Slashdot Mirror
Evaluating Windows XP Service Pack 2 RC2
dncsky1530 writes "Information Week has a good evaluation of Windows XP SP2, excerpt: "The code for release candidate 2 finally looks like a real release candidate. And sure enough, it will help you big-time with security. But what sorts of headaches will the eventual final version mean for IT shops? We'll take it piece by piece... Remember when Microsoft said service packs wouldn't deliver any new functionality? That lasted for about six months back in 1997. Windows XP Service Pack 2 is jammed-packed with both invisible and visible improvements to Windows XP. The biggest boon is that the free update, which will probably ship some time in September, does in fact make Windows XP far more secure""
But there's been quite a bit of reporting that there will be compatibility problems because of the security enhancements. Nonetheless, I'm looking forward to spending less time cleaning up spyware infections on relatives' machines.
Mainstream Web sites that employ unsigned ActiveX applets, downloads, pop-up windows, browser helper objects, and other code- or scripting-based functions may encounter difficulty with SP2 version IE 6. Most of these activities are prevented by default, and until thousands of Web sites and Web-based applications are upgraded to more gracefully deal with the new IE's many security precautions, a lot of Web stuff is going to be broken--or, at least, temporarily halted.
While a lot of people here are going to say, "wow, everyone is going to go to Mozilla/FireFox." I have serious doubts that we will see that. All we are going to see is a bunch of broken websites and people complaining. The solution is going to be to turn off the default security options and go back to browsing like they did before.
Microsoft just isn't that interested in upgrading Internet Explorer's feature set. As a result, it's unlikely we'll see tabbed browsing before Longhorn, and it's not even guaranteed for that release. No wonder so many people are jumping ship for Mozilla Firefox and Opera.
Nah, I really doubt that the single reason people are moving to Mozilla FF and Opera are for tabbed browsing. I surf daily and probably at greater lengths than the average person and I don't find tabbed browsing to be my #1 concern.
I found it particularly interesting that the "Windows Security Center (WSC)" didn't detect NAV or ZA for virus or firewall... While they assured the author that they would be detected by the time that XP SP2 comes out I just have to wonder why MS would force them to rewrite their software to work w/WSC. If MS was so concerned w/third parties being able to protect Windows users you would think that they would work with the companies to get it to work, not the other way around.
Microsoft also is working on the 5.0 version of Windows Update, its Windows-updating Web site, which handles a lot more than just critical updates. It's primarily a user-interface update, but one of the underlying improvements is that you'll no longer be required to restart your computer so often after applying updates.
Honestly, most of my most recent XP updates have been installed without a restart. It's really not a huge deal to *ME* and I am sure it's not a huge deal to most other non-technical users as they probably restart their computer almost daily because of various unknown reasons.
All in all, I look forward to it but I wonder how many will install it. Will it make a difference when it comes out? Will 100% of the XP users out there upgrade and stop the vunerabilities from spreading? I doubt it. We are going to suffer through this same shit because Windows users aren't the smartest bunch out there.
So are we now supposed to congratulate the wealthiest company ever for doing what it should have been doing far better for a while longer and a lot cheaper?
its great that microsoft is trying to make windows more secure... but that's what they've been trying to do for a while, and it seems like a new exploit comes out every day that will allow people to do nasty things to your computer... although this is a step in the right direction, how many steps in the right direction does windows need to become reasonably secure? but don't get me wrong, I think it's great that they are trying to improve their security, and I commend them for at least putting in the effort, I am just wondering whether or not it will be enough... just my two cents
Alas, I'll install this on my little test network before rolling it out throughout the hospital. I gotta feeling that this update is not going to be quite as smooth as the recent few.
Am I the only one that has a little series of computers that I roll out updates before I roll them out enterprise-wide? I know some people have a test system... but for my network (and the sake of the hospital's uptime) I have a small testing network.
I must check for companies that are now posting jobs asking for two years experience in WinXP SP 2. (It goes nicely with the five years .NET experience.)
You actually worry about cleaning it? I just recommend reformatting :p. It's got 2 big advantages:
:).
1) It's easier to do (even if it takes longer there's no guesswork/trudging through the registery)
2) It tends to be such a big deal for the relative (backing up etc) that I tend to get asked less
Then again, doesn't Adaware do a good enough job as it is?
My problem with this is that it didn't ask me to autheticate IE, or other MSFT services. While I agree that this is better for Joe User, and does indeed make the average computer *somewhat* less vulnerable to becoming zombies I actually think that overall it compromises security, because it has the idea of "pre-trusted" programs. So now all a malware has to do to succeed is become trusted, and then it's BEYOND reproof? I'm not sure that that is exactly how this new system works, but more than anything I'm disputing the notion that this is a panacea.
I'm also concerned about companies that make firewall type products. Are they done? Is MSFT going to claim to have all that functionality in the OS? A FALSE sense of security is worse than being unsure. I'd rather people lock down their machines themselves rather than assuming that MSFT has done it for them.
Still, I do think that this is better than nothing.
Nothing great was ever achieved without enthusiasm
This is only good for those with broadband. No one on a modem is going to download this. Service packs are great until you factor in the time to download and install. People who were too lazy to update once a week aren't going to install this service pack for the same reason. Windows, if you patch and use antivirus and a hardware firewall, can be pretty stable and secure. However, without all that you're asking for trouble. I still think the majority of problems stem from ignorant users, not the horribly evil company itself. And why do they charge for mailing these service pack CDs? If you paid $300 retail or even the $40 or so from an oem, you should be entitled to a free update CD with no shipping cost. If AOL can afford to send out millions of those discs, Microsoft can do the same. Hell, they already do it for MSN.
All in all, I look forward to it but I wonder how many will install it. Will it make a difference when it comes out?
Corporate users, at the very least, will install it in droves. The article author said it himself: for businesses, the decision of whether or not to install it "should be a no-brainer":
No matter how annoying or substantively lacking in any real advantage other than increased security, there should be no debate in business or home circles about whether this one should be installed. Just do it. We have enough computer security problems without people getting stubborn about whether this upgrade takes away some of their computer liberties. It really doesn't.
The coolest voice ever.
I do all development and most of my day to day work on linux, I play games on my windows laptop just so all you flamers know I do use both.
Anyway is linux or mozilla more secure? YES.
Why is it more secure? Open Source means better peer review.
Are the "margins" of security between windows and linux really so large? I would have to say NO.
Why you say? The machines being hacked and sending out 80% of the spam in the world are home machines, Why? In general the average user fails to keep there machine up to date, opens up email attachments, or does some other stupid action that causes there pc to get infected. This makes home machines open to direct attack. If a majority of the home machines where linux then you would hear more about linux worms and viruses.
Now due to the way linux is they may not be as bad, patches may be releases faster but with the worlds virus and script kiddies focusing on linux instead of windows there would be problems.
Linux users try to place themselves in such high praise, But they can't, You can't praise yourself until you have truly been subject to the same level of attack and focus as windows.
Personal Website
You are not the only one with a test network. I once updated my system and then the enterpriseware suddenly quit working. On all the production systems. Boss was angry. I spent the whole night regressing the software until I realized that the software was incompatible with the ICF in WinXP. I announced that to the company's CS and they updated their website Knowledge Base with that tidbit.
From then on, I ran all upgrades through a three system network with one masquerading as the "server". In addition to software status, all configuration data is recorded as well. I wonder if I'm violating my licensing agreement this way. Oh, well.
A NYC lawyer blogs. http://www.chuangblog.com/
Three things strike me about the release:
1. The firewall's on by default. This is a huge shift for Microsoft and I am glad to see it happen. This alone will stop a ton of worm infections.
2. Browser security. From what I can tell, these enhancements are going to go a long way toward stopping the problems that CERT and everyone have been complaining about.
3. Email security. OE is getting hardened in a way similar to IE, and this also is a very much welcomed move.
Between worm propogation and the two most common ways for a user to infect themselves, if they were to even modestly improve in all three of these areas it would make a significant impact on the security posture of people running the update.
I applaud them in advance for even trying.
dmiessler.com -- grep understanding knowledge
I don't know if you work in Corporate IT but I have heard here (and in my own personal experience) that Corporate users don't like upgrades.
As a matter of fact, I do work in corporate IT--I'm a sysadmin for a large telco. We dislike having to do upgrades, but we will do them, because we would rather disrupt operations for a little while rather than risk a longer disruption later down the road because we were obstinate about installing something.
The coolest voice ever.
We get paid to fix bugs, true enough. But when somebody else's lack of foresight makes our job so much harder do you expect us to just stand there and say "Thanks for giving me another job to do. That'll keep me busy till your next product comes out."?
If you really think that people are like that, I suggest you wander around with a bag full of rubbish until you find a street sweeper and scatter the bag around in fron of them. Then see if they thnk you profusely, or if the next thing you hear is your proctologist asking just how they fitted the entire broom head up there...
'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
Et cetera.
If this wasn't an anti-Windows rant it would be modded as an obvious troll by now.
To have a right to do a thing is not at all the same as to be right in doing it
There is a very important change to version five of Windows update. If you have a corporate product key it compares it to Microsoft's list of keys that have been sold. It won't let you update without a valid key. It makes the key generator worthless, and will create a black market in legitimate corporate keys.
The service pack itself doesn't seem to care, and there will still be other methods like Windows update catalog, but they are closing the big loophole.
Havoc Penington, the bane of my Linux desktop.
At last check, that functionality is present. There is a "never trust" option in a drop-down on the ActiveX plugin download dialog box. Although most (unsigned?) BHOs and plugins are already silently blocked.
On the otherhand, it could be the death knell for many kinds of easy exploit beloved of script kiddies everywhere. The same script kiddies that hang out extensively on IRC and haven't a clue how to root a box without a point and click tool to do it for them. If you were in their boat, wouldn't you be telling anyone who would listen that it sucks and not to install it? I mean, they might, like, actually have to *learn* how to hack a box themselves or find some other way of pissing in the pool... And we all know how the clueless noobs like to spread bogus security information and click on the nice patch that total stranger sent with the information.
UNIX? They're not even circumcised! Savages!
Except for the 99% of the population who doesn't know what the hell IRC is and has never heard a word of, or about, this "reaction".
2. v5.windowsupdate.microsoft.com is the new windows update and i personally think it sucks. You have to have two services running (Automatic Updates & Background Intelligent Transfer Service) which i had turned off as unnecessary. Oh and Automatic Updates doesn't just need to be running, it needs to be set to Automatic, you can't just turn it on and off manually. My biggest problem is that they don't show you what you're installing by default! They hide it away behind small print that says "Details" with an inverted ^ to its left. Right below that is a nice wide button that says "download and install now". v5 looks prettier, but once again, MS is trying to hide the details away from you. Under v4 i have 13 not-so-critical updates that aren't installed because i bothered to browse through and see what i was getting into.
but thats all just me
[Fuck Beta]
o0t!
I'm one of a handful of people in my company who are even aware of OSS, Linux, and the like. My boss (System Administrator of my building) is afraid of anything that doesn't have Bill's seal of approval. But when my boss saw how much more efficiently I could research something on the web using tabbed browsing, and the built-in (customizable) search bar, he did a double-take. He installed it and started using it about 25% of the time. After the CERT warning came out, he dumped IE and issued a warning to the building that they need to be using Opera, Firefox or similar non-MS browser.
While I have yet to see anyone complain about it, I can easily imagine the reason for all the complaints.
Aside, from the annoyance that the update on IE brings (*), the firewall activated by default will give alot of headaches with the DCC transfers. Since alot of users on IRC use those on a regular basis, and since 99% of'em have absolutely no idea as to how a firewall works, what a "port" is, or
how to configure it, they'll be complain' about it night and day 'till someone finally explains them how to solve their problems.
(*) The fact that it is usefull as well as necessary, will NOT distract any users from what they will believe to be its new main "feature": BEING ANNOYING.
I am a speak english. Do you not? - Saroto
In addition to the issues already raised by other posters, there is another problem that the article does allude to but doesn't explain: The firewall keeps turning itself on!
I have run SP2 since the first release candidate. I don't use the windows firewall since I already have hardware + software firewalls. XP SP2 detects the software firewall correctly (mcafee). But at least once every other day Windows turns on the damn XP SP2 firewall. It's a pain in the ass and the real problem is that you don't know it's on. You only realize it's turned itself back on when it announces that it has blocked a connection.
Umm, no.
My point was that this is an abnormal IRC channel, where most of the users know little more than the Average Joe. If THEY don't like the service pack, then Joe User isn't going to either.
Repeat after me, "I WILL NOT TRUST MS SOFTWARE FOR SECURITY."
Now go and keep your 3rd party hardware firewall + 3rd party software firewall (on EVERY box, of course) up and running.
HARDWARE:
- Cheap Linksys box: Ugg but better than nothing.
- Cheap Netgear box: Better.
- Expensive Nethear box: Very nice IMO, around $300 USD with 802.11g too.
- *BSD Box you build yourself: Awesome, but too geeky, if you have life+job and want somehting to plug in and forget, buy a firewall appliance.
- Very Expensive Cisco/Bay Networks: The one you stole from the NOC on your last job as any good BOFH would do: Best.
SOFTWARE
-Free Zone Alarm: Ugg but better than nothing.
-Sygate Personal Firewall Pro: VERY VERY nice IMO around $50
- *BSD/*nix s/w: Aso very geeky, better know your shit or else. Stick with vendor stuff to mostly install and forget.
The Mongrel Dogs Who Teach
I don't know about you but how does being a serious target for hackers, virus and word authors justify it as being "well engineered"? I would have thought that classified it as being poorly engineered??
It said "windows 98 or better" so I installed Linux
I'm surprised no one in this thread is talking about beta testing this on their network. I'm currently doing tests at my work, so that when SP2 does come out, we can do a 0-day rollout. This is a release candidate, meaning that if it's good, there won't be any changes.
For the vast majority of users, I don't think XP firewall is going to help. These are the same users how have 3000 adware/spyware items (my sister's record) on their machines. If they click yes to spyware/adware pop-ups, they'll probably just click allow on the dialogue boxes for XP firewall.
While a built-in firewall isn't a bad idea, it requires user education in order to be at all effective.
-- Political fascism requires a Fuhrer.
Gosh, you mean that Microsoft's past is no indicator of current or future offerings? You are right about reading the article though. When we do, we see each of your points proved in detail. I'll take the trouble to pick through the five individual advert burdened pages for you. Let's watch!
Looks like more of the same from M$ to me. More heartache with no real result or benefit for the end user.
Friends don't help friends install M$ junk.
All those people who b__ch and moan about getting Grandmother to use Linux must really love this one
"One of the best new features of SP2's Internet Explorer is the Add-On Manager, available from the Internet Control Panel's Programs tab. It gives you a way to enable, disable, and configure ActiveX controls, browser help objects, and browser extensions. The primary purpose of this tool is to provide a user interface for controlling things that have already been added to your Internet Explorer installation. When, for example, you have already said yes to an ActiveX program Information Bar query and later decide you don't want that program on your computer, the Add-On Manager is the tool that solves that problem."
Yeah... Grandma's gonna be thrilled to keep track of unsigned ActiveX controls, browser help objects, and browser extensions. I can see this being turned into an "ACCEPT ALL" policy real quick.
+++ATHZ 99:5:80
From a design standpoint this is just flat-out stupid:
It's designed to check whether an antivirus program is installed, whether that program is running, and whether it's updated with the latest antivirus definitions. When any of the security checks for antivirus, firewall, or critical Windows updates aren't met, Windows Security Center alerts you with system tray pop-up notifications that open the large WSC Control Panel
How long before proper functionality with a core OS component is leveraged against vendors? From a business standpoint it's pretty shrewd. But from the OS design standpoint it's flat out stupid. The OS provides a platform for userspace apps. The OS is not supposed to wrap around userspace apps.
"You don't have MS approved anti-virus checker installed. Please enter a credit card number for the $129.95 fee, the #39.95 yearly maintenance agreement, or we will disable your Windows update key within 2 days."
+++ATHZ 99:5:80
I decided to try out SP2 RC2 on my computer, boy... was that a mistake
Here's the hardware i have to give u a heads up... AMD 3200+, DFI NFII Ultra Infinity Motherboard (nForce 2 chipset) nVidia FX 5700, 1GB RAM, DVD+-RW, and 2 hard drives....
Here's what happened...
After removing SP2 RC2... everything works fine....
DarkMantle I been bored, so I started a blog.
On my Windows (corp -usual story), you can install the SP2 fine. Afterwards, however, windowsupdate will not work. I guess that means they've done enough to XP to make it secure enough to be left alone...
My biggest problem with SP2 is that it is incompatible with the Cisco VPN Client. I need to use that to work from home or the road, and as such it was impossible for me to do work when I installed SP2RC1. Until Microsoft and Cisco work that out, I don't think many of the laptops and tablets at my workplace will get this update.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
If they do such a poor job as Netscape did, then fair enough... Let's not make Netscape out to be some sort of betrayed jesus or something. Netscape made crappy software, and they lost out because of that single fact.
I think that's the only way we can start to generate some user-awareness to spyware. Every time a site tries to install any software or run a script with any elevated priveleges, the screen should go absolutely blank and stall for 2 seconds, then flash a giant VIRUS WARNING message in blinking red text, and sound a klaxon on the speakers. Then the "do you want to install?" message should appear in a size 6 font, followed by two buttons: A 5x5 pixel dark-gray (remember, the background is black) button for "Yes", and a 200x200 green button for "Yes". And maybe then people will hesitate to install spyware. I don't know how much good that will do either.
If it weren't for fog, the world would run at a really crappy framerate.
I've not seen it mentioned anywhere, so maybe it's just a drive incompatibility issue, but when I installed SP2 RC1, I could no longer play DVDs - I would receive an error telling me that the TV OUT on my card must be disabled first.
I rolled back to SP1 and bingo, everything would play fine again.
IT's only in Beta, so be warned. Don't upgrade a critical machine. http://v5.windowsupdate.microsoft.com/ to upgrade a windows box (remember to go there in IE)
Nothing great was ever achieved without enthusiasm
I think it is kind of a good thing, it is making inroads for .
.
.
.
.
.
.
.
.
.
.
open source products by showing all the preplanned back doors
into the OS that are wide open
Bill meant it to be used for businesses to track customers, etc etc
Motivation being greed, but it has been perverted like alot of
other back doors and has become an anethma
Talk about shooting yourself in the foot
My standard practice is now, to remove all I can with Adaware,
Spybot, and manually removal
reboot, go another round with it
After google searches, registry searches, and looking at active
processes and using a live registry trace tool, I get it all
removed EVENTUALLY
It does take longer on some machines than a reinstall which is sad.
After I do all of this I essentially remove EVERY like to IE and
tie all automatic browsers launches to Mozilla
Then I tell them to never ever use IE again as long as they live
After the hours of weeding thru the muck they respect my wishes
M$ has shot itself on the foot with all these spyware/malware/adware
back door holes and all they are doing is promoting open source
God Bless Them !!! LOL
Peace,
Ex-MislTech
google "32 trillion offshore needs IRS attention"