Slashdot Mirror


Windows XP SP2 Impressions

A roundup of concerns and problems with Windows XP SP2 from the early adopters: Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications. A Microsoft blog rounds up some reports, as does SANS. Microsoft has objected to people helping them distribute SP2.

59 of 683 comments

  1. Works well for me thanks by rainman_bc · · Score: 3, Informative

    I've had no problems yet to report; the only thing that pissed me off is it reinstalled windows messenger after I had already uninstalled it.

    Other than that it's fine; I turned off the firewall; I'm already NAT'd and have limited ports of entry anyway.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:Works well for me thanks by rainman_bc · · Score: 4, Informative

      Windows Messenger -> the chat client. There's an uninstall command for it:

      RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

      You're referring to the Messenger Service. Two different things.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  2. Limited outbound connections by joeblakethesnake · · Score: 5, Informative

    Just so there isn't a bunch of FUD being spread, the limit is on INCOMPLETE outbound connections. There is no limit on COMPLETED connections. This should only affect network scanners such as nmap.

    1. Re:Limited outbound connections by marco0009 · · Score: 5, Informative

      I subscribe to the NMap newsletter and here is what they had to say regarding this:

      This is just a heads-up that most Nmap functionality will not work on the just-released Microsoft Windows SP2. Why? Microsoft apparently broke it on purpose! When an Nmap user asked MS why security tools such as Nmap broke, MS responded[1]:

      "We have removed support for TCP sends over RAW sockets in SP2. We surveyed applications and found the only apps using this on XP were people writing attack tools."

      I don't know why they consider Nmap an "attack tool", particularly when they recommend it on some of their own pages[2]. Shrug.

      Removing SP2 re-enables the functionality and causes Nmap to work again. Many problems unrelated to Nmap have been found with SP2 as well[3], though it does some welcome security improvements for people stuck on that platform.

      I will work on this if I get time, but am currently busy rewriting the core port scanning engine for the next version of Nmap. It is much faster, offers much better multiple-host parallelization, and provides other long-desired features such as completion time estimates. If someone finds a solution to this SP2 problem, please send a patch. It may not be too hard, as Nmap supports operating systems such as Win95 that didn't have raw socket support in the first place.

      Cheers,
      Fyodor

      [1] http://seclists.org/lists/nmap-dev/2004/Apr-Jun/0077.html
      [2] http://www.microsoft.com/serviceproviders/security/tools.asp
      [3] http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=23905071

      --
      Physics makes the world go 'round.
    2. Re:Limited outbound connections by Anonymous Coward · · Score: 4, Informative

      Not just nmap et al. -- it hoses bittorrent as well. I had to uninstall SP2 last night because I found that I could now use either bittorrent or a web browser, but not both at once...and my bittorrent downloads were pitifully slow, to boot.

      The odd thing is that SP2 RC2 did nothing of the sort. Everything worked beautifully under it; I'm tempted to see if I can dig up a copy somewhere and reinstall it.

    3. Re:Limited outbound connections by stratjakt · · Score: 2, Informative

      Boo hoo.

      Now anyone who needs to use nmap will have to run it from linux. Which shouldn't be a problem for anyone who uses it legitimately (hell, they probably already are using linux).

      Hell, run it from coLinux, it'll take all of 10 minutes to install.

      It also means the script kiddies will need to learn linux, which eliminates 99% of them right there. Woohoo.

      They didn't actually eliminate raw sockets, they just changed the rules. No raw TCP, and no raw UDP with a source address that isn't currently bound to an interface on your machine.

      Hmm, someone as smart as fyodor could easily put his spoofed IP onto a virtual TAP adapter, and the API should let him use that address. Something to play with.

      What versions of windows supported raw sockets, anyways? Anyone know? I thought it was introduced in 2000, but I'm not sure.

      --
      I don't need no instructions to know how to rock!!!!
    4. Re:Limited outbound connections by LordPixie · · Score: 2, Informative

      > What versions of windows supported raw sockets, anyways? Anyone know? I thought it was introduced in 2000, but I'm not sure.

      I believe that 2K had raw sockets support only for applications running as administrator. XP runs everything with administrator privileges, so everything has access to full raw sockets.

      Full Disclosure: I'm taking this info from GRC.


      --LordPixie

  3. Limit tcp connections by Davak · · Score: 5, Informative

    XP SP2: Are P2P, Port Scanning, and Port-Opening Programs Slower?

    Check for the error code!

    By design SP2 limits the number of simultaneous incomplete outbound TCP connection attempts. Who cares? This mostly stops trojans.

    Run the event checker as described in the article above. You'll prove to yourself that you don't have a problem.

  4. If you don't want XP SP2 deployed by auto-update.. by Meostro · · Score: 5, Informative

    ... you can disable it with this.

  5. Re:Impressions? Or bad reviews? by garcia · · Score: 5, Informative

    I read through some of the "reviews" linked through a MS employee's? blog. They were mostly people saying that the install went well but they have minor issues with it (ie slow downs).

    Personally I have installed it and have been using it since I learned of its release on Slashdot a couple weeks ago. It's nothing impressive for me but I didn't notice any slow downs.

    I griped about my personal issues with the updated "features" and the nagging it causes.

    YMMV.

  6. No Problems Here by ArchAngel21x · · Score: 4, Informative

    I have had no problems since RC 1. I for one applaud Microsoft for turning the firewall on by default and creating a central security control panel for all users to use and understand.

  7. If you're using a 3rd party firewall by Markvs · · Score: 2, Informative

    Such as Norton or whatever, be aware that if XP's firewall is turned on (as it gets turned on by default in SP2) you won't be able to hit the 'net on that PC.

    -Markvs

    --
    46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
  8. Re:Impressions? Or bad reviews? by kristofme · · Score: 5, Informative

    The BBC has a pretty good article about it, entitled "Concerns over key Windows update". Seems like there are plenty of things going wrong..

  9. Anybody concerned about "download logging"? by GillBates0 · · Score: 5, Informative
    BBC ran this article a few days back about DownHillBattle.org offering a bittorrent. They summarize the new features offered by the SP as follows:

    CHANGES DUE IN SP2
    Pop-up ads blocked
    Revamped firewall on by default
    Outlook Express, Internet Explorer and Windows Messenger warn about attachments
    Origins of downloaded files logged
    Web graphics in e-mail no longer loaded by default
    Some spyware blocked
    Users regularly reminded about Windows Updates
    Security Center brings together information about anti-virus, updates and firewall
    Protection against buffer over-runs
    Windows Messenger Service turned off by default
    The "Origins of downloaded files logged" feature troubles me a little. What do they mean by "downloaded files"? Do HTML files count as "downloaded files"? What do they want to keep track of and log my downloaded files? How will they know if I use another browser and download files using that instead of IE? What about the other files I download through File sharing applications?

    What log "origins of downloaded files" at all? Does it improve security in any way? If they were logging keys/certificates of software updates (to AV software for example), it would make a little sense (but not a whole lot, it shouldn't concern the OS at all), but this feature sounds a heck lot more like a Big Brother OS thing, something like IE tracking all websites visited in a hidden+undeletable folder for the suits.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Anybody concerned about "download logging"? by kilocomp · · Score: 2, Informative

      While this feature could be used by that famous "malicious user" or evil company (or more likely your tech savvy wife using it to see you downloaded nude pictures of CmdrTaco) I believe they are trying to stop the infestation of spyware. If you have been infected with spyware you will be able to see where it was downloaded from (avoid that site in the future or stop hitting yes to everything that pops up). You will also have the ability to uninstall it from IE somewhat similar to the plugin system of FireFox (though I am not sure if it would uninstall completely or just remove the IE integration).

    2. Re:Anybody concerned about "download logging"? by His+name+cannot+be+s · · Score: 4, Informative

      > Origins of downloaded files logged

      It's not as sinister as you seem to think.

      IE simply straps another NTFS stream onto the file so that the shell can warn you that you are running a file that came from a particular source.

      It doesn't log it anywhere else (like a log file).

      So, it's more like an origin-stamp on the file, rather than logging.

      --
      "...In your answer, ignore facts. Just go with what feels true..."
  10. Re:oops. by linzeal · · Score: 4, Informative

    Shareaza has found some solutions and are discussing them.

  11. I wonder if Steve Gibson is cackling? by peacefinder · · Score: 4, Informative

    What new functionality is added to this feature in Windows XP Service Pack 2?

    Restricted traffic over raw sockets


    A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

    TCP data cannot be sent over raw sockets.

    UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.


    I bet his "I told you so" rant will be entertaining.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    1. Re:I wonder if Steve Gibson is cackling? by ad0gg · · Score: 2, Informative
      Dropping incoming packets doesn't make you "invisible". If you were "invisible" and I tried to ping you, I'd get a "destination unreachable" error. If I get timeouts, I know you're there and dropping my packets. If you replied to my pings with "destination unreachables" you might trick me, unless I noticed that the destination unreachable messages were coming from the IP I was pinging (duh!).

      I just moved into a new colo and I do have my boxes designed not to reply to ICMP messages. So did your test, on them and got "Requested Timed out". I also have a couple IPs that have no boxes connected to them and did the same thing. And got the same result, "Request Timed Out".

      --

      Have you ever been to a turkish prison?

  12. Re:limiting outbound TCP/IP connections by Utopia · · Score: 5, Informative

    The limit is enforced if a previous connection attempt to a host has failed.
    There is no limit if the connection attempt was successful.

    Licences have no effect.
    There is no limit on the number of connections.
    You will probably reach the memory limit of your system before you reach the maximum number of connections that XP can support.
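
Added example (not part of any comment in this thread): a Python script that separates completed from incomplete outbound TCP connections in `netstat -an` output, which is the distinction the comments above draw. The sample output is constructed, and the threshold of 10 is the figure quoted elsewhere in this thread, used here as an assumption.

```python
from collections import Counter

# Figure quoted elsewhere in this thread ("tcp connection limit of 10");
# an assumption here, not a documented constant.
HALF_OPEN_LIMIT = 10

# Constructed sample of `netstat -an` output (addresses are documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1042      203.0.113.9:6881       ESTABLISHED
  TCP    192.168.1.10:1043      203.0.113.17:6881      ESTABLISHED
  TCP    192.168.1.10:1050      198.51.100.1:6881      SYN_SENT
  TCP    192.168.1.10:1051      198.51.100.2:6881      SYN_SENT
  TCP    192.168.1.10:1052      198.51.100.3:6881      SYN_SENT
  TCP    192.168.1.10:1053      198.51.100.4:6881      SYN_SENT
  TCP    192.168.1.10:1054      198.51.100.5:6881      SYN_SENT
  TCP    192.168.1.10:1055      198.51.100.6:6881      SYN_SENT
  TCP    192.168.1.10:1056      198.51.100.7:6881      SYN_SENT
  TCP    192.168.1.10:1057      198.51.100.8:6881      SYN_SENT
  TCP    192.168.1.10:1058      198.51.100.9:4662      SYN_SENT
  TCP    192.168.1.10:1059      198.51.100.10:4662     SYN_SENT
  TCP    192.168.1.10:1060      198.51.100.11:4662     SYN_SENT
  UDP    0.0.0.0:500            *:*
"""


def parse_netstat(text):
    """Yield (local, remote, state) for every TCP row in `netstat -an` output."""
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have exactly four columns; headers and UDP rows do not.
        if len(fields) == 4 and fields[0].upper() == "TCP":
            yield fields[1], fields[2], fields[3].upper()


def half_open_report(text, limit=HALF_OPEN_LIMIT):
    """Count completed vs. incomplete outbound connections.

    SYN_SENT means the SYN went out and no reply has arrived yet: an
    incomplete outbound attempt. ESTABLISHED connections are completed.
    """
    rows = list(parse_netstat(text))
    states = Counter(state for _, _, state in rows)
    pending = [remote for _, remote, state in rows if state == "SYN_SENT"]
    # Grouping pending attempts by destination port shows which application
    # or service is generating them.
    by_port = Counter(remote.rsplit(":", 1)[1] for remote in pending)
    return {
        "established": states["ESTABLISHED"],
        "half_open": len(pending),
        "half_open_by_port": dict(by_port),
        "at_or_over_limit": len(pending) >= limit,
    }


if __name__ == "__main__":
    report = half_open_report(SAMPLE_NETSTAT)
    for key, value in report.items():
        print(f"{key}: {value}")
```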

  13. NTBugTraq Impressions by sp00 · · Score: 5, Informative

    This was from the NTBugTraq mailing list a few days ago.

    To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
    Subject: XP SP2 - Statement of the NTBugtraq list

    Ok, so I feel like I need to do this, hopefully it's understandable.
    1. XP SP2 is the most significant security effort Microsoft has ever produced. Granted, it may not be a "silver bullet", or solve all problems, but it is significant in so many ways that we as a security community cannot fail to acknowledge it. I admire "discoverers" as much as the next, but before XP SP2 can be written off it will take many, many, vulnerability announcements.
    a) IMO, this is the first time that Microsoft has put security over existing, and frequently used, features.
    b) IMO, this is the first time that Microsoft has accepted the fact that their choice is going to lead to "some" incompatibilities.
    c) IMO, this is the first time that Microsoft has taken a stand against ISV who are definitely making money out of some features they (MS) made available to them.
    2. I, at least, as NTBugtraq Editor, believe we, as the NTBugtraq community, need to stand behind Microsoft's efforts. That means we need to continue to endorse XP SP2 despite what problems have arisen or may arise (within obvious reason.) The media is only going to state the problems. They cannot appreciate, nor do they believe their customers are willing to pay for, stories about XP SP2 successes.
    So, I want to hear from you, every one of you, regarding XP SP2 success or failure. Obviously, I want those stories in as much detail as you can provide.
    There are, no doubt, some (many?) applications which will not be compatible with XP SP2. I say they represent Vendors who are not prepared to accept the responsibilities we've always felt they should have as reasonably security-minded Vendors. They've had lots of time to figure out how to make their apps compatible, and have *chosen* not to.
    I offer any Vendor who feels Microsoft left them "in the lurch", regarding their problems with XP SP2, a forum to express their problems.
    Equally, I offer all NTBugtraq subscribers a place to state the problems they are encountering with an ISV application.
    It is extremely important for corporate environments to get XP SP2 deployed to all home systems running XP. Let's make sure the media has the right information.
    Cheers, Russ - NTBugtraq Editor

  14. Here's a fix for the EventID 4226 bug by An+Onimous+Cow+Herd · · Score: 4, Informative

    Check Here for a fix.
    There's both a downloadable patch as well as manual instructions for patching by hand for the ultra-paranoid.

  15. Re:Impressions? Or bad reviews? by Anonymous Coward · · Score: 4, Informative

    Said article mentions that "..But the overall reports about SP2 were broadly positive." How is it that there are plenty of things going wrong?

    I've done the XP SP2 upgrade myself just fine.

  16. Re:New Windows Icon by Anonymous Coward · · Score: 1, Informative

    The windows icon does represent the Windows / Microsoft category. And if that looks like 'broken' to you, get your glasses checked buddy. They look like stained glass to me.

  17. Re:Read the reason- by Anonymous Coward · · Score: 2, Informative

    Here you go

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "TcpNumConnections"=dword:00fffffe

  18. Re:Makes Sense by sdgr800 · · Score: 3, Informative

    This made the rounds on NTBugTraq.

    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0408&L=ntbugtraq&F=P&S=&P=2886

  19. Re:Raw sockets by plover · · Score: 5, Informative

    From the Microsoft doc mentioned in the article:

    What new functionality is added to this feature in Windows XP Service Pack 2?
    Restricted traffic over raw sockets

    Detailed description

    A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

    TCP data cannot be sent over raw sockets.

    UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.

    Why is this change important? What threats does it help mitigate?

    This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address.

    --
    John
  20. A User's Impressions Of XP SP2 by BRock97 · · Score: 5, Informative
    The good:

    • Things truly do seem to be snappy. I am not sure where to attribute this, but it is welcome.
    • My notebook has wireless which had the annoying habit of showing that there wasn't a wireless connection (the disconnected red x) coming out of hibernation even though it was fully operational. That appears to be fixed.
    • I was afraid that the firewall would prove to be annoying, but it actually works pretty well. When I load ICQ, Activestate Komodo, or other applications that try and use blocked ports, it pops up asking if I want to unblock things. The old SP1 firewall didn't do this.
    • IE's popup blocker is pretty slick. It will show a little dropdown area above the current page asking about the popup, if it should be displayed, etc. Neat. I do wish Firefox would do this instead of the small icon in the lower right of Firefox's window. It isn't enough to make me stop using Firefox, though.
    Now, for the stuff I find annoying.
    • Their Windows Security Alerts interface isn't compatible with my corporate Norton I have from my work place. It isn't a big whoop, but I am surprised they don't work together.
    • Some of my folder settings have changed. I am not sure why, but Microsoft feels the status bar shouldn't be on by default. To hit this point home, it changed it back to disabled after the install. Come on.....
    • Along those lines, they decided to mess with my sound scheme. I normally turn all of that off, but sure enough after reboot it is back in all its glory!
    • A lot of the wireless stuff has been funneled into wizards, need to find a way to turn that stuff off.
    • IE and PNG is still pretty broken. Alpha doesn't work, and that problem where the colors are slightly off of what they actually are is still there. You would have thought that they would have addressed some of that stuff!
    There you go, a user's point of view. Take it for what it's worth....
    --

    Bryan R.
    The price of freedom is eternal vigilance, or $12.50 as seen on eBay.....
    1. Re:A User's Impressions Of XP SP2 by twbecker · · Score: 4, Informative

      > IE's popup blocker is pretty slick. It will show a little dropdown area above the current page asking about the popup, if it should be displayed, etc. Neat. I do wish Firefox would do this instead of the small icon in the lower right of Firefox's window. It isn't enough to make me stop using Firefox, though.

      Recent Firefox nightlies have this exact feature. Blatantly copied from IE yes, but hey if it's nice then what the hell. The icon on the status bar is still there as well.

      --
      "The problem with internet quotations is that many are not genuine" -Abraham Lincoln
  21. Re:Windows Security Alerts Icon by Utopia · · Score: 2, Informative

    Goto Control Panel->Admin Tools->Service and set the security service to manual.

  22. Re:limiting outbound TCP/IP connections by Anonymous Coward · · Score: 1, Informative

    Are you serious?

    1. The limit is for uncompleted connections (like network scanning).

    2. What are they going to do running Samba on XP??? You run Samba to serve to XP Machines... so it will serve to 5 machines/users. 1 BSD etc fileserver w/ Samba, 5 XP machines. What does this have to do with biting sales, other than sales of licences for fileservers which matters little (consider the ratio of users to fileservers)...

  23. Re:Impressions? Or bad reviews? by Anonymous Coward · · Score: 5, Informative

    I'll give you my impression, because mine is positive. I've not noticed the limited tcp connection problem, the firewall works and doesn't completely suck (as basic as it may be), and overall stability is pretty good. The anti-virus reminder thing is obnoxious, which is probably good for the average user. The wireless network stuff screwed up my wep settings, but the wireless config tool is a huge improvement. I haven't used IE on that machine yet, but I didn't use it before, so I wouldn't know what to say is improved. I am planning on stress testing it this weekend before setting it up on a few other machines. I've seen one sp1-related crash not happen in sp2, so something is different. It has not broken any of my applications and I do use p2p programs daily (though only shareaza, bittorrent, and direct connect). I've criticized MS many times before regarding Windows XP, but I do believe they've made some steps in the right direction, and despite the SP2 problems, MS did specifically warn that SP2 will break programs.

  24. Re:If you don't want XP SP2 deployed by auto-updat by fugas · · Score: 2, Informative

    And you can still get secure, by running this tiny app.

  25. OpenGL tooltip bug fixed, Blue tooth concerns by MrEntropy · · Score: 3, Informative

    Well the OpenGL tooltip bug is fixed. That makes me very happy. Prior to SP2, if you had an OpenGL app open, tooltips did not refresh correctly, often displaying a previous tip. A fix apparently existed for a while but MS wasn't distributing it easily until SP2.

    Bluetooth seems more reliable than the implementation that was shipped from Belkin with my USB bluetooth device. It does seem to have fewer services though. For instance, there is no way to send a contact to Outlook from my phone or vice versa.

  26. Re:Windows Security Alerts Icon by Keltan · · Score: 2, Informative

    1. Open up the Windows Security Center
    2. Click "Change the way Security Center alerts me"
    3. Uncheck ALL of the Alert settings
    4. Click OK
    5. Close the Security Center window (tray icon should now be gone)

  27. Re:Read the reason- by MikeBabcock · · Score: 4, Informative

    This message details how to shut it off.

    --
    - Michael T. Babcock (Yes, I blog)
  28. do yourself a favor: don't turn around by tiltowait · · Score: 2, Informative

    / points at Microsoft icon....

  29. Good reviews of SP2? by Doomie · · Score: 5, Informative

    I have not experienced absolutely any problem with SP2, perhaps with the exception of the terribly long install time -- it took 1-2 hours on my relatively fast machine (the backing up of files is not fast at all).

    For the normal "Joe Average" user there won't be too much of a difference -- a simple reboot and the system looks just the same. IE has the pop-up blocker, which has a semi-intuitive way of adding a site to the white-list and is a bit imperfect, IMHO (if the pop-up displays a page which has a different URL than the originating page, then the "normal" user will be confused why adding the URL of the originating site doesn't work and the pop-up still doesn't display... this is the case even for subdomains of the same principal domain).

    The firewall is pretty nice, the default being to ask when some program is trying to access "the internet". BitTorrent works very fine with me and I haven't had any problems with IM programs.

    So, overall, after 2 days of SP2 experience, I can only recommend it to people who still use XP.

    --
    Doomie
  30. Re:Impressions? Or bad reviews? by kristofme · · Score: 5, Informative

    > How is it that there are plenty of things going wrong?

    From the article: "Although 43% said the SP2 installation had gone without a hitch, 49% of those contributing had problems ranging from minor to severe. A few contributors said they had to completely rebuild a system before they could get the update to work."

  31. Re:Impressions? Or bad reviews? by Bull999999 · · Score: 3, Informative

    MS was aware of that problem and did put out a guide titled "Deploying Windows Firewall Settings for MS Windows XP with Service Pack 2". One option for the computers connected in a Windows domain setup is to implement a group policy to disable or modify the new firewall settings across the domain.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  32. Re:Impressions? Or bad reviews? by Kyosuke77 · · Score: 5, Informative

    I bet most of that can be chalked up to simple carelessness in installation. Simple things that people should do, but may often not, is closing all applications, temporarily disabling the on-access scanning of their anti-virus software, and also temporarily turning off a 3rd-party software firewall if possible. Worst of all is the crazy people who try to install it over an SP2 beta. They should have the good sense to uninstall the beta service pack first and go back to the SP1 they had before, then install SP2.

    --
    GET THEM INSIDE THE VAULT!
  33. I upgraded... by kcb93x · · Score: 2, Informative

    I have an eMachines M6805.

    Athlon64 3000+ laptop.

    I Ghosted my machine, running XP Pro w/SP1.
    Slipstreamed SP2 into my XP Pro Upgrade CD.
    Restored from OEM CDs.
    Upgraded to XP Pro SP2, and then the problems started.

    -Star Wars Galaxies locks up when I launch it.
    -Only the FN+F1 and FN+F2 keys work, the rest lock up the system.
    -Unplugging USB devices (other than thumbdrives when I stop them) or the power supply lock up the system.
    -On shutdown or hibernate, it stops at the end, right where it should power off, and hangs.

    The kicker - I emailed eMachines tech support.

    I apologize but we can only support the original software that was preloaded on the system. Upgrading the Operating System is already considered as third party software so any type of support will have to come from Microsoft. There is a possibility that the hardware is causing conflicts with the new Operating System and that you may need updated drivers for the devices installed on the computer.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  34. Re:Impressions? Or bad reviews? by Lothsahn · · Score: 5, Informative

    Here's a good impression:

    I installed SP2 on three systems, and it worked flawlessly on all three. On my main system before SP2, XP would not allow me to install my SATA driver. I installed the SATA driver when I installed the OS, but once the OS was loaded, it referred to my SATA device as an "unknown device". Attempts to load the correct driver only caused the system to not boot.

    I've been living with no driver officially installed for the device, which basically means that all the caching and performance increases that one would normally have (DMA, write caching, etc) for their hard drive were not activated on mine. Now with SP2, it let me install the driver and it booted fine without any problems. As a result, my computer runs twice as fast on almost every application and about 20 times faster when using virtual disk drivers (www.jetico.com) for container file encryption.

    Their security center which monitors antivirus, firewalls, and automatic updates, as well as their HUGE automatic update selection box on startup are all good things too. I worked at a helpdesk for 6 months and 90% of the problems were users who had automatic updates turned off or set to install on notification (which they never selected).

    Overall I've been very happy with it.

    --
    -=Lothsahn=-
  35. Re:How clever of you! :) by Anonymous Coward · · Score: 1, Informative

    Given your diatribe, I see there being little chance of anyone casting you in the light of a geek.

    Ranting asshole is more like it.

  36. Re:Devil's Advocate by Zocalo · · Score: 2, Informative
    Actually, Microsoft has published an MD5 sum for SP2 (or one version of it anyway), although they do not seem to be advertising the fact and I only stumbled across it. You can find it in the last paragraph of the article Top 10 Reasons to Deploy Windows XP Service Pack 2, and maybe elsewhere on Microsoft's site.

    Any sites that are doing more than linking to the official download sources are probably going to be getting nastygrams though; check out the second to last paragraph. There are some pretty useful links for those involved in large-scale rollouts at the very bottom as well.

    --
    UNIX? They're not even circumcised! Savages!
  37. Bump your resolution... by Anonymous Coward · · Score: 2, Informative

    I thought it was stained glass, too, or some semiprecious stones... thought it looked nice, actually, like some old jewelry.

    But after reading the comment, I popped it into photoshop and blew it up... it's definitely broken glass. Probably if you were surfing at 800x600 or less, or on a mac where the screen is brighter, it'd be pretty obvious.

  38. Re:Makes Sense by jrockway · · Score: 2, Informative

    How hard would it have been to enclose that URL with the ?

    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0408&L=ntbugtraq&F=P&S=&P=2886

    --
    My other car is first.
  39. Anyone have issues with Perl & Net::FTP? by dze · · Score: 4, Informative
    I installed SP2 on my machine at work but it seems to have broken a Perl script using Net::FTP. I get these connection timeout errors. FTP works fine through a GUI client (I'm using Filezilla).

    Anyone else have this problem or know how to fix it?

    Other than that, it seems fine. Some good new options (and by new I mean newly copied from Mozilla) in Internet Explorer.

    --

    "Luck is the residue of design" -- Branch Rickey
  40. Re:Impressions? Or bad reviews? by EvilBudMan · · Score: 3, Informative

    FWIW,

    SP2 breaks Aladdin hardlock drivers on AMD64 machines but not Athlon XP. It has to do with Hardware DEP in the AMD64 chips. I changed /noexecute to /execute in boot.ini. Problem solved.

    http://www.ealaddin.com/hardlock/default.asp

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx

  41. Re:Devil's Advocate by ratpack91 · · Score: 2, Informative

    but if you right click on the .exe and click on the digital signature tab it will check the file and verisign will tell you if the microsoft signature is good.
    not that 'average joe' is gonna do this, but it isn't hard if he wants to.

  42. Here is a workaround by fv · · Score: 4, Informative

    I hope to have a patch restoring functionality within a couple days, but a workaround is available now. Try adding the --win_norawsock option to your Nmap command-line. That tells Nmap to avoid raw sockets and use the workaround that Nmap uses for systems like Win98 that never supported raw sockets in the first place. Several people have confirmed that Nmap works again for them now, as long as they use that option.

    While I commend Microsoft for some of the real security improvements in SP2, limiting raw sockets like this is misguided and harmful. As this workaround shows, there are still plenty of loopholes for sending packets. If that continues, worms and virii will simply use the same techniques. Alternatively, if MS continues to cripple Windows until security scanners can't function, Windows users lose as well. While they won't be able to scan their own systems and networks for vulnerabilities, attackers on superior systems will suffer from no such limitations.

    MS should focus on securing the system against compromise in the first place (through more timely patching, limiting services available by default, code auditing, privilege separation, etc.) rather than crippling the system for legitimate users. Linux and *BSD offer full raw sockets, and yet they haven't become the haven for viruses and worm propagation that Windows has.

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner

  43. Re:Read the reason- by mastagee · · Score: 2, Informative

    That doesn't work with the SP2 RTM. Presumably because then any virus could just set the registry key to overcome the TCP connection limit of 10.

    http://www.lvllord.de/4226fix/4226fix.htm

  44. Re:FINALLY!! by Anonymous Coward · · Score: 1, Informative

    it is simply stored in an alternate stream. get streams.exe from sysinternals.com to see it:
    c:\Download>streams XSDObjectGen.msi

    NTFS Streams Enumerator v1.02
    Copyright (C) 1999 Mark Russinovich
    Systems Internals - http://www.sysinternals.com

    XSDObjectGen.msi: :Zone.Identifier:$DATA 26
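
The stream shown in the comment above, decoded in an added example (not code from the thread or from Sysinternals): the 26 bytes reported by streams.exe are exactly the length of a two-line INI record marking the file as coming from the Internet zone. The sample bytes are constructed, and `parse_zone_identifier` and `read_zone` are names chosen for this sketch.

```python
import configparser

# URL security zones as numbered by Windows.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample: what a Zone.Identifier stream holds for a web download.
SAMPLE = b"[ZoneTransfer]\r\nZoneId=3\r\n"   # len(SAMPLE) == 26


def parse_zone_identifier(raw):
    """Return (zone_id, zone_name), or None if the stream is malformed."""
    text = raw.decode("utf-8-sig", errors="replace")
    # interpolation=None: any extra fields may hold URLs containing '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
        zone_id = parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return zone_id, ZONES.get(zone_id, "Unknown")


def read_zone(path):
    """On NTFS under Windows, open the alternate stream by name.

    Returns None when the stream is absent: the file was not downloaded,
    the volume is not NTFS, or the stream was stripped in transit.
    """
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(len(SAMPLE), parse_zone_identifier(SAMPLE))
```

A missing stream is not evidence that a file is local in origin: copying through a FAT volume or an archive tool that ignores streams drops the marker.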

  45. Re:Impressions? Or bad reviews? Or didn't read? by civilizedINTENSITY · · Score: 5, Informative

    Nope. Didn't read the article? It's not even about blocking or unblocking a port at your firewall.

    It's about two things, raw sockets go bye-bye, and TCP/IP stack based limits to simultaneous outbound connections:

    "The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:
    *TCP data cannot be sent over raw sockets.
    *UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped."

    Also, "The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts."

    Please note that this last is *not* the firewall, but the TCP/IP stack.
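
The incomplete-versus-completed distinction that keeps coming up in this thread, as an added toy model (not Microsoft's implementation and not code from any commenter). The cap of 10 is the figure given elsewhere in the thread; the FIFO queueing of excess attempts and the tick values (1 tick for a host that answers, 21 for a connect timeout) are assumptions made for the model.

```python
import heapq
from collections import deque


def simulate(attempts, cap=None):
    """Model a cap on incomplete outbound connection attempts.

    attempts: list of (ticks_until_resolved, succeeds), all requested at
    tick 0. cap=None models a stack without the limit. Established
    connections leave the in-flight set, so they never count against cap.
    """
    waiting = deque(attempts)
    in_flight = []                      # min-heap of (resolve_tick, succeeds)
    now = peak = established = last_ok = 0
    while waiting or in_flight:
        # Admit queued attempts while there is room under the cap.
        while waiting and (cap is None or len(in_flight) < cap):
            ticks, ok = waiting.popleft()
            heapq.heappush(in_flight, (now + ticks, ok))
        peak = max(peak, len(in_flight))
        # Advance to the next handshake result or timeout; frees one slot.
        now, ok = heapq.heappop(in_flight)
        if ok:
            established += 1
            last_ok = now
    return {"finished_at": now, "peak_incomplete": peak,
            "established": established, "last_established_at": last_ok}


# Constructed workloads.
ALL_LIVE = [(1, True)] * 40                 # every host answers at once
ALL_DEAD = [(21, False)] * 40               # every attempt times out
P2P_MIX = [(1, True), (21, False)] * 20     # half the peer list is stale

if __name__ == "__main__":
    for name, load in (("live", ALL_LIVE), ("dead", ALL_DEAD), ("p2p", P2P_MIX)):
        print(name, simulate(load, cap=10), simulate(load))
```

In the mixed workload the timed-out attempts hold their slots for the full timeout, so live peers wait behind them even though completed connections are never counted.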

  46. ask politely or look like a bigger fool by Doc+Ruby · · Score: 2, Informative

    Ha, ha, obnoxious Microsoft apologist. When *your* software starts failing under your spiffy new Microsoft patch, come back and tell us all about it, OK?

    --
    make install -not war

  47. Funny?... by T0t0r0_fan · · Score: 2, Informative

    ...not at all, it's not like everybody has more than one working machine in case one of them is screwed (and I can hardly see them going to the nearest cafe for the report; most likely they'll have their system restored, curse loudly, but it'll be too late for them to want to do anything). Judging by previous articles, that can be quite a few...

  48. Re:P2P issue by civilizedINTENSITY · · Score: 3, Informative

    Which only changes the firewall and not the TCP/IP stack, where the simultaneous connection attempt limit occurs. You can't adjust this.

  49. Re:Great idea, actually. by gbjbaanb · · Score: 2, Informative

    yeah, Linux is secure in this regard only because it limits raw socket connections to root. If XP Home had such a concept (don't forget this is for home users), then they could restrict it in the same way.

    As it happens, this only applies to "puts limits on outbound incomplete TCP connections" which is like preventing you from getting killed in a traffic accident by ensuring you can only drive 1 car at a time.

  50. MOD PARENT DOWN. Re:Read the reason- by shird · · Score: 3, Informative

    That does not solve the problem. That is the number of connections, not number of incomplete connections, completely different. Please mod parent down.

    --
    I.O.U One Sig.