Windows XP SP2 Impressions
A roundup of concerns and problems with Windows XP SP2 from the early adopters: Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications. A Microsoft blog rounds up some reports, as does SANS. Microsoft has objected to people helping them distribute SP2.
Your list of 'impressions' is nothing but bad things people are saying. Any links to the other views?
If not, simply change the title to "Bad things popping up with SP2" or something to that effect.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I have a view. It hasn't caused a problem on any machine in my office, and I can only say that my personal machine at least "feels" more responsive.
Look, this is slashdot. They aren't going to be objective. For years the whine has been "MSFT default security is teh suck". MS releases a service pack that locks the boxes down reasonably well. Now that's something to complain about: "my kazaa is teh broked!"
Limiting outbound TCP connections to something sane makes sense. Let the extreme P2P kiddies relax the rules manually. On the majority of desktops (not SERVERS) out there, an inordinate amount of outbound traffic is a sign of something bad, like a backdoored spam relay or the machine has been taken over as a DDoS drone.
SP2 crashed a lot of machines that were already exploited. Good. They were already broken. Now those guys can go to Best Buy, who will format and reinstall for them, juice them up with SP2, and there's one less source of SPAM/DDoS/Worms/stupidness.
IMO, SP2 was a huge step in the right direction, and confirmation to me that MSFT is doing more than paying lip service to security.
Of course, this is slashdot, and everything they do is wrong.
It's worth noting that I've never borked a windows box installing a service pack, all the way back to win 95. On the other hand, I've lost track of how much time I've spent cleaning up after typing "emerge -uD world". I thought I'd mention that so I can ensure I'll be modded troll. It's true, though, I swear it.
I don't need no instructions to know how to rock!!!!
...even if it isn't true.
Y'all complain that Microsoft doesn't care about security, but when they release a MASSIVE security patch, you try to find (and if that fails, fabricate) any and all tiny inconveniences it causes.
As others here have pointed out, it doesn't block ALL outbound TCP connections, just incomplete ones. Would it kill an editor to come out and say for once that "Microsoft did a pretty good job here."?
And no, I'm not new here.
"Ask not what your country can do for you." --John F. Kennedy
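The distinction the poster above draws (a cap on incomplete outbound connections, not on outbound connections as such) is easy to see in a small model. The simulation below is an added example and is not SP2 code or anything from Microsoft; the cap value, the class name and the method names are assumptions for illustration. A connection is "half-open" between sending the SYN and receiving the SYN/ACK, so a workload whose peers answer promptly (ordinary browsing) never fills the cap, while a workload that keeps trying unreachable peers (typical of P2P) piles up half-open slots until new attempts are held back.

```python
"""Model of an outbound half-open TCP connection limiter (added example,
not SP2 code). Only connections with a SYN sent and no SYN/ACK yet count
against the cap; established connections do not. The cap value used in
the demo workloads (10) is an assumption, not a figure from the page."""
from collections import deque


class HalfOpenLimiter:
    def __init__(self, max_half_open: int) -> None:
        self.max_half_open = max_half_open
        self.pending = set()        # SYN sent, no reply yet (counts against cap)
        self.established = set()    # handshake finished (does not count)
        self.queue = deque()        # attempts held back while the cap is full
        self.deferred_count = 0

    def connect(self, conn_id: str) -> str:
        """Attempt a new outbound connection: 'sent' or 'deferred'."""
        if len(self.pending) < self.max_half_open:
            self.pending.add(conn_id)
            return "sent"
        self.queue.append(conn_id)
        self.deferred_count += 1
        return "deferred"

    def handshake_complete(self, conn_id: str) -> None:
        """Peer answered with SYN/ACK: the slot is freed, queue drains."""
        self.pending.discard(conn_id)
        self.established.add(conn_id)
        self._drain()

    def timeout(self, conn_id: str) -> None:
        """Peer never answered: the slot is freed as well."""
        self.pending.discard(conn_id)
        self._drain()

    def _drain(self) -> None:
        while self.queue and len(self.pending) < self.max_half_open:
            self.pending.add(self.queue.popleft())


def run_workload(peers, max_half_open: int) -> HalfOpenLimiter:
    """peers: list of (conn_id, responds). Responsive peers complete the
    handshake immediately; unresponsive ones stay half-open for the whole run."""
    lim = HalfOpenLimiter(max_half_open)
    for conn_id, responds in peers:
        lim.connect(conn_id)
        if responds and conn_id in lim.pending:
            lim.handshake_complete(conn_id)
    return lim


# Constructed workloads: every web server answers; every third P2P peer is dead.
WEB_WORKLOAD = [(f"web{i}", True) for i in range(30)]
P2P_WORKLOAD = [(f"peer{i}", i % 3 != 0) for i in range(30)]

if __name__ == "__main__":
    for name, peers in (("browsing", WEB_WORKLOAD), ("p2p", P2P_WORKLOAD)):
        lim = run_workload(peers, max_half_open=10)
        print(f"{name}: established={len(lim.established)} "
              f"half-open={len(lim.pending)} deferred={lim.deferred_count}")
```

The browsing workload reaches 30 established connections with nothing deferred; the P2P workload stalls once its ten dead peers occupy every half-open slot, and the last two attempts are held back even though the responsive peers would have answered. Freeing a slot with `timeout()` lets the queue drain, which is why the effect shows up as slowness rather than outright failure.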
Other than that it's fine; I turned off the firewall; I'm already NAT'd and have limited ports of entry anyway.
The nice thing about the firewall is that every program that isn't signed that wants to become a server (listen on a port) has to get your permission first. That makes it more likely that you'll catch a malicious program like spyware before it starts sending your browsing activities off to the deep dark jungle of the internet.
Your standard off-the-shelf router from BestBuy won't do that for you.
Unless you run something equivalent like ZoneAlarm, I would suggest you turn it back on.
Of course. But Microsoft warned everyone that SP2 was more concerned with security than it was with compatibility. The fact that some custom-written software breaks should not be a surprise to anyone.
Boobies never hurt anyone. - Sherry Glaser.
Security by definition must limit functionality. The best you can hope for is that the functionality limited is less valuable than the security gained.
Microsoft management has finally realized that in order to avoid the gigantic fiascos of the past year's worms, they have to limit some functionality. My guess is Microsoft engineers have been telling their management this for a long time, and finally, they were heard.
M: Is our product secure?
E: The only way to improve security is at the expense of features.
M: No way. Features sell the product.
M: We need to patch this security hole.
E: The only way to improve security is at the expense of features.
M: I still can't accept this.
M: Please, dear god, do ANYTHING to fix these security problems!
E: The only way to improve security is at the expense of features.
M: All right, all right! Do it!
Let's wait until we have some real data, as in definitive reports that particular applications break.
I hate to play Devil's Advocate, but DUH... look at this from Microsoft's perspective. Having non-Microsoft sources distributing SP2 has two huge negative aspects for them:
1) Unthrottled Rollout
Having P2P'ers flooding the patch to "everyone-and-their-monkey's-uncle" destroys any potential throttle control that Microsoft might have had. Microsoft's initial plan was to trickle the rollout of SP2 out at only 25,000 downloads a day, exclusively via Windows Update. This is extremely practical due to the scope of the patch -- it makes a lot of sense for them to control the release in case a catastrophic show-stopper pops up, and also to allow developers some extra update time.
2) P2P Security Liability
Let's face it, Microsoft has a right to have their skivvies in a knot over people downloading any Windows patches from 3rd party sources. The infamous "Average Joe" (the guy who opens email viruses twice a week) isn't going to do an MD5 checksum comparison on a patch from a P2P net before running it -- who's to prevent someone from hacking up their own little "SP2" cocktail exe and distributing it? Ultimately the shit would hit the fan and Microsoft would take it in the face.
Even those who do check MD5 digits on a P2P-downloaded patch need a trusted source for the correct checksum... again, Microsoft doesn't want to be liable. Sure, it could be argued that Microsoft could provide the MD5 checksum themselves, but then "Average Joe XP User" would never check it anyway because "Microsoft says it's ok, so it must be safe!"
-----
"Cogito Eggo Sum: I think, therefore, waffle."
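The checksum point in the post above comes down to where the digest came from, not whether the digest matched. The script below is an added example, not code from the thread or from Microsoft; the sample installer bytes are constructed stand-ins, and the function names are assumptions. It checks a downloaded blob against a digest and shows that a digest bundled by the same distributor as the file proves nothing, while a digest obtained from the vendor catches the modified copy. MD5 is used because that is what the thread discusses; the same function accepts any `hashlib` algorithm name.

```python
"""Download integrity check (added example, not code from the page).
Demonstrates why the digest must come from a source other than the
file's distributor: a tampered file shipped with its own matching MD5
passes, a tampered file checked against the vendor's digest does not."""
import hashlib
import hmac


def digest_hex(blob: bytes, algorithm: str = "md5") -> str:
    """Hex digest of blob using any algorithm hashlib knows (md5, sha256, ...)."""
    return hashlib.new(algorithm, blob).hexdigest()


def verify_download(blob: bytes, expected_hex: str, algorithm: str = "md5") -> bool:
    """True if blob hashes to expected_hex. compare_digest avoids leaking
    how many leading characters matched through timing."""
    actual = digest_hex(blob, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed sample bytes standing in for the real installer (not SP2 data).
GENUINE = b"WindowsXP-SP2-installer (constructed sample bytes)\n" * 4
TAMPERED = GENUINE.replace(b"installer", b"trojaned!", 1)

# Digest obtained out-of-band from the vendor's own site.
VENDOR_MD5 = digest_hex(GENUINE)
# What an untrusted redistributor might ship: the file plus *their* digest of it.
PEER_BUNDLE = {"file": TAMPERED, "md5": digest_hex(TAMPERED)}


def outcomes() -> dict:
    """Three verification scenarios from the thread, as a name -> bool map."""
    return {
        "genuine_vs_vendor_md5": verify_download(GENUINE, VENDOR_MD5),
        "tampered_vs_vendor_md5": verify_download(TAMPERED, VENDOR_MD5),
        # Matches, because the attacker supplied both the file and the digest.
        "tampered_vs_peer_bundle_md5": verify_download(PEER_BUNDLE["file"], PEER_BUNDLE["md5"]),
        # Same check with a stronger algorithm; only the digest source changes the answer.
        "genuine_vs_vendor_sha256": verify_download(
            GENUINE, digest_hex(GENUINE, "sha256"), "sha256"),
    }


if __name__ == "__main__":
    for scenario, ok in outcomes().items():
        print(f"{scenario}: {'OK' if ok else 'MISMATCH'}")
```

The only scenario that fails is the one the poster wants: a modified file checked against a digest the distributor did not control. A digest that travels alongside the file over the same channel can always be regenerated by whoever modified the file, which is the thread's point about needing a trusted source for the checksum.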
This guy drives me nuts. I can't stand FUD and lies.
I'm talking about the "shields up" thing. It claims if you're in "stealth mode" then your machine is invisible. This is idiotic.
Dropping incoming packets doesn't make you "invisible". If you were "invisible" and I tried to ping you, I'd get a "destination unreachable" error. If I get timeouts, I know you're there and dropping my packets. If you replied to my pings with "destination unreachables" you might trick me, unless I noticed that the destination unreachable messages were coming from the IP I was pinging (duh!).
It's as false as the "your machine is broadcasting an IP!" popups.
Fuck him and his crusade to break the internet by trying to convince people there's something to be gained by dropping incoming packets, instead of responding with a proper RST packet or ICMP message.
Linux folks, set your default firewall properties to DENY, and not DROP. It doesn't make you vulnerable, it doesn't allow SYN floods (which attack by spawning multiple server threads on a local port - an application vulnerability not a TCP/IP one).
It doesn't "hide" you from scanners, as he claims.
It doesn't prevent DDoS attacks; if I have enough bandwidth to clog your downstream, it doesn't matter what you do with all the crap I flood you with.
Actually, heh, he is doing a spin on the old "your machine is broadcasting an IP address" scam:
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account -- and therefore you -- and may disclose other information, such as your geographic location.
Uhhh, I can get that from the numeric IP, who cares about the reverse DNS. Do the RIAA do reverse DNS lookups when they launch all those suits against IPs?
This machine does have a static IP and proper DNS, so I don't know why his tool says it doesn't. Though, I don't really care.
I don't need no instructions to know how to rock!!!!
It's been a while so I might have the numbers wrong...NT 4 SP4 was issued to fix NTFS which was horribly crippled by NT 4 SP3. I suffered through that.
Um, I got news for you: NT4 was released around 1996. The service pack in question was released prior to the year 2000. The product you're speaking of isn't available for sale, isn't current, and isn't even officially supported any longer. We're more than halfway through the year 2004. Isn't it time people quit judging the quality of Microsoft software by what happened almost ten years ago? Would it be fair if I judged Linux's fitness for a particular task based upon a bad experience I had with the 1.x kernel back in 1997? No, but I constantly hear Slashdotters harp about how awful Win95/NT4 was and how nice Linux kernel 2.4/2.6 is when Linux clearly has the benefit of several more years of development under its belt. If you're going to castigate Microsoft for something, castigate current products by comparing them with current alternatives. Doing anything else is comparing apples to oranges.
If such stuff came from Microsoft, it'd be called FUD, but since it comes from Linux lovers on Slashdot, it gets modded +1 Insightful. What a way to be fair and unbiased, huh?
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky