Evaluating Windows XP Service Pack 2 RC2

dncsky1530 writes "Information Week has a good evaluation of Windows XP SP2, excerpt: "The code for release candidate 2 finally looks like a real release candidate. And sure enough, it will help you big-time with security. But what sorts of headaches will the eventual final version mean for IT shops? We'll take it piece by piece... Remember when Microsoft said service packs wouldn't deliver any new functionality? That lasted for about six months back in 1997. Windows XP Service Pack 2 is jammed-packed with both invisible and visible improvements to Windows XP. The biggest boon is that the free update, which will probably ship some time in September, does in fact make Windows XP far more secure""

New features, yes.

[CmdrNullo]

But there's been quite a bit of reporting that there will be compatibility problems because of the security enhancements. Nonetheless, I'm looking forward to spending less time cleaning up spyware infections on relatives' machines.

Re:New features, yes.

[Flyinace2000]

Amen to that! I work at a computer shop and 90% of the repairs we do end with us giving a lecture about spyware.......Our record is 1300 infected spyware files.

Re:New features, yes.

[Gilesx]

Unfortunately, it doesn't really do a lot to protect against spyware. It's mostly a pretty front end to remind you to a) install a virus checker, b) install a firewall (or enable the default Windows firewall - and given the Microsoft security track record, who in their right mind would rely on that?!) and c) reboot your machine after you've installed an update. This last reminder is particularly annoying as it pops up from the system tray approximately every 10 minutes, with the default dialog option set to reboot. In the middle of typing something? Just hit enter right at the moment that the reboot reminder box pops up? Tough - you're rebooting whether you relike it or not! Poor poor POOR UI design there, Bill...

Re:New features, yes.

[Threni]

In the middle of typing something? Just hit enter right at the moment that the reboot reminder box pops up? Tough - you're rebooting whether you relike it or not! Poor poor POOR UI design there, Bill...

This happens quite often with Windows. Not just in this case, or with dialogue boxes, but just generally with windows containing an error message. I'm not that excited about a task completing or a page not being found that I'm interested in stopping writing my email or entering a URL or whatever to click on an OK on a box with no other options. Is there a registry setting anywhere for Windows as a whole - something to the effect of a `Take focus away from user to report an error` boolean or something? Do other operating systems handle this problem another way?

Re:New features, yes.

[Tobias+Luetke]

Unfortuantly you are totally wrong about poor ui design.

When a unasked for popup comes up the first reaction of the average user is to get rid of it. There are statistics which proove that 75% of all users will hit enter to any dialog box without reading it in your average run the mill office.

Don't take this lightly. This is the very reason for most of the problems we have in the internet today. Norton antivirus used to default to "read anyways" when it detected a email virus.

This was realized by microsoft a while ago and now all dialog boxes default to the secure option instead of the least intrusive. Since windows only wants you to restart if it couldn't apply the patch to the machine during installation ( e.g. applications which were to be patched were running / files were in use ) it makes perfect sense to default to reboot. If there is a big exploit in IE it needs to be fixed as fast as possible. Who really tourns off their pc nowadays ? Even after receiving the patch you might run your unpatched ie for a week.

Won't matter, they won't install it.

[garcia]

Mainstream Web sites that employ unsigned ActiveX applets, downloads, pop-up windows, browser helper objects, and other code- or scripting-based functions may encounter difficulty with SP2 version IE 6. Most of these activities are prevented by default, and until thousands of Web sites and Web-based applications are upgraded to more gracefully deal with the new IE's many security precautions, a lot of Web stuff is going to be broken--or, at least, temporarily halted.

While a lot of people here are going to say, "wow, everyone is going to go to Mozilla/FireFox." I have serious doubts that we will see that. All we are going to see is a bunch of broken websites and people complaining. The solution is going to be to turn off the default security options and go back to browsing like they did before.

Microsoft just isn't that interested in upgrading Internet Explorer's feature set. As a result, it's unlikely we'll see tabbed browsing before Longhorn, and it's not even guaranteed for that release. No wonder so many people are jumping ship for Mozilla Firefox and Opera.

Nah, I really doubt that the single reason people are moving to Mozilla FF and Opera are for tabbed browsing. I surf daily and probably at greater lengths than the average person and I don't find tabbed browsing to be my #1 concern.

I found it particularly interesting that the "Windows Security Center (WSC)" didn't detect NAV or ZA for virus or firewall... While they assured the author that they would be detected by the time that XP SP2 comes out I just have to wonder why MS would force them to rewrite their software to work w/WSC. If MS was so concerned w/third parties being able to protect Windows users you would think that they would work with the companies to get it to work, not the other way around.

Microsoft also is working on the 5.0 version of Windows Update, its Windows-updating Web site, which handles a lot more than just critical updates. It's primarily a user-interface update, but one of the underlying improvements is that you'll no longer be required to restart your computer so often after applying updates.

Honestly, most of my most recent XP updates have been installed without a restart. It's really not a huge deal to *ME* and I am sure it's not a huge deal to most other non-technical users as they probably restart their computer almost daily because of various unknown reasons.

All in all, I look forward to it but I wonder how many will install it. Will it make a difference when it comes out? Will 100% of the XP users out there upgrade and stop the vunerabilities from spreading? I doubt it. We are going to suffer through this same shit because Windows users aren't the smartest bunch out there.

Re:Won't matter, they won't install it.

[ObsessiveMathsFreak]

Happily however, windows XP searches for and installs the latest updates without any user input whatsoever, a situation I agree with completely.I know that most home users will rarely go into control panel and almost never run windows update. I don't expect them too, neither does MS.However, I'm not sure if automatic updating applies to service packs. I sure hope it does.

Your right about the websites though. If the SP 'breaks' web sites, people will turn the security off. I've also seen people who've tried firefox recently, go back to IE as javascript,PDF and flash either don't work or don't work 'properly'. They liked tabbed browsing, but that wasn't enough to wean them off IE's integrated plugins unfortunatly. Couldn't mozilla offer a complete install with all the plugins as standard?

Re:Won't matter, they won't install it.

[DrEldarion]

The solution is going to be to turn off the default security options and go back to browsing like they did before.

You're assuming that people actually know how to turn off the security settings. I'd say that most of the people who don't know any better will have no clue how to turn them off, and the people who do know better will, well, know better than to turn them off. Sure, there are a few people who know just enough to be dangerous, but they're a huge minority compared to the amount of people who don't even know what "right-click" means.

Any sites who actually care about having their users stay will fix their site instead of telling their users to "fix" their browser. People are REALLY lazy - if the site they're on doesn't work, they'll just say "screw it" and go to one of the other 5,000 sites on the web that can give them the same content rather than putting any effort towards changing settings.

Plus, I'd hope that people wouldn't trust any website that tells them to change their security settings, but that's probably putting too much faith in them.

Re:Won't matter, they won't install it.

[IgnoramusMaximus]

Oh for Christ's sake, it's a reboot, it doesn't take hours. It takes about two minutes.

What he means is that on a production server you cant just pull the plug to reboot (even if it took 1 second flat) until the last workaholic leaves his beancounting or whatnot at 7pm. IT is an internal service within a company and you dance around others who do earn the actual revenue which you are blowing from the company's gazoo in general direction of Billy Gates.

That is still the part Microsoft doesnt get, insisting that IT is a princeling of corporate departaments which can at its whim bring the company up and down and spend all of its money on bullshit. Apparently you are also under this impression.

Three months to go?

I must check for companies that are now posting jobs asking for two years experience in WinXP SP 2. (It goes nicely with the five years .NET experience.)

Cleaning?

[Biogenesis]

You actually worry about cleaning it? I just recommend reformatting :p. It's got 2 big advantages:

1) It's easier to do (even if it takes longer there's no guesswork/trudging through the registery)
2) It tends to be such a big deal for the relative (backing up etc) that I tend to get asked less :).

Then again, doesn't Adaware do a good enough job as it is?

Yeah, good for those with broadband

[Stevyn]

This is only good for those with broadband. No one on a modem is going to download this. Service packs are great until you factor in the time to download and install. People who were too lazy to update once a week aren't going to install this service pack for the same reason. Windows, if you patch and use antivirus and a hardware firewall, can be pretty stable and secure. However, without all that you're asking for trouble. I still think the majority of problems stem from ignorant users, not the horribly evil company itself. And why do they charge for mailing these service pack CDs? If you paid $300 retail or even the $40 or so from an oem, you should be entitled to a free update CD with no shipping cost. If AOL can afford to send out millions of those discs, Microsoft can do the same. Hell, they already do it for MSN.

Re:Yeah, good for those with broadband

[Gilesx]

An interesting point with the MSN CD thing. You'd think that if Microsoft were really using their noodles, they would include the service pack everywhere they could - if you make it a compulsory install when you install an MSN CD, Office CD or whatever - I'm sure you'd reach a hell of a lot more users than you would just by placing it up for download....

Marketshare has meaning in security

[cyberlotnet]

I do all development and most of my day to day work on linux, I play games on my windows laptop just so all you flamers know I do use both.

Anyway is linux or mozilla more secure? YES.
Why is it more secure? Open Source means better peer review.
Are the "margins" of security between windows and linux really so large? I would have to say NO.

Why you say? The machines being hacked and sending out 80% of the spam in the world are home machines, Why? In general the average user fails to keep there machine up to date, opens up email attachments, or does some other stupid action that causes there pc to get infected. This makes home machines open to direct attack. If a majority of the home machines where linux then you would hear more about linux worms and viruses.

Now due to the way linux is they may not be as bad, patches may be releases faster but with the worlds virus and script kiddies focusing on linux instead of windows there would be problems.

Linux users try to place themselves in such high praise, But they can't, You can't praise yourself until you have truly been subject to the same level of attack and focus as windows.

Re:hmm

[AndroidCat]

The problem with Microsoft is that they have two camps slugging it out. The Raymond Chen Camp and The MSDN Magazine Camp. (This was already covered on Slashdot, but is worth a re-read.) MSDN gang always wants the latest and greatest jammed in the box ASAP--the trouble is, they seem to know squat about real security. And they've been in control for some time now.

And so they produce garbage like IE zones controlling ActiveX security and weak patches to ADO.Streams for years now.

Best Practices

[darkmeridian]

Am I the only one that has a little series of computers that I roll out updates before I roll them out enterprise-wide? I know some people have a test system... but for my network (and the sake of the hospital's uptime) I have a small testing network.

You are not the only one with a test network. I once updated my system and then the enterpriseware suddenly quit working. On all the production systems. Boss was angry. I spent the whole night regressing the software until I realized that the software was incompatible with the ICF in WinXP. I announced that to the company's CS and they updated their website Knowledge Base with that tidbit.

From then on, I ran all upgrades through a three system network with one masquerading as the "server". In addition to software status, all configuration data is recorded as well. I wonder if I'm violating my licensing agreement this way. Oh, well.

Re:Will this kill ZoneAlarm?

[kawika]

You got that wrong. XP's firewall blocks programs from listening on ports--incoming traffic. XP SP2 does not block outgoing traffic, for example a web browser that establishes an outgoing TCP connection will get through just fine, no special configuration required. There is no special whitelist entry for IE, as you'll notice that Firefox or Opera get through fine as well.

ZoneAlarm does much more in that it can block outgoing traffic on a program-by-program basis. But ZoneAlarm also asks questions that are impossible for most users to answer without a course in Windows XP internals, like "Do you want to allow SVCHOST.EXE to access the Internet?" I can see why Microsoft decided to leave this functionality out.

The best outcome would be if programs like ZoneAlarm coordinate their work with the built-in firewall and extend its functionality. I don't think they are in danger of becoming obsolete. Similarly, Windows has bundled a defragger since Win95 but that hasn't stopped a half-dozen companies from writing better ones.

Re:Will this kill ZoneAlarm?

[philbert26]

My problem with this is that it didn't ask me to autheticate IE, or other MSFT services. While I agree that this is better for Joe User, and does indeed make the average computer *somewhat* less vulnerable to becoming zombies [grc.com] I actually think that overall it compromises security, because it has the idea of "pre-trusted" programs.

It does, but you can choose to disable that at install time and enable everything yourself. I think it's a good feature for people who don't know what they're doing, because otherwise they will get used to seeing the authorisation window for every innocent program and will start giving permission without really thinking about it. My brother gave MSBlaster Internet Access this way...if permission popups were a less frequent occurence, he might have been more suspicious.

Users do switch MozFF/Opera for tabbed browsing

[vaderhelmet]

I'm one of a handful of people in my company who are even aware of OSS, Linux, and the like. My boss (System Administrator of my building) is afraid of anything that doesn't have Bill's seal of approval. But when my boss saw how much more efficiently I could research something on the web using tabbed browsing, and the built-in (customizable) search bar, he did a double-take. He installed it and started using it about 25% of the time. After the CERT warning came out, he dumped IE and issued a warning to the building that they need to be using Opera, Firefox or similar non-MS browser.

Another Firewall Issue

[pgrst]

In addition to the issues already raised by other posters, there is another problem that the article does allude to but doesn't explain: The firewall keeps turning itself on!

I have run SP2 since the first release candidate. I don't use the windows firewall since I already have hardware + software firewalls. XP SP2 detects the software firewall correctly (mcafee). But at least once every other day Windows turns on the damn XP SP2 firewall. It's a pain in the ass and the real problem is that you don't know it's on. You only realize it's turned itself back on when it announces that it has blocked a connection.