Evaluating Windows XP Service Pack 2 RC2
dncsky1530 writes "Information Week has a good evaluation of Windows XP SP2, excerpt: "The code for release candidate 2 finally looks like a real release candidate. And sure enough, it will help you big-time with security. But what sorts of headaches will the eventual final version mean for IT shops? We'll take it piece by piece... Remember when Microsoft said service packs wouldn't deliver any new functionality? That lasted for about six months back in 1997. Windows XP Service Pack 2 is jammed-packed with both invisible and visible improvements to Windows XP. The biggest boon is that the free update, which will probably ship some time in September, does in fact make Windows XP far more secure""
Unfortunately, it doesn't really do a lot to protect against spyware. It's mostly a pretty front end to remind you to a) install a virus checker, b) install a firewall (or enable the default Windows firewall - and given the Microsoft security track record, who in their right mind would rely on that?!) and c) reboot your machine after you've installed an update. This last reminder is particularly annoying as it pops up from the system tray approximately every 10 minutes, with the default dialog option set to reboot. In the middle of typing something? Just hit enter right at the moment that the reboot reminder box pops up? Tough - you're rebooting whether you like it or not! Poor poor POOR UI design there, Bill...
Sunday you're Thinking Different, Monday you're a huge tool, paying too much and waiting to think like everyone else.
It does checking on pre-allowed programs. I used a beta version of the PC Satisfaction Trial which the code from this SP is based on. When I upgraded MSN Messenger it saw it as a different program and asked if I wanted to allow it. I realize there may be still some gaps in this, but isn't quite as bad as it might seem.
Hoyty
Three things strike me about the release:
1. The firewall's on by default. This is a huge shift for Microsoft and I am glad to see it happen. This alone will stop a ton of worm infections.
2. Browser security. From what I can tell, these enhancements are going to go a long way toward stopping the problems that CERT and everyone have been complaining about.
3. Email security. OE is getting hardened in a way similar to IE, and this also is a very much welcomed move.
Between worm propagation and the two most common ways for a user to infect themselves, if they were to even modestly improve in all three of these areas it would make a significant impact on the security posture of people running the update.
I applaud them in advance for even trying.
dmiessler.com -- grep understanding knowledge
Tabbed browsing was actually one of the main reasons I stuck with mozilla (first used it on Windows pre 1.0 - probably the early 0.9 versions).
Security concerns, standards support and so on only entered the equation later as I learned of them. IE soon found itself blocked at the firewall. Any operations that required IE just didn't happen.
Funnily enough, mozilla was a catalyst in my eventual adoption of Linux. A simple comparison of the quality of proprietary, closed software and open, Free software.
But what started it all was how impressed I was with tabbed browsing - I usually consume sites like the inquirer and
If you paid $300 retail or even the $40 or so from an oem, you should be entitled to a free update CD with no shipping cost.
Hmm, like this free CD available directly from Microsoft? You don't even need to show a proof of purchase.
Javascript, PDF and Flash all work like a charm in Firefox. About the only reason I or any of my friends revert back to IE is to run Windows Update.
Also, IE and Netscape/Mozilla/Firefox usually detect when a plugin is needed and tell you to click to install it. And, in most cases, the plugin functionality is immediately available, without restarting the browser. What more do you need than that?
Pain is merely failure leaving the body
Your question should be answered here: Windows XP Service Pack 2: A Developer's View.
Et cetera.
If this wasn't an anti-Windows rant it would be modded as an obvious troll by now.
To have a right to do a thing is not at all the same as to be right in doing it
At last check, that functionality is present. There is a "never trust" option in a drop-down on the ActiveX plugin download dialog box. Although most (unsigned?) BHOs and plugins are already silently blocked.
Did you miss the previous month's worth of Internet Explorer trojans and malware? No firewall will stop a drive-by installation via an unpatched Internet Explorer hole.
I ask this really simple question: Ma or Pa sees a pop-up that says 'this' program would like to access the internet, allow or deny. How many people are just going to say Allow to be done with the dialog? I have put a firewall on my XP box, for my niece, and she got sick and tired of all the pop-ups that came up. I got tired of always going over and looking to see if they were ok. In the 3 weeks of running the firewall, I never saw anything that was bad; I removed it. I bet most people will do the same thing. Now before anyone says anything, I am very strict on the XP box, no email, and I am behind a hardware firewall and with the latest monster hole I.E. is now replaced with FireFox. So I know I am a little safer. Also the trojan writers will just get better at naming their programs so the firewalls show some program that the user expects to access the internet. I mean they just could change the process table to always say I.E. So I think most people will turn off the firewall within 2 months. I don't think Microsoft turning on the firewall and hoping that will help stop the spread of viruses, trojans and other nasty things is going to help. To me they have a very bad security model in their product and I don't believe they can fix them without breaking most of the applications out there. They have invented an OS that is designed around one application (Virus) gaining control of another application and modifying it.
2. v5.windowsupdate.microsoft.com is the new windows update and I personally think it sucks. You have to have two services running (Automatic Updates & Background Intelligent Transfer Service) which I had turned off as unnecessary. Oh and Automatic Updates doesn't just need to be running, it needs to be set to Automatic, you can't just turn it on and off manually. My biggest problem is that they don't show you what you're installing by default! They hide it away behind small print that says "Details" with an inverted ^ to its left. Right below that is a nice wide button that says "download and install now". v5 looks prettier, but once again, MS is trying to hide the details away from you. Under v4 I have 13 not-so-critical updates that aren't installed because I bothered to browse through and see what I was getting into.
but that's all just me
[Fuck Beta]
o0t!
Absolutely. TweakUI used to allow turning on 'don't move focus', but I'm not sure where the associated registry key is located.
In addition to the issues already raised by other posters, there is another problem that the article does allude to but doesn't explain: The firewall keeps turning itself on!
I have run SP2 since the first release candidate. I don't use the Windows firewall since I already have hardware + software firewalls. XP SP2 detects the software firewall correctly (McAfee). But at least once every other day Windows turns on the damn XP SP2 firewall. It's a pain in the ass and the real problem is that you don't know it's on. You only realize it's turned itself back on when it announces that it has blocked a connection.
Repeat after me, "I WILL NOT TRUST MS SOFTWARE FOR SECURITY."
Now go and keep your 3rd party hardware firewall + 3rd party software firewall (on EVERY box, of course) up and running.
HARDWARE:
- Cheap Linksys box: Ugg but better than nothing.
- Cheap Netgear box: Better.
- Expensive Netgear box: Very nice IMO, around $300 USD with 802.11g too.
- *BSD Box you build yourself: Awesome, but too geeky, if you have life+job and want something to plug in and forget, buy a firewall appliance.
- Very Expensive Cisco/Bay Networks: The one you stole from the NOC on your last job as any good BOFH would do: Best.
SOFTWARE:
- Free Zone Alarm: Ugg but better than nothing.
- Sygate Personal Firewall Pro: VERY VERY nice IMO around $50
- *BSD/*nix s/w: Also very geeky, better know your shit or else. Stick with vendor stuff to mostly install and forget.
This is Adobe's fault; the PDF Netscape plugin sucks in ways that the PDF ActiveX control does not.
Best way around it? Stop Firefox's plugin infrastructure from handling .PDF, and open PDF files in the real Acrobat Reader instead. Tools/Options/Downloads/Plug-Ins, uncheck PDF. Then when you next click on a PDF file, you'll get a box from which you can select to open directly with Acrobat or save to disk. Choose whichever you prefer.
It still does. It's under General>Focus.
I'm sure you're counting the cookies. They're not really spyware, and unless you turn cookies off you're likely to have a few from Doubleclick.
Gamingmuseum.com: Give your 3D accelerator a rest.
Most of us don't really need persistent cookies anyway, since there are probably more sites that abuse the system than otherwise.
Of course, if you're running IE you're on your own, and deserve to be. :-D
Ummm, if TweakUI can change the setting, it means there MUST be a registry setting for it.
In this case it's:
HKEY_CURRENT_USER\Control Panel\desktop\ForegroundLockTimeout
The value, in milliseconds, is the amount of time after any user input which programs will not be allowed to steal focus for.
In fact with Windows 2000 and later it's set to 20000, which means that programs cannot steal the focus while you are using the computer.
XP SP2 is still annoying. The reboot reminders don't actually pop up in front, so hitting enter at the wrong time won't cause you to accidentally reboot. However since they keep popping up in the background, sooner or later you will see the message and click the default button before even realising that it's "reboot" and not "bugger off".
I decided to try out SP2 RC2 on my computer, boy... was that a mistake
Here's the hardware I have to give you a heads up... AMD 3200+, DFI NFII Ultra Infinity Motherboard (nForce 2 chipset) nVidia FX 5700, 1GB RAM, DVD+-RW, and 2 hard drives....
Here's what happened...
After removing SP2 RC2... everything works fine....
DarkMantle I been bored, so I started a blog.
On my Windows (corp -usual story), you can install the SP2 fine. Afterwards, however, windowsupdate will not work. I guess that means they've done enough to XP to make it secure enough to be left alone...
TweakUI
My biggest problem with SP2 is that it is incompatible with the Cisco VPN Client. I need to use that to work from home or the road, and as such it was impossible for me to do work when I installed SP2RC1. Until Microsoft and Cisco work that out, I don't think many of the laptops and tablets at my workplace will get this update.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
If they do such a poor job as Netscape did, then fair enough... Let's not make Netscape out to be some sort of betrayed jesus or something. Netscape made crappy software, and they lost out because of that single fact.
> Where do I find General? Is this under Settings,
> control panel, the registry, and app..? Throw me
> a bone here!
You need to run TweakUI, it is listed in there. If you don't have TweakUI for WinXP get it here... http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
Here where I work, they use Outlook, and until I turned it off, it had a default setting to bring up a notification box when a new email came in. It was "You have new mail. Would you like to read it now?" YES | NO
YES was the highlighted box, of course, so a space bar would bring up the new message instead of the email I was typing. The time I remember, though, was when I was typing, and I saw it flash on the screen for a split second and disappear. I looked at where I had just been typing and it had stolen the "n" out of one of my words to answer that dialog box.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
I have the new keygen and it works with sp2+wu-v5.
It's only in Beta, so be warned. Don't upgrade a critical machine. http://v5.windowsupdate.microsoft.com/ to upgrade a windows box (remember to go there in IE)
Nothing great was ever achieved without enthusiasm
"Unfortunately, it doesn't really do a lot to protect against spyware."
Are you kidding!!!!
XP SP2 ELIMINATES drive-by downloads. IE is set, by default, NOT to prompt to install ActiveX controls (e.g. Gator). Instead, it pops up a little bar at the top of the screen. It now takes three clicks and a much improved security dialog to install spyware.
"This last reminder is particularly annoying as it pops up from the system tray approximately every 10 minutes, with the default dialog option set to reboot."
Of course it is annoying! It's supposed to be annoying! The patch isn't applied until you reboot, so it is essential that you reboot *as soon as is reasonably possible*.
"or enable the default Windows firewall - and given the Microsoft security track record, who in their right mind would rely on that?"
The Windows Firewall has proven to be as effective as any hardware firewall. It does not, however, block outgoing traffic.
Oh, and SP2 isn't just a "front end". It is a new version of IE which is immune to all of the IE holes posted on securityfocus. It is a new security-zones system which should eliminate nearly all cross-zone flaws (currently the #1 security flaw in IE). It is an IE with a popup-blocker. It is an IE that prevents drive-by downloads. It is an IE that warns users when they are about to download a dangerous file. It is an Outlook Express that prevents users from opening dangerous attachments or from being subjected to spam "bugs". It is a service pack that takes advantage of no-execute (on AMD64 CPUs) to prevent buffer-overruns from becoming security holes. It is a service pack that includes recompiled versions of system DLLs - versions compiled with a compiler that is designed to eliminate most buffer overruns.
XP SP2 is the single largest update to (consumer) Windows since the introduction of Windows XP. It is not just a "front-end".
How come I have XP SP2 RC2 build 2149 running in VMware with a 640 key made by the old keygen and tested by XPKeyID? People have known about this 640 thing since at least June of 2002 (before SP1 even). That is when XPKeyID was released, for the purpose of checking Blue List keys for a 640 PID. With the old XPKey, you needed to make up to 200 keys by odds to find a working 640. (Only half of the keys worked and only 1% had a 640 PID.) After 2 cycles checking 999 keys, I got lucky and hit a 640 key. All in a night's work, running 2 threads of the program at once.
Now there's a new keygen called MSKey4in1.exe (or zip or rar). Just Google it. If there are no hits, try "Windows 4in1" and look for sites in Chinese. MSKey4in1 generates 640 keys by default. You can select the PID range or an exact PID for Windows XP and Office XP. It also works for Windows 2003 Server, but you can't set the PID. (Probably due to recent changes in the algorithm.) Using a 640 key on a Retail copy of Office XP converts it to volume licensing - no activation, it will say it has already been activated.
And no, there is no master list of VLKs contained in XP SP2. If there was, the crackers would just decode that list (Microsoft's private keys for XP have already been cracked, for those here who are paying attention.) It's doubtful if they check it for Volume License customers - only retail & OEM needs to be activated. Also, you can prevent that information being sent using certain tools which make Microsoft think it's already been sent.
The crackers are always several steps ahead of M$ and other companies. Those steps can be measured in weeks, months, or years. Zero-day hacks are a best-case scenario. Only a company of one person could ever prevent their code from leaking like a sieve and being cracked and keygened to hell.
Share or Be Shared.