Windows XP SP2 Could Break Some Applications
Denver_80203 writes "An article from InfoWorld states that the upcoming Windows XP Service Pack 2 could break some 'unsecure applications.' Tony Goodhew, a product manager in Microsoft's developer group, says 'It doesn't really matter how long it is going to take you to do the work; security is an important issue and developers need to start doing that work now.' Or: 'The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one.' Fortunately for us, they are offering a course to guide the unsecure masses."
Is this supposed to mean that Java will stop working?
--t
I read an article about this yesterday and wanted to test it against some apps where I work, but could not find the download for it on the Microsoft website. Do you have to have an MSDN subscription to get it? Seems rather screwy that if I want to make sure my app works with Microsoft's OS I pay them an extra $500 for the privilege. Maybe this is the new money making model. Profits are down this quarter, let's go break some code and charge them for how to fix it.
...IE will continue to be broken then :-)
Actually, I'm very interested to see if the SP2 pop-up ad blocker will actually work in IE since MS has dragged their feet on this issue. Half the battles we have been fighting lately at work involve IE and pop-ups that install crap without any notification.
"Klaatu, verada, necktie!" -Ash
The real problem is that the benefits it (should) bring will not get deployed to the bulk of systems that need it - at 210Mb I can't see the majority of systems out there that really need it getting the whole thing downloaded, at least not within any reasonable time frame. Hopefully by the time it is actually released they will have a lite version on Windows update that can push the security improvements in a much smaller package.
Their decision to at least try to implement some long overdue fundamental improvements to the security of the architecture is to be welcomed no matter how overdue it is. However, despite that, their decision not to add any outgoing filtering capability to the ICF doesn't make any sense to me and seems, well, just stupid really.
Backward compatibility has been a bit of a sacred cow in Windows for too long. Much of Windows' excess complexity and security deficiencies can be directly attributed to compromises made for the sake of compatibility with old applications.
I know, I know. Don't feed the troll. You may think .NET is a failure, but there are a lot of companies who do not think so.
And if it was such a failure, why are the programmers in the open source computing community devoting the time and effort to make a Linux version (Mono, etc.)?
And the same applies to Java. "Download my free 175 KB Java app" that requires a hefty download from Sun. And that's just for one language.
However, I will agree that .NET is a really lame name.
~X
~X~
From the developer's guide. Emphasis mine.
The security technologies included with Service Pack 2 will allow for better protection against network-based attacks. Windows Firewall is now turned on by default and all ports are closed except when they are in use.
I hope their firewall doesn't open ports automatically, or it's nothing more than swiss cheese.
My Norton Internet Security currently interferes with my Visual Studio .NET remote debugging. So I can disable it while debugging or I can configure NIS to track when the program is running and let it use those ports.
Now MS says, with their new firewall, I don't *have* that option? Now anybody who wants to write an app to use a port must first notify MS that it wants to use that port.
Doesn't this mean that malicious programs will just quietly open up firewall ports on their own without notifying the user?
Secondly, what does this mean:
"Another product that Microsoft needs to update is the .Net Framework. The new memory protection features in SP2 require developers of certain applications to mark their code with memory execution permissions. If they don't, the protection features could interfere with the application, according to Microsoft.
"The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one," Goodhew said.
Translation:
Mostly only unmanaged C++ programmers will be affected by these security changes. If you had just programmed the Microsoft way to begin with and used .NET like we told you, you won't be affected. (But .NET apps are going to have to be modified to switch on memory protection)
Memory protection only occurs on NEW processors. The vast majority of the world runs Windows on NON-SECURE processors.
Stranger still, Microsoft has had buffer overrun checking BUILT IN to Visual Studio .NET. (Which, last I checked, was the only way to make .NET objects that run on Windows). Without that flag turned on, the .NET object is marked UNSECURE.
Lastly, Microsoft's greatest security problems are not buffer overruns or firewall holes. They're AUTOMATIC ACTIVEX control installation from malicious pop ups to install spyware. They're wide open access to the email address box and a by-default scripting system that allows malicious emails to respawn themselves. They're bugs in the Internet Explorer control that allow malicious URL's.
NONE of these "security innovations" even take a crack at stopping those!
What DO these security innovations do?
Destroy a previously lucrative software market for antivirus tools.
Take the firewall OUT OF THE CONTROL of the user and put it firmly inside the OS to determine what's good for you. (Remember DRM? Isn't it interesting that the main thing broken from this portion of the update are peer-to-peer apps and FTP sharing?)
Further entrench .NET into the programming paradigm and making Microsoft Programming Languages THE programming languages. (Programmer mindshare... if you're busy keeping up with Microsoft, you're not programming for something else or making reusable code to port to other platforms.)
I'm all for security, and now these boxes will be secure... But no more so than the typical user installation out there today that uses a third party antivirus/firewall solution and keeps their system up to date with the latest patches.
This is about as effective as what MS did with Outlook XP and *by default* turning off the ability to get attachments out of your email. You had to set up a profile configuration OR edit your registry settings to get that feature back.
Y'know, there comes a point where you have to say, I can ride my bicycle without training wheels.
I understand that MS is fighting a bad PR image. But if this is how Microsoft "innovates"... Well, might as well just have lightweight users use Macs (which will hold their hands) and pro users/developers can use Linux.