WinXP SP2 Sacrifices Compatibility for Security
goldragon writes "TechRepublic is reporting that "Microsoft is pulling out all the stops to improve security. So much so, in fact, that it will cause many problems because SP2 will de-emphasize backward compatibility with legacy systems and code for the sake of security." One small step forward for Microsoft, one giant leap backwards for mankind?"
Let's face it, you can't remain compatible with old software forever.
Especially spyware.
I've found that if you go into IE's security preferences (TOOLS > INTERNET OPTIONS > SECURITY > CUSTOM LEVEL) and set all of the options that are set to "prompt" to "disable", it keeps a PC from contracting spyware (that propagates through web browsing).
I've found that this is a better solution than telling my father-in-law to use the power button when he encounters a web page that LOCKS a user into picking YES when prompted with that ActiveX security warning garbage.
What will the slashdot community do when Microsoft fixes all of their problems? If they execute the antivirus and spyware solutions properly, It'll be a while until I look back.
Life is the leading cause of death in America.
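The hardening step described in the post above (turn every Internet-zone setting that is on "Prompt" to "Disable"), scripted so it can be reviewed before it is applied. This is an added example, not code from the post or from Microsoft; the registry key path and the 0 = Enable / 1 = Prompt / 3 = Disable encoding of the per-zone URL-action values are my own knowledge of IE's settings store, not something the post states, and the action names in the lookup table are only there to make the report readable.

```powershell
# Added example: report and then disable every "Prompt" URL action in IE's Internet zone.
# Assumption (not from the post): per-user zone settings live under this key, each URL
# action is a DWORD value named by a four-digit number, and 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet

# Human-readable names for a few well-known URL actions; anything else is still processed.
$KnownActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

function Get-PromptActions {
    # Returns every four-digit URL action in the zone whose current value is 1 (Prompt).
    param([string]$Key = $ZoneKey)
    $item = Get-ItemProperty -Path $Key
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d{4}$' -and $_.Value -eq 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Action      = $_.Name
                Description = if ($KnownActions.ContainsKey($_.Name)) { $KnownActions[$_.Name] } else { '(other URL action)' }
            }
        }
}

function Set-PromptActionsToDisable {
    # Changes each Prompt (1) action to Disable (3); honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key = $ZoneKey)
    foreach ($a in Get-PromptActions -Key $Key) {
        if ($PSCmdlet.ShouldProcess("$Key\$($a.Action)", "Set '$($a.Description)' from Prompt (1) to Disable (3)")) {
            Set-ItemProperty -Path $Key -Name $a.Action -Value 3 -Type DWord
        }
    }
}

# Report first, then preview the change; drop -WhatIf to apply it and restart IE afterwards.
Get-PromptActions | Format-Table -AutoSize
Set-PromptActionsToDisable -WhatIf
```

Settings pushed through Group Policy (the Policies\...\Zones keys under HKLM and HKCU) take precedence over the per-user values this script edits, so on a domain-joined machine check the effective setting in the Custom Level dialog after running it.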
I've been looking at XP SP2's release candidate for a couple days now, and it's pretty obvious that it will cause nightmares for Windows admins for quite a while. However, it looks like they're making steps towards better security, which will be better in the long run.
Anyone who works in Windows shops knows the proliferation of COM-based software that was thrown together in Visual Basic, and this software often performs critical functions. It will take lots of testing/planning to make sure SP2 doesn't break these extremely fragile apps. There are many, many in-house applications that are still chugging along, even in compatibility mode, because they simply can't be replaced easily. Unfortunately, Microsoft can't test these in-house apps.
We'll see what happens...
DOSBox is available for Windows, too. From their screenshots, it looks like they've gotten Windows 3.1 to run under it. Dunno if you can install something like Win95, though.
I'm running the public early release of SP2 and Visual Studio 6 won't install. There will be more applications that break besides viruses and trojans.
The NX flag was only announced 18th March, so I'd say that was 'quickly', not 'finally'. It only made it into Linux 20 days ago
WinXP by default starts 36 services. I doubt any one user needs more than 10 of those.
http://www.winnetmag.com/Windows/Article/ArticleID/40722/Windows_40722.html
dinner: it's what's for beer
yeah, but similar move from 680x0 to PPC trashed a lot of small applications (utilities and similar). I really did not like the situation, although I was aware that PPC was better way to go.
No sig today.
Better yet, you can set up the less technically-inclined with Mozilla and sidestep the spyware problem altogether. My parents and grandparents have been running it for a while now, and I've heard no complaints...machines that had been clogged with worms and spyware are now clean and have stayed clean.
20 January 2017: the End of an Error.
The WinXP article is dated June 7. The link points to a Silicon.com article about a security flaw in OS X, and that article is dated May 26.
It was on June 7, the same day, that Apple released a second Security Update that fixed the remaining vulnerabilities.
~Philly
OpenBSD has had NX for about a year now, and Solaris on Sparc has had it for much longer than that.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
The only issue I've had with Classic is that it let developers drag their feet on new versions, since their old wares could run just fine in Classic. That, and for the life of me, I can't get a consistent set of fonts working for OS X and Classic, and I've tried Suitcase, Font Book, and even violent physical abuse. It's kind of annoying that fonts that are installed on my system and even installed for Classic through font book don't get recognized by pagemaker.
do not read this line twice.
I agree completely. It's the stupid-ass comments posted with the headlines that reveal Slashdot for what it is: Anti-MS Zealots Central.
I don't care if comments like that are posted, but they should be kept off the front page in my opinion. If you're trying to be a semi-serious news site, then do it, which means keeping crap like that out of the headlines. If you just want to be a community of Microsoft haters, that's fine, but get rid of your grandiose tagline because it doesn't apply.
About the news itself... Geez people, hate Microsoft all you want, there's plenty of good reason. But even they deserve SOME level of fairness applied, and as the parent here posted, they are damned if they do, damned if they don't, in the eyes of this community anyway. That's unfair, and even THEY deserve some degree of fairness.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
That was DOS 2.0. I guess that makes me an old fart.
Far too many Windows applications require that the user be logged in as Administrator. So many apps unreasonably require admin privileges that many users opt to be permanently logged in as Administrator. This in itself is a huge security hole.
Microsoft needs to close this hole and improve the application install/uninstall process. Many of the other fixes in XP sp2 are just window dressing without these necessary loopholes being closed.
-- "Most people prefer a popular myth to an unpopular truth"
dunno about OpenBSD, but the UltraSPARC processor supports it (and that's really old). FYI it's enabled by adding:
set noexec_user_stack=1
set noexec_user_stack_log=1
into /etc/system
Fast User Switching is a nifty toy for home, but it's nothing more than a crippled subset of the virtual consoles that have been a standard part of PC-based UNIX (Linux, FreeBSD, even SCO) for over a decade. For Jobs to copy it instead of just taking advantage of the virtual console capability that's inherent in the OS Apple based Panther on is a wonderful example of the triumph of style over reality.
XP's "faster boot time" is an illusion. It takes XP a long time to complete booting... it just brings up the login dialog and lets you start logging in before it's finished booting. This can cause problems when you need services that don't get started until later from the users' login script... we always tell our users to wait for it to stop beating on the disk before logging in.
previous versions of NT were not meant to be mainstream desktop products
Sure they are. They weren't intended to be "game engines" for home, but they were definitely targeted at the office desktop, otherwise NT 4.0 would have been significantly different: there's absolutely no reason to put GDI in the kernel on a server.
Have you been following any of the recent virus and spyware debacles at all?
Well, yes, I banned Internet Explorer, Outlook, and all products derived from them at work almost a decade ago... that's how long I've been fighting viruses and spyware on the Windows platform. If Microsoft was interested in making the system safer for naive users, they'd have cut down the clutter in C:\ and backed away from the integration of IE and the desktop instead of leaving all the dangerous stuff around with cigarette-packet disclaimers that people are quickly trained to ignore.
to open ports IN ICF[Internet Connection Firewall]. (Emphasis mine.)
No, you don't need to be an admin to open a socket. But you do need to be an admin (rightly so) to blow open holes in your firewall.
Or, under the new system, you can tell the system, as a non-admin, to let the program open the port, but to take care of closing and what not, rather than trusting the app to do the right thing.
Vintage computer games and RPG books available. Email me if you're interested.
Really? In what way? I have been using XP here at work for the last 6 months, and didn't see any real leaps forward. It just looked different, and took me a little while to get it looking like I wanted it (i.e. like Win2K). I was forced to upgrade, because that is the "corporate standard". As a desktop OS, I haven't seen anything better than Win2K.
And at home I use Linux. Not because it is an alternative to Windows, but because I like it better. It does more of what I want it to do. Windows can't "win me back" because I was never really there. I never preferred Windows, it was what I used because there essentially was no alternative. Now I see Windows as an alternative to Linux. I only boot my Win98 machine when I need to burn a DVD or play a game. That is maybe once every couple of weeks.
My beliefs do not require that you agree with them.
The first is the NX bit on AMD64 and EM64T. This will be applied to all code, including legacy 32-bit code. Windows has required all applications that execute on the heap to mark such regions as executable for some time already, but there was no enforcement until now. There will likely be compatibility fixes for some applications, but there will probably be others that break.
The second thing is the new lockdown for Internet Explorer. This will break quite a few websites and web applications. Spyware that runs using ActiveX controls will get a nasty shock from this, but so will a lot of custom applications that run as ActiveX controls and websites that depend upon scripting.
There are also minor bug fixes and implementation changes that will break applications relying on buggy or undefined behavior in Windows, but that's normal with patches and updates, and will get the standard Microsoft compatibility treatment.
Firewall is on by default with XP SP2.
>You have absolutely no evidence to support your claim that SP2 is causing your machine to access hotmail.com.
You are correct, I have no evidence. I only know that it "happened" to occur as I was running Windows Update and that Windows Update "happened" to stall until I permitted the connection. I agree this is circumstantial at best, but interesting nonetheless.
>In fact, it was probably a virus your machine got earlier that is making it act as an email relay. You're just aware of it now.
First off, AVG scans daily and Adaware gets run once/week. Second, the "hotmail" machine in question isn't an MX server and won't accept connections on port 25 (SMTP). The connection attempt was on port 80 anyway.
Third, and most important, http://law15-f93.law15.hotmail.com:80/ redirects to http://windowsupdate.microsoft.com/.
Joel Spolsky recently wrote an *excellent* article on this very topic called How Microsoft Lost the API War. Like almost everything he writes, it's well worth a read.
One of his major points is how MS is breaking with its past, from when backwards compatibility was a /big/ thing. He cites VB.NET and Longhorn as two examples, but it looks like Microsoft just gave him another big one.
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
But for the average home user, XP's predecessor WAS Win98 (or maybe WinME). Maybe a few used some NT variant at work. For them XP IS a giant leap.
You're partially correct about the "faster boot time". It is an illusion, but it's not because services get started from login scripts. Everything is chained, so usually only a service, or a reparse point set to trigger a service (like the IMAPI service) can start a service. Users don't have the permissions to start and stop services. So you're really just waiting for started services to start the next services, and random just to finish paging in and out of memory (I find the best thing to help with actual boot time is to have more memory, if you're going to use more junk).
Of course, only about two dozen people that use windows know how to configure an operating system, and everyone else logs on as a local administrator. Kinda tends to let you break everything at once any way.
funny munging
"also allows some applications to run as a regular user instead of administrator."
Huzzah. Probably 90% of the Windows apps that "need to run as administrator" are that way seemingly because the designer never saw a secure system and doesn't know how to code for one. Of course, reading the Logo Requirements would cure a number of bad habits, but that would extend your time-to-market by almost a day....
I've lost count of the number of "must be administrator" products that run just fine after minor changes to one or two ACLs. Or even just redirecting their internal bookkeeping to an *appropriate* place for users to be allowed to write.
Let's hope that some Third Parties notice this and do likewise.
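The fix described in the post above, and in the earlier post about apps that unreasonably require Administrator: instead of running the program elevated, grant ordinary users write access to the one folder it actually needs to write to. This is an added example, not code from either post or from any vendor; the install path and the group name are hypothetical, and the guard that refuses to loosen a folder containing executables is my own addition, there because making the install tree itself writable would let any user replace the program's binaries.

```powershell
# Added example: give a non-admin group Modify rights on one application data folder
# so the app no longer has to run as Administrator. Path and group are hypothetical.
$DataDir = 'C:\Program Files\LegacyApp\Data'   # assumed: the only place the app writes
$Group   = 'BUILTIN\Users'                      # assumed: who needs to run the app

function Show-FolderAccess {
    # Lists the current ACL entries so the change can be reviewed before and after.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

function Grant-ModifyOnDataFolder {
    # Adds an inheritable Allow:Modify entry for $Identity on $Path; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    # Least-privilege guard: never make code writable. If the folder (or anything below it)
    # holds executables, this is the wrong folder to open up.
    $code = Get-ChildItem -Path $Path -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($code) {
        throw "Refusing to grant write access on '$Path': it contains executable code ($($code.FullName))."
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant Modify to $Identity (inherited by files and subfolders)")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Review, preview, then apply by dropping -WhatIf; afterwards retest the app as a standard user.
Show-FolderAccess -Path $DataDir
Grant-ModifyOnDataFolder -Path $DataDir -Identity $Group -WhatIf
```

Finding which folder (or registry key) the app actually writes to is the part that takes effort: run it once as a standard user, note the first access-denied error, and widen only that location. If the write target turns out to be the install folder itself, the better fix is the one the post hints at, redirecting the app's bookkeeping to a per-user location such as %LOCALAPPDATA% rather than loosening Program Files.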
Interesting... I've got a 4-year old apple laptop, which can easily run OS X 10.3.4 without any significant problems (a bit slow, but still reasonable performance from a G3 400 MHz). Nuff said. As for compatibility with older systems, I think Apple's approach is better - I can run >90% of my "classic" (pre-OSX) apps in fast emulation. With no crud holding back the new operating system.
The DoD makes their contractors use a 16-bit windows app to submit bids. I know this because I just installed it on a PC here.
Jaysyn
There is a war going on for your mind.
For example, if you're running XFree86, find the file(s) "Xaccess" and change the "#*" and "#* CHOOSER BROADCAST" to "!*". This will reject any requests for a logon window (which is maybe where you get the assumption that the login service is exploitable via the network).
I don't remember how to do it anymore, but I used to have that port closed as well. It seems that X will happily use Unix-domain sockets (i.e. tied to the filesystem and therefore not networked). This means that you can run a Linux workstation with no ports open.
This is all a moot point to me these days since I use a router. However, in my recent dabblings with Fedora, I noticed that it now blocks all but a few ports with iptables and provides a handy clickable interface to select which services you want to offer. I think that qualifies as pretty close to the ideal, although I don't know for sure what's turned on by default, not having done the actual install.
I know I'm feeding the Troll[...]
The trollish "mistake" here is failing to distinguish background processes ("daemons") with network-accessible services. Most of the essential Linux services don't touch the networking system at all.
FYI... The word is spelled "hypocrisy." Have a nice day.
What's your beef with services?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm not sure which DOS apps you are thinking about, but I can think of many, many DOS apps that don't work in WinXP, and, as the insightful readers out there have already guessed, I am talking about DOS games!
A few quick examples:
- Star Control 2
- Ultima 7
- Wing Commander 3
(basically anything that Origin ever made was always broken on the next OS upgrade hehe...)
Maybe the simple text DOS apps can still be run in WinXP, but you'll be hard pressed to find many games that still run. DOOM _might_ still run, I'm not even sure about that one. (I know it ran in Win9x)
If DOS compatibility wasn't an issue, then projects like http://dosbox.sf.net wouldn't exist...
I found this article on MSDN a while ago.
It points out that most registry access by software is not necessary and can be avoided.
They are also finally catching up to the idea of Least-Privilege users in Longhorn. It's about time.
Opportunities multiply as they are seized. --Sun-Tzu
What? Classic unusable? You must be a Windows or Linux user.
Yes, every vendor was under pressure to produce native versions of their apps ASAP, but that's because you get a better application running native than under Classic because it can take better advantage or the new OS. The big reason why Apple pushed people to upgrade their apps was the new Aqua UI, which the Classic environment doesn't give you.
Now the very early versions of Classic were still very good, but there were some minor problems with it as a few people reported. Personally though I never had any problems at all, and every single application I have tried to run under Classic has worked flawlessly.
The only class of software that I know of that is not guaranteed to work under Classic is OS extensions. Even some of those actually work.
XP's "faster boot time" is an illusion. It takes XP a long time to complete booting... it just brings up the login dialog and lets you start logging in before it's finished booting.
I don't agree with this. Windows 2000 does the same thing (starts a shitload of stuff after you've logged in), in addition to a much slower boot time. And all services in Windows XP do start before the login. That's the whole point with services as opposed to stuff in Autorun.
Beware: In C++, your friends can see your privates!