  16. Java vs. C (again) by Ratbert42 · · Score: 3, Interesting
    Try a well written app like azureus...

    While the SWT is pretty, it eats 120 megs of memory on my machine and a significant amount of CPU. The old standard BT client (whatever it's called) is more like 15 megs and much lighter on the CPU.

    Actually, at work recently we've had a bit of a shootout among various XML DOMs. Our C++ code runs about 4 times slower than (my) tighter C code. But the amazing thing is that some Java code, with a highly optimizing JVM, has beaten my C by about 50%. Of course, we aren't counting startup time, but still, that sucker is fast. We think it comes down to the JVM being optimized for the P4 while the best I can do with Microsoft Visual C++ is optimizing for the Pentium Pro.