Evaluating Windows XP Service Pack 2 RC2
dncsky1530 writes "Information Week has a good evaluation of Windows XP SP2, excerpt: "The code for release candidate 2 finally looks like a real release candidate. And sure enough, it will help you big-time with security. But what sorts of headaches will the eventual final version mean for IT shops? We'll take it piece by piece... Remember when Microsoft said service packs wouldn't deliver any new functionality? That lasted for about six months back in 1997. Windows XP Service Pack 2 is jammed-packed with both invisible and visible improvements to Windows XP. The biggest boon is that the free update, which will probably ship some time in September, does in fact make Windows XP far more secure""
Mainstream Web sites that employ unsigned ActiveX applets, downloads, pop-up windows, browser helper objects, and other code- or scripting-based functions may encounter difficulty with SP2 version IE 6. Most of these activities are prevented by default, and until thousands of Web sites and Web-based applications are upgraded to more gracefully deal with the new IE's many security precautions, a lot of Web stuff is going to be broken--or, at least, temporarily halted.
While a lot of people here are going to say, "wow, everyone is going to go to Mozilla/FireFox." I have serious doubts that we will see that. All we are going to see is a bunch of broken websites and people complaining. The solution is going to be to turn off the default security options and go back to browsing like they did before.
Microsoft just isn't that interested in upgrading Internet Explorer's feature set. As a result, it's unlikely we'll see tabbed browsing before Longhorn, and it's not even guaranteed for that release. No wonder so many people are jumping ship for Mozilla Firefox and Opera.
Nah, I really doubt that the single reason people are moving to Mozilla FF and Opera is for tabbed browsing. I surf daily and probably at greater lengths than the average person and I don't find tabbed browsing to be my #1 concern.
I found it particularly interesting that the "Windows Security Center (WSC)" didn't detect NAV or ZA for virus or firewall... While they assured the author that they would be detected by the time that XP SP2 comes out I just have to wonder why MS would force them to rewrite their software to work w/WSC. If MS was so concerned w/third parties being able to protect Windows users you would think that they would work with the companies to get it to work, not the other way around.
Microsoft also is working on the 5.0 version of Windows Update, its Windows-updating Web site, which handles a lot more than just critical updates. It's primarily a user-interface update, but one of the underlying improvements is that you'll no longer be required to restart your computer so often after applying updates.
Honestly, most of my most recent XP updates have been installed without a restart. It's really not a huge deal to *ME* and I am sure it's not a huge deal to most other non-technical users as they probably restart their computer almost daily because of various unknown reasons.
All in all, I look forward to it but I wonder how many will install it. Will it make a difference when it comes out? Will 100% of the XP users out there upgrade and stop the vulnerabilities from spreading? I doubt it. We are going to suffer through this same shit because Windows users aren't the smartest bunch out there.
Amen to that! I work at a computer shop and 90% of the repairs we do end with us giving a lecture about spyware... Our record is 1300 infected spyware files.
-Will
It's great that Microsoft is trying to make Windows more secure... but that's what they've been trying to do for a while, and it seems like a new exploit comes out every day that will allow people to do nasty things to your computer... although this is a step in the right direction, how many steps in the right direction does Windows need to become reasonably secure? But don't get me wrong, I think it's great that they are trying to improve their security, and I commend them for at least putting in the effort, I am just wondering whether or not it will be enough... just my two cents
You actually worry about cleaning it? I just recommend reformatting :p. It's got 2 big advantages:
1) It's easier to do (even if it takes longer there's no guesswork/trudging through the registry)
2) It tends to be such a big deal for the relative (backing up etc) that I tend to get asked less :).
Then again, doesn't Adaware do a good enough job as it is?
Oh well. It's a step in the right direction. These rollouts are planned and hardening XP, and protecting the vast majority of n00bs around the world. Outlook Express attachment management, ActiveX control panel, etc.
For people crying about enterprise application dependency, etc. Piss off, you get paid to work out these bugs. If you're going to cry every single time you've had a "problem" at work, give your job to Kumar or Arvin. I'm sure they'll be more than happy to do your job, at half the price.
You are not the only one with a test network. I once updated my system and then the enterpriseware suddenly quit working. On all the production systems. Boss was angry. I spent the whole night regressing the software until I realized that the software was incompatible with the ICF in WinXP. I announced that to the company's CS and they updated their website Knowledge Base with that tidbit.
From then on, I ran all upgrades through a three system network with one masquerading as the "server". In addition to software status, all configuration data is recorded as well. I wonder if I'm violating my licensing agreement this way. Oh, well.
A NYC lawyer blogs. http://www.chuangblog.com/
I do wonder though if there might be any money to be made by MSFT shipping RC2 on a disk and charging you say $1.00, postage included... What am I saying... I'm sure if there's money to be made, they'll do it.
Nothing great was ever achieved without enthusiasm
Out of curiosity, what stops the malware/spyware from clicking the "Yes, let this program access the Internet." button when it pops up? If you have to type a password, what stops it from waiting until you type it for another program, sniffing it, then typing it in automatically when it tries to run?
You got that wrong. XP's firewall blocks programs from listening on ports--incoming traffic. XP SP2 does not block outgoing traffic, for example a web browser that establishes an outgoing TCP connection will get through just fine, no special configuration required. There is no special whitelist entry for IE, as you'll notice that Firefox or Opera get through fine as well.
ZoneAlarm does much more in that it can block outgoing traffic on a program-by-program basis. But ZoneAlarm also asks questions that are impossible for most users to answer without a course in Windows XP internals, like "Do you want to allow SVCHOST.EXE to access the Internet?" I can see why Microsoft decided to leave this functionality out.
The best outcome would be if programs like ZoneAlarm coordinate their work with the built-in firewall and extend its functionality. I don't think they are in danger of becoming obsolete. Similarly, Windows has bundled a defragger since Win95 but that hasn't stopped a half-dozen companies from writing better ones.
Personally I think bugfix/security update CDs should be sent as free "under warranty repairs".
Sure, they can do that but that's the long way around if it has admin privileges on the box already. Instead they can just add themselves to the whitelist using the Windows Firewall API, or they can infect a program that already has access. It depends on how stealthy they want to be.
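A defender's check for the whitelist tampering described in the comment above, as an added example that is not part of the original thread: it reviews firewall exception entries and flags enabled ones that sit outside expected directories or use an unapproved name under system32. The `path:scope:state:name` entry form, the trusted directories, the approved-binary set and all sample entries are assumptions constructed for illustration.

```python
import ntpath
from typing import Dict, List, NamedTuple

# Constructed sample entries (not from the thread), in the
# "path:scope:state:name" form of the XP SP2 firewall exceptions list.
SAMPLE_ENTRIES = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
    r"%windir%\system32\sessmgr.exe:LocalSubNet:Enabled:Remote Assistance",
    r"C:\Documents and Settings\joe\Local Settings\Temp\upd32.exe:*:Enabled:Update Helper",
    r"C:\WINDOWS\system32\svch0st.exe:*:Enabled:svchost",
    r"C:\Program Files\OldTool\tool.exe:*:Disabled:OldTool",
]

# Assumed site policy: where allowed programs may live, and which
# system32 binaries an administrator has approved (hypothetical values).
SYSTEM_DIRS = ("%windir%\\system32\\", "c:\\windows\\system32\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\",)
APPROVED_SYSTEM32 = {"sessmgr.exe", "svchost.exe"}

class Entry(NamedTuple):
    path: str
    scope: str
    enabled: bool
    name: str

def parse_entry(raw: str) -> Entry:
    # Split from the right so the drive-letter colon stays in the path.
    # Assumes the display name itself contains no colon.
    path, scope, state, name = raw.rsplit(":", 3)
    return Entry(path, scope, state.lower() == "enabled", name)

def review(entry: Entry) -> List[str]:
    """Return the reasons an enabled exception deserves a second look."""
    if not entry.enabled:
        return []
    reasons = []
    path = entry.path.lower()
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("executable outside trusted directories")
    elif path.startswith(SYSTEM_DIRS) and ntpath.basename(path) not in APPROVED_SYSTEM32:
        reasons.append("unapproved binary name in system32")
    if reasons and entry.scope == "*":
        reasons.append("reachable from any address")
    return reasons

def audit(raw_entries: List[str]) -> Dict[str, List[str]]:
    reviewed = ((e.path, review(e)) for e in map(parse_entry, raw_entries))
    return {path: reasons for path, reasons in reviewed if reasons}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_ENTRIES).items():
        print(path, "->", "; ".join(reasons))
```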
In the middle of typing something? Just hit enter right at the moment that the reboot reminder box pops up? Tough - you're rebooting whether you like it or not! Poor poor POOR UI design there, Bill...
This happens quite often with Windows. Not just in this case, or with dialogue boxes, but just generally with windows containing an error message. I'm not that excited about a task completing or a page not being found that I'm interested in stopping writing my email or entering a URL or whatever to click on an OK on a box with no other options. Is there a registry setting anywhere for Windows as a whole - something to the effect of a `Take focus away from user to report an error` boolean or something? Do other operating systems handle this problem another way?
There is a very important change to version five of Windows update. If you have a corporate product key it compares it to Microsoft's list of keys that have been sold. It won't let you update without a valid key. It makes the key generator worthless, and will create a black market in legitimate corporate keys.
The service pack itself doesn't seem to care, and there will still be other methods like Windows update catalog, but they are closing the big loophole.
Havoc Penington, the bane of my Linux desktop.
On the other hand, it could be the death knell for many kinds of easy exploit beloved of script kiddies everywhere. The same script kiddies that hang out extensively on IRC and haven't a clue how to root a box without a point and click tool to do it for them. If you were in their boat, wouldn't you be telling anyone who would listen that it sucks and not to install it? I mean, they might, like, actually have to *learn* how to hack a box themselves or find some other way of pissing in the pool... And we all know how the clueless noobs like to spread bogus security information and click on the nice patch that total stranger sent with the information.
UNIX? They're not even circumcised! Savages!
The features that will cause the most headaches are the component protections in IE and the firewall. I recommend highly that this be tested thoroughly ahead of time, and managed centrally from AD so this does not have to be tuned individually at each end-user system. System policies can be applied across the network so that the common apps in use can be automatically allowed through the firewall and any required ActiveX type controls can be pre-authorized for use. This can even be done for each OU if the apps in use are that different between departments.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
I'm one of a handful of people in my company who are even aware of OSS, Linux, and the like. My boss (System Administrator of my building) is afraid of anything that doesn't have Bill's seal of approval. But when my boss saw how much more efficiently I could research something on the web using tabbed browsing, and the built-in (customizable) search bar, he did a double-take. He installed it and started using it about 25% of the time. After the CERT warning came out, he dumped IE and issued a warning to the building that they need to be using Opera, Firefox or similar non-MS browser.
While I have yet to see anyone complain about it, I can easily imagine the reason for all the complaints.
Aside from the annoyance that the update on IE brings (*), the firewall activated by default will give a lot of headaches with the DCC transfers. Since a lot of users on IRC use those on a regular basis, and since 99% of 'em have absolutely no idea as to how a firewall works, what a "port" is, or how to configure it, they'll be complaining about it night and day 'till someone finally explains to them how to solve their problems.
(*) The fact that it is useful as well as necessary will NOT distract any users from what they will believe to be its new main "feature": BEING ANNOYING.
I am a speak english. Do you not? - Saroto
I hit 3000 on a computer in the computer lab at the high school I work at.
X(7): A program for managing terminal windows. See also screen(1).
Umm, no.
My point was that this is an abnormal IRC channel, where most of the users know little more than the Average Joe. If THEY don't like the service pack, then Joe User isn't going to either.
Unfortunately you are totally wrong about poor UI design.
When an unasked-for popup comes up the first reaction of the average user is to get rid of it. There are statistics which prove that 75% of all users will hit enter to any dialog box without reading it in your average run-of-the-mill office.
Don't take this lightly. This is the very reason for most of the problems we have in the internet today. Norton antivirus used to default to "read anyways" when it detected an email virus.
This was realized by Microsoft a while ago and now all dialog boxes default to the secure option instead of the least intrusive. Since Windows only wants you to restart if it couldn't apply the patch to the machine during installation (e.g. applications which were to be patched were running / files were in use) it makes perfect sense to default to reboot. If there is a big exploit in IE it needs to be fixed as fast as possible. Who really turns off their PC nowadays? Even after receiving the patch you might run your unpatched IE for a week.
I don't think it will kill the product.
Up to now, Windows XP tried to kill many products with "features" (Zip processing, CD burner program, Theme manager and windows decorator, ...) and the programs that were doing it (WinZip/..., Nero/EasyCD/..., Windows Blind) are still having good sales.
So I don't think people trusting ZoneLabs and their software, as well as Norton and other products will stop using them. Fidelity to a company when a user trusts it is strong.
Of Code And Men
Gosh, you mean that Microsoft's past is no indicator of current or future offerings? You are right about reading the article though. When we do, we see each of your points proved in detail. I'll take the trouble to pick through the five individual advert burdened pages for you. Let's watch!
Looks like more of the same from M$ to me. More heartache with no real result or benefit for the end user.
Friends don't help friends install M$ junk.
"Out of curiosity, what stops the malware/spyware from clicking the "Yes, let this program access the Internet." button when it pops up?"
Nothing whatsoever. It's a security problem inherent to ANY software firewall.
I wrote a little trojan a while back, and I knew that the guy I wanted to send it to was using zonealarm. I just grabbed that version of ZA, used Spy++ to find the right hWnds for the "Accept" and "Always repeat this choice" buttons, sent it a WM_CLICK event, and ZA was worthless.
From a design standpoint this is just flat-out stupid:
It's designed to check whether an antivirus program is installed, whether that program is running, and whether it's updated with the latest antivirus definitions. When any of the security checks for antivirus, firewall, or critical Windows updates aren't met, Windows Security Center alerts you with system tray pop-up notifications that open the large WSC Control Panel
How long before proper functionality with a core OS component is leveraged against vendors? From a business standpoint it's pretty shrewd. But from the OS design standpoint it's flat out stupid. The OS provides a platform for userspace apps. The OS is not supposed to wrap around userspace apps.
"You don't have MS approved anti-virus checker installed. Please enter a credit card number for the $129.95 fee, the $39.95 yearly maintenance agreement, or we will disable your Windows update key within 2 days."
+++ATHZ 99:5:80
To add to this, quoting from TFA:
Even so, Windows Firewall's intrusion prevention and outbound monitoring are not as robust as those of some other firewalls. In RC2, Windows Firewall also has a tendency to turn itself on after system updates, system restores, or in conjunction with the Windows Security Center
(emphasis added)
What kind of bullshit is that? I can't wait to have to manage thirty users of THAT!
I've not seen it mentioned anywhere, so maybe it's just a drive incompatibility issue, but when I installed SP2 RC1, I could no longer play DVDs - I would receive an error telling me that the TV OUT on my card must be disabled first.
I rolled back to SP1 and bingo, everything would play fine again.
You might try RC2. I had the same problem with my Intel VPN client. Works fine under RC2 though.
That's not just annoying; it's also a security hole. All a malicious site has to do to own your system is convince you to type a word containing the letter 'y' and try to install software when you type the previous letter.
The shareholder is always right.
He ain't going to answer, 'cause it is probably just a troll. No one just gets through a firewall, unless there is a huge flaw in it.
I think it is kind of a good thing, it is making inroads for open source products by showing all the preplanned back doors
into the OS that are wide open
Bill meant it to be used for businesses to track customers, etc etc
Motivation being greed, but it has been perverted like a lot of
other back doors and has become an anathema
Talk about shooting yourself in the foot
My standard practice is now, to remove all I can with Adaware,
Spybot, and manual removal
reboot, go another round with it
After google searches, registry searches, and looking at active
processes and using a live registry trace tool, I get it all
removed EVENTUALLY
It does take longer on some machines than a reinstall which is sad.
After I do all of this I essentially remove EVERY link to IE and
tie all automatic browsers launches to Mozilla
Then I tell them to never ever use IE again as long as they live
After the hours of weeding thru the muck they respect my wishes
M$ has shot itself on the foot with all these spyware/malware/adware
back door holes and all they are doing is promoting open source
God Bless Them !!! LOL
Peace,
Ex-MislTech
google "32 trillion offshore needs IRS attention"