Microsoft Lists SP2 Incompatibilities
thejuggler writes "ZDNET has a story about how the new XP SP2 causes conflicts with over 50 applications and causes problems with others including some of Microsoft's own products. The 'glitch' as they are calling it seems to be that the Windows firewall system is turned on by default and blocks unsolicited connections to your computer. You have to unblock certain ports as your applications require to make the apps work again. They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?" The BBC has a story as well.
I snickered when I saw that list earlier today. Most of them are broken due to closed ports. Duh. Why not list every application that requires certain ports be open?
Any firewall can break any piece of software if it requires a port that is blocked.
This doesn't surprise me one bit. We all knew that it was going to cause problems for some programs. The funny part to all this is that there are a lot of MS programs on the list, as well as almost every well-known anti-virus and firewall program.
Everyone has a photographic memory, some just don't have film.
even though Microsoft is doing the "Right Thing", a majority of average (Below average?) users will complain until MS is forced to set the firewall to disabled by default. It's sad, but true.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
I'm not entirely happy with the popup blocker they've included, as it doesn't seem to be that configurable. However, the idea of blocking unsolicited ports is by no means a bad thing.
The vast majority of PC problems these days are rooted in the fact that most users are lazy, and don't want to be bothered with details. Perhaps they can read tax forms, but a simple Windows dialog? Forget it.
If users can't muster up more than an ounce of effort to secure their PC, they shouldn't be using one. Just as a driver needs to make sure their car is roadworthy, PC users need to be sure that their systems have at least some rudimentary method of protection. It's just not that hard, and it's not too much to ask.
If computer users can't manage to get their heads around simple dialogs (which SP2 questions pretty much are), they deserve the trouble they get... perhaps them being offline would reduce the spam & DDoS zombies.
I suppose wishing those people offline is a fantasy, but it certainly would help reduce the idiot factor on the net.
Do any of you actually use Windows Firewall anyhow? I've got no compatibility issues whatsoever because I'm using a hardware firewall in the first place, meaning SP2's default firewall was turned off rather quickly.
Nothing disturbs me more than blind loyalism towards some unrealistic and over-idealistic notion of one's nationality.
Lost it? i don't think so. I support several hundred users on a daily basis, and the vast majority of them barely know what the 'start' button is, let alone abstract concepts like 'ports' or 'firewalls'
as things stand right now, i don't see how ease of use and security can possibly go together. what is needed is user education, but the vast majority of users 'just want it to work' and refuse education.
... people have spent years complaining about Microsoft security, Microsoft don't change anything because they claim it will break stuff.
Microsoft folds and implements some security features which inevitably break things... then everybody gets upset.
You can't have it both ways.
Until someone logs into your network behind your firewall with an infected machine... If you ever have LAN parties or have a wireless network, you're exposed. Null
Seriously, this is an optional service pack. It hasn't really been out long enough to consider seriously deploying it on critical machines. Just give some time for the apps to catch up and sometime in the future this will be a non-issue. On the other hand, shame on the developers for not testing their apps with the release candidates to work out any bugs.
Perhaps, but beta testers tend to be more tech-savvy, so these so called 'glitches' (they are really 'difficulties') probably didn't bother them...
It's okay. People aren't going to open ports for every application. They're just going to disable the firewall, making everything better. It will be Windows XP SP2-1. It's funny, but it's true. Turning off the firewall is the first thing I'm going to do, when I get up enough courage to install the damn thing. Maybe I'll just test on some of my nicer clients.
From what I've read, the problems are that MS has finally introduced some default security. They are blaming third party vendors for relying on ports to be open and such. While this may be true, there is also the fact that since they've been able to do it for years and years with Microsoft based OSs, there's no surprise that when they actually started locking stuff down, it did break other programs.
These same (below) average users are the kinds of saps that are locked into Microsoft platforms merely because they are too lazy, naive, or both to use a different platform. If Microsoft says that the firewall will be enabled by default, the users will deal with it, because they don't have a choice.
It would be more likely that application authors will start including tools in their installation wizards for opening ports the application needs.
The sad thing is, any app could easily get past the firewall with a bit of social engineering. I saw a popup on a Windows machine infected with some ad/spyware today. The window started an automatic download (and thus, on Windows, install) of some app. The page showed a picture of the security warning dialog and told the user to just click Yes. Which is actually what most users will do, because they don't know any better, because nobody has taught them.
yeah...this is kinda lame.
Sounds like people are trying to find as much fault in Microsoft as possible. It looks like most of these aren't even problems but are something that Microsoft bashers can use to fuel their fires. As I'm sure many posts have already pointed out by the time I post this, a lot of these problems are just because of closed ports.
They aren't really "glitches"
And they have nothing to do with the actual code in the Service Pack (I've been running it fine since it was released on Winbeta).
If you took time to read the article, you'd find that the applications would work fine if you disabled the Windows Firewall. The applications fail because SP2 enables a firewall by default, and these applications do not work without an open port.
Anyone who tries to agree with the anti-microsoft FUD in the article above must be some kind of luddite or a really blinkered linux zealot.
Enabling a firewall by default in Windows is the greatest thing Redmond has ever done to try and make up for the horrors they've unleashed on the people of the world. Trying to spread even more FUD with the objective to stop people from applying this service pack is madness.
I am government man, come from the government. The government has sent me. -- G.I.R.
Oh come on! Next you're going to say it must be hard for a noob to compile a kernel! Man, RTFM!
Na, just kidding. You're completely right. There comes a time when the average user has to spend 20 minutes giving a shit about his computer and learn some basic fundamentals. At some point in time, people, in general, did the same thing for their cars. Old ladies will get their oil changed every 3000 miles yet your average user doesn't know it's bad to click yes to "do you wish to install spyware?"
I've had it with people asking me to help them out with their computers. I feel like a plumber who gets the question "hey, I just clogged my toilet by taking a huge dump, how do I fix it?" everywhere he goes. It's not the ignorance I mind, it's the indifference about computer fundamentals that leads to someone else fixing it. If people don't want to learn that "techno mumbo jumbo" then don't use a computer. If I said to the police officer "what the hell, blinker? Brake? Steering away from pedestrians? What is this auto mumbo jumbo?" I don't think he'd understand.
Exactly. Slashdotters have always constantly paid out on microsoft because MS has chosen ease of use before security.
Now, like a responsible company should, they've taken the drastic step of enabling a firewall on Windows by default. And, like any slashdot FUD loving crowd would, slashdot is blaming microsoft because a list of 50 third party apps won't run if some ports aren't opened on a firewall.
I'm happy with SP2, very happy at the extra security, especially enabling the NX bit on my A64.
I am government man, come from the government. The government has sent me. -- G.I.R.
Perhaps Windows Firewall is intelligent enough to remember that it just told you about this 3 seconds ago.
Take a look at the list of 'broken' apps, go read what a firewall does, then look at the list again. Firewalls break things that are used to having unrestricted access. That's a fact of life so get used to it. Changing security settings in an OS breaks things, get used to it. People can whine all they want about how their favorite game is broken by SP2 but the blame lies with the developer of that game, not MS, they shouldn't have made a game that handled network connections in such a sloppy manner.
"I use a Mac because I'm just better than you are."
So, everyone is whinging that the firewall included with XP SP2 is WORKING?
The 'glitches' listed on the KB articles would be affected by any end user firewall, or hardware firewall on the market. To bash MS for this is counter productive. They have done the right thing in enabling it by default. If you want to run a server, you ought to be smart enough to figure out how to configure your firewall. If not, then it's better for the net as a whole, you are the type of person still spreading Code Red.
If I were you, I'd uninstall Windows and install Linux. I do not trust companies to protect my rights.
Not one comment on the fact you *could* even roll it back.. and probably without too much of an issue I'm guessing.. They *are* learning (slowly, and as much as people hate to admit here). It just takes time. Your DVD issue seems legit, but most of this stuff being broken due to close ports is hardly a glitch.. it's called security.. and I for one say kudos for doing the right thing (at least partially).
Let's see... just for this application, through putting the version in its own field, in the same field as the application name, and misspelling it a couple different ways, (and varying the version unnecessarily) they've managed to list two separate versions of the application (8.6.1 and 9.1) and somehow come up with 6 separate entries... I think the list is shorter than y'all think...
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
The whole Service Pack 2 thing here on Slashdot has gone way out of control. You have to stop bashing Microsoft for every single thing they do. This time they tried their best. Yes, it might not work 100%, yes some things will break, but this is the nature of a firewall, and it's definitely the nature of Microsoft. Would you rather Microsoft hadn't released SP2? I don't think so.
Also, to those of you wise enough to know if you'll have compatibility issues, don't install SP2. It's clearly not for you. This is aimed at the average Joe user who browses the Internet, and checks his e-mail. It's designed to stop low level attacks instead of causing the next Blaster. Just because you are a Geek or a Linux guru does not give you the right to bash this, because it is not for you. There's a reason you're using Linux, right? Better security, etc? Stick with it.
And the final point, a lot of you are complaining about how the average user knows no better than Microsoft, and can't defend themselves against simple spyware. Then for God's sake, please go out and help these people! You wouldn't believe the number of people who come to me to fix their laptops about various problems (mostly spyware and viruses), and I always educate them on the matter. I don't just fix it for them, I make sure they understand exactly what they did wrong, and how never to repeat it. And to those of you who believe that they should be ditching Windows XP for Linux... forget it. It's not for them. They'll have no reason to switch over. You're preaching to the wrong choir. Talk to those who you know will be interested rather than the average user.
If they were interested in helping newbies, they wouldn't be blowing grandma out of her chair with a first step such as:
1. Click Start, click Run, type wscui.cpl in the Open box, and then click OK.
Whatever happened to click start, click on the control panel, then click on the icon...?
I fear the easiest solution for most will just be clicking the disable box next to the firewall service.
it is NOT OKAY to open up a machine in root (as windows is) to the world for the sake of an application doing something the user may or may not know about in the background. it was NOT OKAY to maintain for lo these many years that the backdoors of ActiveX and DirectX to kernel functions to be open for all and sundry just because it made pretty things happen in demos.
it was NOT OKAY for microsoft to assume blithely that users are all dunderheads who can't be educated, can't take responsibility, and can't be trusted to make choices.
the only thing broken is not the 50-odd apps, but the corporate vision of M$. they need to deal with the facts: it is not "the Connected Internet with each user a Member Of The Community" any more; everything is interconnected and bad boys can roam the streets unseen and unbidden in Electron Town; and, finally, welcome to the 21st Century, M$, please read the rules this time.
if you want a really good firewall, consider either tiny firewall or zone alarm, both much more friendly and complete, and free as well as licensed/supported versions of both available for download any time you want.
if this is supposed to be a new economy, how come they still want my old fashioned money?
A list of applications broken by windows Internet Connection Firewall (which I don't use)
A list of applications broken by the NX features on X86-64 (which I am not affected by)
and A list of applications broken by other things
Rejected by slashdot editors.
The mods may be on crack, but the editors are on something much juicier.
And funnily enough, just by pointing it out, you can inadvertently exclude yourself from moderator duty.
Humbug.
I installed it as Beta on my work machine and haven't had any issues with it affecting my access to critical applications. Anytime something new attempts to access the net a dialog pops up and asks what it should do. This is the same behavior that Zone Alarm does, and that's what I would hope to see.
I can still work, I'm able to use Remote Desktop and VPN into work from home.
Either you want Microsoft to be security minded and patch holes, or you want it to be easier to use and less secure. Pick one, you can't have both.
This is not an assumption, it is a conclusion (and one shared by anyone who has ever spent time trying to support end users). Most users are dunderheads, won't take responsibility, don't want to be educated and can't be trusted to make good choices.
Not all, mind you, but certainly most.
There's a common misconception that the ports above 1024 are somehow "safer" than the lower-numbered ports. As far as an attacker is concerned any tcp port is as good as any other if there's a service listening on it.
All's true that is mistrusted
Those that are running local servers or use it for IPC - it's very common.
I still firmly believe that a person needs a bit of an education before using a personal computer of any sort, especially one with internet access. For their own safety, if not for the safety of others. This isn't the sort of thing that can be remedied by making UI's more intuitive or friendly. Some things you just need to know. For example, everyone should know: what the Internet is; that not everyone on it is trustworthy, and most importantly to READ BEFORE YOU CLICK.
Ignorant (and often gullible) users are too easy to manipulate; 90% of the time it is they who succumb to the shenanigans of fraudsters and virus-writers. For their own sake they need an education, Lord knows the worst of them don't have any common sense.
And indeed, every user should know how to operate a basic firewall. It's an easy thing to explain, especially at the level of allowing or disallowing programs access to the 'net. I've taught several people how to use ZoneAlarm or McAfee Firewall. Most people understand it pretty quickly.
Perhaps if the education can be integrated into the UI somehow (error/warning/question dialog boxes with more pedestrian language and more explanation), we might make some headway against the exploitation of ignorant users.
Don't run as root.
Nobody in their right mind would run as root in OSX, in fact root is disabled by default.
Are you a troll or are you clueless?
Jesus was a compassionate social conservative who called individuals to sin no more.
And so what if you installed a hardware firewall? Would you say it is broken if it came with all the ports closed? No, of course not! That is what it was designed to do. Don't blame Microsoft because its software does what it's designed to do! (Especially if that software actually improves the security of their products!)
As for your comment on these programs having been this way for "years and years", that is somewhat disingenuous. These features may have only been around as long as the internet has been popular, starting around 1996 (or, the "Information Superhighway" aka shoot-me-now-and-put-me-out-of-misery era). Moreover, since these programs require an internet connection with certain ports open, then I'd speculate these were implemented after broadband connections became popular around, what 2000? That was only four years ago, hardly the "years and years" you make it seem.
Even so, just because these programs were doing this for "years and years" doesn't mean they were doing the correct thing in the first place. The third-party software should actually tell their customers that certain ports need to be open. (What a concept!) Actually telling the customers within the software would be ideal. Otherwise, manufacturers should have some place on their website that explains what ports need to be open.
SimCity for Windows 3.x had a bug in its handling of memory that caused it to crash on Windows 95. Microsoft had to add code to test if SimCity was running and handle it appropriately; if they had not done so, the crash would not have been Microsoft's fault-- the bug wasn't.
MS has been moving away from their mantra of absolute reverse compatibility. That's sad, since that's one thing at which they used to be very good. Still, if SP2 uncovered a bug in someone else's software, that's not SP2's fault; you have to know whose bug it was.
MS could easily err on the side of caution and just block its own file sharing, etc ports and other system ports that usually reside under 1025. Everything else would be open. Not everyone is a techie who can diagnose every app's port and do the forwarding.
Inbound and outbound port management is really too much for technophobes. I usually set up a simple firewall and open up everything after 1025. They don't get hit by trojans and their apps work. If they do network printing, sharing, etc I just make exceptions for the NAT subnet they are using.
I know it's heresy in these parts to speak ill of firewalls, but the more they nag and the more they break apps the higher the chance they will just get shut off. The worst thing you can do for a person is give them Zone Alarm or some other nagware.
Real protection comes in email scanning, patching, and future CPUs which support NX (currently only AMD64). Not in blocking every damn port out there and pretending one is protected.
Given this dialog: How many users are going to click "Yes"? You think it is stupid if a user clicks "Yes" but do you know how stupid it is to allow the user the option to click "Yes" and ruin their computer?? Now change "Ruin your computer?" to "An application has requested traffic on port 139. Open it?"
This is a simplified example yet this is what's happening. A firewall is supposed to stop network traffic inbound or outbound that isn't accounted. Allowing the user to sidestep this easily is as handy as asking if they want to ruin their computer: Yes or No. Even with the improved features I'm still going to get calls from Mom saying something complained it wanted access so she clicked "Yes" to get it to shut up. Expecting users to be savvy enough to patrol their computers got MS into this mess with SP 2. Now people are suddenly going to be wise??? Something doesn't add up.
I am not knocking SP2 since there are great things going on here but as the old saying goes: Security is a process. SP2 still "enables" users to screw up their computers with a few more hoops to jump through. I would rather have my parents have to jump through a few more hoops before they hang their computer with all of the wonderful "rope" MS gives them but I'm still very bothered it's easy to hang themselves.
Simply put, in my opinion Zone Alarm is right and SP2 is wrong. The firewall is there to stop unwarranted traffic not to conveniently prompt you to disable it.
Enabling a firewall by default in Windows is the greatest thing Redmond has ever done
Only problem with it - they made it nine years later than they ought to.
Looks like many users who aren't very windows savvy are going to have to make the choice between security and usability... I do think that this is partly MS's fault and partly that of co's whose apps shouldn't require an internet connection (especially on obscure ports) do. I've never been a big fan of software firewalls but the flaw (imho) in windows firewall which allows it to be disabled by other applications should allow third party developers to release patches that will reenable the necessary ports... Overall SP2 will do much more good than bad for the average user and minor "glitches" are definitely worth the added security for many of the users I know are waiting for the public release.
All the torrents you could want.
Ahh, so it's not Microsoft Word, Microsoft Excel and a whole screed of Microsoft Office bits and pieces included in that list? Just some third party apps with the same names?
I thought that was a bit odd...
Cat.
I'd love to know what the point is in a "personal firewall" - seriously.
A computer does _not_ need a firewall - it is configured correctly, all those nasty services with security holes in aren't even listening to the internet-facing interface (because you've got it configured correctly). There's no advantage in having a firewall over having the services configured correctly.
The *only* reason to have a firewall is that if you make a mistake and accidentally open a service you didn't intend to, the firewall is there as a failsafe. If you link the firewall and service controls together so you only have to press one button to enable a service you remove this advantage and there is again no reason to have a firewall.
Rather than running hundreds of services you don't need and then blocking them, it would be far better to have a unified way of telling all services which interface to bind to - to the end user this would appear like a firewall configurator anyway.
And if you must insist on prompting the user each time Doom 3 opens a listening network port then tie it in with the IP stack properly and prompt the user when it actually opens the port.
To me, the concept of using a personal firewall as your primary method of security is a kludge - if you need one then your machine's configuration is fundamentally broken and that's where you should be applying security.
http://blog.nexusuk.org
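Two points raised in the comments above (a listening port above 1024 is exactly as reachable as a low one, and a service bound only to the loopback interface is not exposed at all) can be checked on a host by reading its listener table. The following is an added example, not part of the thread: the `netstat -ano` style output is constructed sample data, and the function names are illustrative.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout of Windows `netstat -ano` (not real output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1208
  TCP    192.168.1.20:1042      203.0.113.7:80         ESTABLISHED     2044
  TCP    [::1]:8307             [::]:0                 LISTENING       3000
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    pid: int
    exposure: str  # "loopback", "all-interfaces" or "specific-interface"


def classify(address: str) -> str:
    """Decide who can reach a listener from the address it is bound to."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"            # only local processes can connect
    if ip.is_unspecified:
        return "all-interfaces"      # 0.0.0.0 / :: accepts on every interface
    return "specific-interface"      # bound to one LAN/WAN address


def parse_listeners(text: str) -> list:
    """Extract TCP sockets in LISTENING state; skip headers and connections."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]")      # IPv6 literals are printed in brackets
        listeners.append(Listener(host, int(port), int(fields[4]), classify(host)))
    return listeners


def network_reachable_ports(listeners) -> list:
    """Ports an inbound filter has to cover: everything not loopback-only."""
    return sorted(l.port for l in listeners if l.exposure != "loopback")


def loopback_only_ports(listeners) -> list:
    """Ports used for local IPC that need no firewall exception."""
    return sorted(l.port for l in listeners if l.exposure == "loopback")


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for l in found:
        print(f"{l.address:>15}:{l.port:<5} pid={l.pid:<5} {l.exposure}")
    # Port 5000 is above 1024 and just as exposed as 135 and 445.
    print("reachable from the network:", network_reachable_ports(found))
    print("loopback only:", loopback_only_ports(found))
```
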
Perhaps his software likes to phone home, and the firewall is getting in the way?
According to the document, the updated firewall may prevent computers from properly connecting to outside networks, limiting systems' abilities to effectively receive data.
Isn't that what a firewall is supposed to do, limit connections such that a trojan/virus/spyware or something couldn't get out or in?
--
Adobe's anti-counterfeiting softw
The *only* reason to have a firewall is that if you make a mistake and accidentally open a service you didn't intend to
Wrong. Suppose there is an issue in the IP stack itself? The machine can still be knocked over - a la early NT 4.0 - by crafted packets even if no services are listening. Can you see where a firewall might help?
the firewall is there as a failsafe
Yes, it is. There is a concept called "multi-level security"; you should look into it. Essentially the machine is protected by multiple overlapping sets of controls so the loss of one control is not catastrophic.
I want to drag this out as long as possible. Bring me my protractor.
Windows has finally collapsed under the weight of all the patches that have been added to it. Patches to fix security holes, patches to fix the stuff that doesn't work because of the other patches, and patches for patches - all built on an infrastructure that was fundamentally rotten. The fact is, so much software depends at low levels on Windows's lack of security, it was bound to break good and hard when the real issues were addressed. And now it's impossible to maintain backward compatibility, because the legitimate software is using exactly the same security holes as the malware.
..... because Microsoft decided that there are some things that the user does not need to know about or have any control over.
Whether the closed source nature of Windows and Windows applications encourages this kind of slovenly programming is not the real issue here. The real issue dates right back to the early days, and the difference between mini- and microcomputers.
Unix was conceived from the outset as a minicomputer OS. That meant it had to have at least some awareness of multiple users -- some of whom might be dangerous, whether due to malice or incompetence. Privilege separation was built in from the outset; with just one, special user account able to do absolutely anything, including bring the system down irretrievably. This purposely was never blocked.
MS-DOS was conceived from the outset as a microcomputer OS -- it was once a CP/M clone. A computer running DOS would have a single user, and not be connected electrically to anything else -- except maybe a minicomputer, via an RS-232 serial link; and requiring a particular program to send data to and accept data from the port, and when that program is not running, nothing happening on the port can affect what the computer is doing. Therefore, there was no need for privilege separation; that one user could effectively be given root privileges. Or almost
Advance a few years and we have networks. Unix -- thanks to the ingenious concept of treating everything as a file -- gains the ability to treat storage devices and peripherals attached to other network nodes as its own. MS-DOS PCs are generally connected to communal file and printer servers -- effectively, using the network as an alternate hard disk / printer interface. This functionality has just been bodged in, a little at a time, as and when necessary.
Now remember that Linux and Mac OS X are both based on Unix -- which was already a fully fledged, network-aware system -- while Windows is based on MS-DOS, which began as an "island" system without giving the user full manual override ability. In other words, someone could cause Windows to run a program without the user even being aware of it, much less able to do anything about it.
Once you factor in a huge influx of clueless users -- and I'm talking tipp-ex on the screen, broken the coffee cup holder, adding up the spreadsheet with a calculator type cluelessness -- this becomes a recipe for disaster. For Windows to reach the point of total unusability was inevitable, and -- this sticks in my craw a bit -- it's a testament to Microsoft's hard work and determination that it's actually taken up to now for this to happen.
Je fume. Tu fumes. Nous fûmes!