Slashdot Mirror


Windows XP SP2 Impressions

A roundup of concerns and problems with Windows XP SP2 from the early adopters: Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications. A Microsoft blog rounds up some reports, as does SANS. Microsoft has objected to people helping them distribute SP2.

18 of 683 comments

  1. Impressions? Or bad reviews? by FortKnox · · Score: 5, Insightful

    Your list of 'impressions' is nothing but bad things people are saying. Any links to the other views?

    If not, simply change the title to "Bad things popping up with SP2" or something to that effect.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  2. Re:Impressions? Or bad reviews? by stratjakt · · Score: 5, Insightful

    I have a view. It hasn't caused a problem on any machine in my office, and I can only say that my personal machine at least "feels" more responsive.

    Look, this is slashdot. They aren't going to be objective. For years the whine has been "MSFT default security is teh suck". MS releases a service pack that locks the boxes down reasonably well. Now that's something to complain about: "my kazaa is teh broked!"

    Limiting outbound TCP connections to something sane makes sense. Let the extreme P2P kiddies relax the rules manually. On the majority of desktops (not SERVERS) out there, an inordinate amount of outbound traffic is a sign of something bad, like a backdoored spam relay or the machine has been taken over as a DDoS drone.

    SP2 crashed a lot of machines that were already exploited. Good. They were already broken. Now those guys can go to Best Buy, who will format and reinstall for them, juice them up with SP2, and there's one less source of SPAM/DDoS/Worms/stupidness.

    IMO, SP2 was a huge step in the right direction, and confirmation to me that MSFT is doing more than paying lip service to security.

    Of course, this is slashdot, and everything they do is wrong.

    It's worth noting that I've never borked a windows box installing a service pack, all the way back to win 95. On the other hand, I've lost track of how much time I've spent cleaning up after typing "emerge -uD world". I thought I'd mention that so I can ensure I'll be modded troll. It's true, though, I swear it.

    --
    I don't need no instructions to know how to rock!!!!
  3. Anything to Smear Microsoft by goldspider · · Score: 5, Insightful

    ...even if it isn't true.

    Y'all complain that Microsoft doesn't care about security, but when they release a MASSIVE security patch, you try to find (and if that fails, fabricate) any and all tiny inconveniences it causes.

    As others here have pointed out, it doesn't block ALL outbound TCP connections, just incomplete ones. Would it kill an editor to come out and say for once that "Microsoft did a pretty good job here."?

    And no, I'm not new here.

    --
    "Ask not what your country can do for you." --John F. Kennedy
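    Added example, not from the thread: the detection shape that comments 2 and 3 describe, i.e. counting incomplete (half-open) outbound TCP connections per process, run over constructed netstat-style rows. The row format, pids, addresses and the threshold are assumptions for illustration; SP2's actual limit is not taken from this page.

```python
"""Count half-open outbound TCP connections per process.

A host with many attempts stuck in SYN_SENT is the pattern the SP2 limit is
aimed at (spam relays, DDoS drones, worms hunting for new hosts). Rows below
are constructed and imitate a 'netstat -ano'-style listing; the threshold is
an assumption, not SP2's configured value.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample: proto, local addr, remote addr, state, pid
SAMPLE_NETSTAT = """\
TCP 192.168.1.10:3421 10.0.0.5:80 ESTABLISHED 1204
TCP 192.168.1.10:3422 10.0.0.9:80 ESTABLISHED 1204
TCP 192.168.1.10:4001 203.0.113.7:25 SYN_SENT 2260
TCP 192.168.1.10:4002 203.0.113.8:25 SYN_SENT 2260
TCP 192.168.1.10:4003 203.0.113.9:25 SYN_SENT 2260
TCP 192.168.1.10:4004 203.0.113.10:25 SYN_SENT 2260
TCP 192.168.1.10:4005 203.0.113.11:25 SYN_SENT 2260
TCP 192.168.1.10:4006 203.0.113.12:25 SYN_SENT 2260
TCP 192.168.1.10:5100 198.51.100.4:6881 SYN_SENT 3310
TCP 192.168.1.10:5101 198.51.100.5:6881 ESTABLISHED 3310
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 900
"""

Row = Tuple[str, str, str, str, int]


def parse_netstat(text: str) -> List[Row]:
    """Parse 'proto local remote state pid' rows; skip malformed lines."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or not parts[4].isdigit():
            continue
        proto, local, remote, state, pid = parts
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def half_open_per_pid(rows: List[Row]) -> Dict[int, int]:
    """Count outbound attempts that never completed the handshake (SYN_SENT)."""
    counts: Counter = Counter(pid for _p, _l, _r, state, pid in rows if state == "SYN_SENT")
    return dict(counts)


def flag_noisy_pids(rows: List[Row], threshold: int = 5) -> Dict[int, int]:
    """Return pids whose half-open count exceeds the (assumed) threshold."""
    return {pid: n for pid, n in half_open_per_pid(rows).items() if n > threshold}


def destination_profile(rows: List[Row], pid: int) -> Tuple[int, Set[int]]:
    """Distinct remote hosts and the remote ports a pid is trying to reach.

    Many hosts on a single port (25 here) is the spam-relay / scanner shape,
    unlike a P2P client that spreads across peers on its own port.
    """
    hosts, ports = set(), set()
    for _proto, _local, remote, state, p in rows:
        if p == pid and state == "SYN_SENT":
            host, _, port = remote.rpartition(":")
            hosts.add(host)
            ports.add(int(port))
    return len(hosts), ports
```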
  4. Re:Works well for me thanks by Anonymous Coward · · Score: 5, Insightful

    Other than that it's fine; I turned off the firewall; I'm already NAT'd and have limited ports of entry anyway.

    The nice thing about the firewall is that every program that isn't signed that wants to become a server (listen on a port) has to get your permission first. That makes it more likely that you'll catch a malicious program like spyware before it starts sending your browsing activities off to the deep dark jungle of the internet.

    Your standard off-the-shelf router from BestBuy won't do that for you.

    Unless you run something equivalent like ZoneAlarm, I would suggest you turn it back on.

  5. Re:Read the reason- by flanksteak · · Score: 4, Insightful

    Normally I wouldn't expect MS to allow you to configure something like this, but if you think about it, if there were a user option to turn it off, then it probably wouldn't be that difficult for a trojan to turn it off. Especially since so many people run with admin privs.

  6. Re:Impressions? Or bad reviews? by RatBastard · · Score: 5, Insightful

    Of course. But Microsoft warned everyone that SP2 was more concerned with security than it was with compatibility. The fact that some custom-written software breaks should not be a surprise to anyone.

    --
    Boobies never hurt anyone. - Sherry Glaser.
  7. Security limits functionality by ceswiedler · · Score: 5, Insightful

    Security by definition must limit functionality. The best you can hope for is that the functionality limited is less valuable than the security gained.

    Microsoft management has finally realized that in order to avoid the gigantic fiascos of the past year's worms, they have to limit some functionality. My guess is Microsoft engineers have been telling their management this for a long time, and finally, they were heard.

    M: Is our product secure?
    E: The only way to improve security is at the expense of features.
    M: No way. Features sell the product.

    M: We need to patch this security hole.
    E: The only way to improve security is at the expense of features.
    M: I still can't accept this.

    M: Please, dear god, do ANYTHING to fix these security problems!
    E: The only way to improve security is at the expense of features.
    M: All right, all right! Do it!

  8. As well they should by SuiteSisterMary · · Score: 4, Insightful
    Microsoft has objected to people helping them distribute SP2.

    Can you blame them? Untrusted sources and all that?

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  9. Re:Impressions? Or bad reviews? by JoeBuck · · Score: 5, Insightful
    Don't forget that the people sending in reports are self-selecting. People who had problems are far more motivated to write a report on those problems than people who had no problems.

    Let's wait until we have some real data, as in definitive reports that particular applications break.

  10. Devil's Advocate by Cheesewhiz · · Score: 5, Insightful
    "Microsoft has objected to people helping them distribute SP2."

    I hate to play Devil's Advocate, but DUH... look at this from Microsoft's perspective. Having non-Microsoft sources distributing SP2 has two huge negative aspects for them:

    1) Unthrottled Rollout

    Having P2P'ers flooding the patch to "everyone-and-their-monkey's-uncle" destroys any potential throttle control that Microsoft might have had. Microsoft's initial plan was to trickle the rollout of SP2 out at only 25,000 downloads a day, exclusively via Windows Update. This is extremely practical due to the scope of the patch -- it makes a lot of sense for them to control the release in case a catastrophic show-stopper pops up, and also to allow developers some extra update time.

    2) P2P Security Liability

    Let's face it, Microsoft has a right to have their skivvies in a knot over people downloading any Windows patches from 3rd party sources. The infamous "Average Joe" (the guy who opens email viruses twice a week) isn't going to do an MD5 checksum comparison on a patch from a P2P net before running it -- who's to prevent someone from hacking up their own little "SP2" cocktail exe and distributing it? Ultimately the shit would hit the fan and Microsoft would take it in the face.

    Even those who do check MD5 digits on a P2P-downloaded patch need a trusted source for the correct checksum... again, Microsoft doesn't want to be liable. Sure, it could be argued that Microsoft could provide the MD5 checksum themselves, but then "Average Joe XP User" would never check it anyway because "Microsoft says it's ok, so it must be safe!"

    --
    "Cogito Eggo Sum: I think, therefore, waffle."
  11. Re:I wonder if Steve Gibson is cackling? by stratjakt · · Score: 5, Insightful

    This guy drives me nuts. I can't stand FUD and lies.

    I'm talking about the "shields up" thing. It claims if you're in "stealth mode" then your machine is invisible. This is idiotic.

    Dropping incoming packets doesn't make you "invisible". If you were "invisible" and I tried to ping you, I'd get a "destination unreachable" error. If I get timeouts, I know you're there and dropping my packets. If you replied to my pings with "destination unreachables" you might trick me, unless I noticed that the destination unreachable messages were coming from the IP I was pinging (duh!).

    It's as false as the "your machine is broadcasting an IP!" popups.

    Fuck him and his crusade to break the internet by trying to convince people there's something to be gained by dropping incoming packets, instead of responding with a proper RST packet or ICMP message.

    Linux folks, set your default firewall properties to DENY, and not DROP. It doesn't make you vulnerable, it doesn't allow SYN floods (which attack by spawning multiple server threads on a local port - an application vulnerability not a TCP/IP one).

    It doesn't "hide" you from scanners, as he claims.

    It doesn't prevent DDoS attacks; if I have enough bandwidth to clog your downstream, it doesn't matter what you do with all the crap I flood you with.

    Actually, heh, he is doing a spin on the old "your machine is broadcasting an IP address" scam:

    Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account -- and therefore you -- and may disclose other information, such as your geographic location.

    Uhhh, I can get that from the numeric IP, who cares about the reverse DNS. Do the RIAA do reverse DNS lookups when they launch all those suits against IPs?

    This machine does have a static IP and proper DNS, so I don't know why his tool says it doesn't. Though, I don't really care.

    --
    I don't need no instructions to know how to rock!!!!
  12. Re:Impressions? Or bad reviews? by TheGrayArea · · Score: 4, Insightful

    One of my old friends from when I used to work at MS said to me, and I quote "With SP2 DCOM apps are fucked". The whole outgoing TCP connections limitation is going to cause a lot of issues w/ distributed apps using DCOM and other such things.

    --
    This space for rent.
  13. Re:Impressions? Or bad reviews? by 0racle · · Score: 4, Insightful

    Exactly what about SP2 makes moving to Linux unrealistic? SP2 is a needed update to an already good OS, but it's not some sort of revolution, and not something that I can see that would prevent someone from using Linux if indeed they really wanted to 'move beyond Windows.' Incidentally, when I wanted to try something new, I built a machine out of used parts and ran linux and windows, and I still do, so once again, what about SP2 precludes using Linux?

    --
    "I use a Mac because I'm just better than you are."
  14. Re:Impressions? Or bad reviews? by Stevyn · · Score: 4, Insightful

    Typical linux user response, "you're an idiot." Blaming the user for running this command which the handbook (as in RTFM) says to do is hypocritical. Blame microsoft when some fucktard installs gator, but blame the user when portage screws things up.

    I use emerge -p for doing this too, and I'm very cautious because I've read how this command can bork your system. And unless I've manually changed one of those config files myself, I don't know what they all mean or what the differences will make when etc-update changes them. I've heard dispatchconf takes care of this though. But my point is that he did what the manual said, and it borked the system.

  15. Re:Limited outbound connections by Dogun · · Score: 4, Insightful

    Having been network administrator at my living group in college, I have to mention the merits of fyodor's rather awesome tool. nmap has saved my ass a number of times, locating owned boxes, spotting shitty firewall setups, etc.

    On some occasions, I've used ARP poisoning on an owned box to figure out who's responsible. More often than not, it's a box at another university that was owned as well. Which is usually pretty obvious, thanks to nmap.

    And now that nmap picks up versioning information, I can scan my entire living group and make note of anyone who's running something abysmally old, too. Quite frankly, it kicks ass, because it allows me to address problems that I would have had a bitch hard time figuring out without it.

    As far as nefarious uses go... if people want to use the tool for bad, they're going to do so anyhow. From a *nix box at their disposal. Like any normal person. Also, if they're using the tool for bad, unless they're using the zombie scan feature, it's not all that anonymous, so... it's not something you want to do from your personal box, then.

    All in all, I think this was a poor move by msft, nerfing raw sockets like this. They've trashed one of the good features in WinXP, and I think people are going to care.

    As for those of you who think you know what the tool is for, I urge you to think a bit harder.

    Sure, you can scan the entire internet doing version scanning on port 80 looking for vulnerable IIS boxes, but there is still fallout from the last virus epidemic doing that. Or you can use nmap to assess your own vulnerabilities and help prevent dozens of hours dealing with idiots who don't read security related emails.

  16. Re:why they consider Nmap an "attack tool", by jeffasselin · · Score: 4, Insightful

    And you would ban tools just because they are also weapons? We should ban hammers, you can kill someone with a hammer! That way lies madness.

    And one significant difference between a gun and nmap: a gun requires little training or knowledge. Nmap requires computer skills and knowledge of networking. Basic for us, maybe, but not for everyone. It's also only a computer tool, hard to kill someone with nmap.

    In the end, though, restricting tools (whether they are to kill or hack) is a lost cause. You should instead try to provide wisdom in their use.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
  17. Re:Impressions? Or bad reviews? by prisoner-of-enigma · · Score: 5, Insightful

    It's been a while so I might have the numbers wrong...NT 4 SP4 was issued to fix NTFS which was horribly crippled by NT 4 SP3. I suffered through that.

    Um, I got news for you: NT4 was released around 1996. The service pack in question was released prior to the year 2000. The product you're speaking of isn't available for sale, isn't current, and isn't even officially supported any longer. We're more than halfway through the year 2004. Isn't it time people quit judging the quality of Microsoft software by what happened almost ten years ago? Would it be fair if I judged Linux's fitness for a particular task based upon a bad experience I had with the 1.x kernel back in 1997? No, but I constantly hear Slashdotters harp about how awful Win95/NT4 was and how nice Linux kernel 2.4/2.6 is when Linux clearly has the benefit of several more years of development under its belt. If you're going to castigate Microsoft for something, castigate current products by comparing them with current alternatives. Doing anything else is comparing apples to oranges.

    If such stuff came from Microsoft, it'd be called FUD, but since it comes from Linux lovers on Slashdot, it gets modded +1 Insightful. What a way to be fair and unbiased, huh?

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  18. Re:Impressions? Or bad reviews? by prisoner-of-enigma · · Score: 4, Insightful

    Contrast the following two comments from your response:

    Perhaps your sysadmin skills are lacking. I've never had an issue with using 'emerge --pretend -uD world' to see what will be changed,

    and

    The fact that a M$ service pack (which replaces M$ only software) can blow up some systems up here and there (one of the reasons why they added system restore points to service pack installations) just gives you an idea of how hard it is to maintain the Windows operating environment.

    So, if someone messes up a Linux "service pack" application, they're an idiot and Linux shares no blame, but if they muck up a Windows box, Microsoft is totally to blame. Yup, that makes all the sense in the world...if you're a Linux zealot.

    I feel sorry for the M$ developers that have to deal with dll hell and have to worry about retaining ancient compatibility with old libraries..

    I'll remember that next time I can't get an RPM to install due to dependency hell. That's just so much more fun than DLL hell, isn't it? Sure, I can mitigate that with apt-get and Synaptic package manager, but likewise Windows DLL hell hasn't existed in a long, long time due to built-in Windows DLL version control. Again, you're judging current Microsoft products based upon what they were producing almost ten years ago. You clearly have no idea whatsoever about how much improved Microsoft's current product line is. Perhaps you should research the things you're criticizing before you criticize them.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky