Slashdot Mirror


Microsoft Lists SP2 Incompatibilities

thejuggler writes "ZDNET has a story about how the new XP SP2 causes conflicts with over 50 applications and causes problems with others including some of Microsoft's own products. The 'glitch' as they are calling it seems to be that the Windows firewall system is turned on by default and blocks unsolicited connections to your computer. You have to unblock certain ports as your applications require to make the apps work again. They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?" The BBC has a story as well.

45 of 539 comments

  1. SP2 incompatible by bunburyist · · Score: 5, Interesting

    I've not seen it mentioned anywhere, so maybe it's just a drive incompatibility issue, but when I installed SP2 RC1, I could no longer play DVDs - I would receive an error telling me that the TV OUT on my card must be disabled first. I rolled back to SP1 and bingo, everything would play fine again.

    1. Re:SP2 incompatible by Doppler00 · · Score: 1, Interesting

      Maybe Microsoft has snuck in some DRM (digital restriction management) "enhancements" in this new release? I would not be surprised.

    2. Re:SP2 incompatible by PedanticSpellingTrol · · Score: 1, Interesting

      Looks to me like they're trying to turn DVD playback to a television into an "exclusive feature" of Windows Media Center Edition.

    3. Re:SP2 incompatible by NanoGator · · Score: 1, Interesting

      " How would this possibly be the fault of the DVD player software if it stopped working "after" the SP2 install and not before?"

      Maybe the software only works in SP1 because there was a flaw in it. You can sit there and shake your head if you like, but I actually have a DVD that will not play on my computer because it doesn't have Macrovision. I agree it's more likely that MS just broke something, but in this silly case (TV out?!) I wouldn't rule out Macrovision silliness.

      "Are you an MS shill or something?"

      Don't be an ass. Somebody should amend Godwin's law to include calling somebody a shill.

      --
      "Derp de derp."
    4. Re:SP2 incompatible by jrockway · · Score: 4, Interesting

      Solution? Ignore the flags. Install mplayer.

      Oh but that's ILLEGAL. Please tell me why it's illegal to play a DVD i bought on a computer i bought. Thanks.

      --
      My other car is first.
    5. Re:SP2 incompatible by utamaru · · Score: 2, Interesting

      Simple. All DVD players by law have to include Macrovision to prevent someone recording to VHS or another DVD, while PCs don't output Macrovision. M$ is probably saving their ass from DMCA.

  2. hmm... by Savves · · Score: 1, Interesting

    wouldn't they have found these "glitches" earlier by the SP2 beta testers..?

    1. Re:hmm... by obeythefist · · Score: 2, Interesting

      I noticed that a couple of applications don't work with my Athlon's (hammer core) NX bit enabled. But clicking "Add" to the "permitted apps" list is a simple once-off operation like a firewall.

      Trillian and Warlords:Battlecry III were the only apps with this "problem" to date. For some reason they're bypassing some Windows APIs and directly executing code from memory they're not supposed to. This isn't Microsoft's fault either - I love watching Windows and my CPU working together to ensure code that runs is not doing anything dodgy.

      But I can agree with the consultants a while ago - with SP2 for XP, buying anything but Athlon K8 is a bad security decision.

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
  3. Activation by n9uxu8 · · Score: 2, Interesting

    Lord knows CodeWarrior's IDE activation is flummoxed by sp2... Dave

  4. forgot to mention Intel Landesk by stonebeat.org · · Score: 2, Interesting

    Intel Landesk (an MS SMS competitor) also has issues when SP2 is installed. But why would MS care about that? According to them everyone should be using SMS.

  5. My first reaction? by Anonymous Coward · · Score: 1, Interesting

    Good! at long last all those applications that want to phone home are getting busted. WTF is an application doing opening ports on the localhost anyway?

  6. Default Port Blocking is wrong when... by Jack9 · · Score: 2, Interesting

    You just decide to implement a 100% turnaround in how your OS policy worked before (without making a big deal of it, of course...I'm sure it was documented somewhere). This is almost akin to "Oh yeah, and XP only reads DOS partitions now...er again...er yeah, just like you wanted!". This blunder is complicated by MS applications not always documenting what ports they are using because that's proprietary information and of course you can always buy the product and ask the licensed technical support.

    --

    Often wrong but never in doubt.
    I am Jack9.
    Everyone knows me.
    1. Re:Default Port Blocking is wrong when... by EvanED · · Score: 3, Interesting

      According to this Register article, it's not like MS made SP2 come out of the blue. App vendors have had plenty of time to start thinking about the changes they might need to make.

    2. Re:Default Port Blocking is wrong when... by Tarkwyn · · Score: 3, Interesting

      Most of us conscientious 'app vendors' have been diligently studying the various release candidates coming out of Redmond.

      Before beating on the ISVs make sure you check out a legitimate bug in SP2. This particular bug wasn't present in RC2 and has caused a good few slashdot-friendly vendors some undue heartache (notably PuTTY).

      Yes, there are vendors out there who ought to have been more prepared, but MS certainly needs to take a good deal of responsibility for these current issues.

      --
      Tarkwyn.
  7. Re:News Flash: Firewall Blocks Inbound Traffic by halowolf · · Score: 5, Interesting
    Yes it was exactly my response. They had games listed that require internet access to play them online like Unreal Tournament.

    What I think is the "real" issue here is that customers that have installed SP2 simply don't have a clue about what a firewall is, what it does, and how to use it. The problem is also no doubt being exacerbated by programs that needlessly try to access the network.

    But I always take the time to say "shame on you" to programs that needlessly try to access the network when their primary function has absolutely nothing to do with networking, ESPECIALLY when their networking options are turned "off".

  8. ya kidding me? by Stevyn · · Score: 1, Interesting

    At the top of the list was visual studio .net. Are you kidding me? Their new software "concept" that's going to revolutionize can't be created using a computer running sp2? Does this mean .net is inherently insecure, or just this remote dcom debugging? I'm ignorant on what that is so my point won't be to spread FUD about .net, just to say "what the shit?"

    It seems to me that when a company spends this much time working on a service pack they can't yell down the hall for the .net guys to make a patch for sp2. Even if they made a patch, they should have put it in sp2 as an option. It seems like poor management to surprise people that even their own software won't work with sp2.

    I still commend microsoft for closing those old holes and throwing perfect compatibility in the wind in this case. Sometimes you just got to bite the bullet and focus on new security. Hell, look at OSX. IIRC, photoshop didn't work initially with OSX, but apple had the balls to let OSX create the demand.

    Now that last statement may sound contradictory, but notice that apple doesn't control adobe whereas microsoft controls microsoft.

  9. Re:Time for change? by GoofyBoy · · Score: 3, Interesting

    If I don't know how to open up ports on a firewall or even what a firewall is, how the hell am I going to figure out how to install Gentoo?!?!?

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  10. Re:Time for change? by King_TJ · · Score: 4, Interesting

    I'm sorry, but I'd almost have to call your post a "troll" - even though you're not necessarily wrong about everything you said....

    Realistically, how is a Linux distro like Gentoo a real "alternative" at all, for the average PC user wanting a "workstation OS" that runs all of their purchased "off the shelf" software packages??

    Just as one little example, a good friend of mine recently wiped Windows XP off his Dell Latitude laptop and replaced it with the latest Gentoo Linux distro. He could only stand it for about 3 days before deciding it just made his laptop *less functional* than it was worth, and went back to XP.

    It's not that he dislikes Linux! He thinks it's great! (So do I, for that matter.) It's just that Linux is based on a *server-centric* OS (Unix), and all the attempts to reconstruct it as a desktop workstation OS with user-friendly GUI are less than fully realized.

    I'm all for competition, but as much as some people want it to be, I don't think Linux is really the direct competition for Windows XP right now. If anything, it's poised more as a sensible alternative for something like Windows 2000 or 2003 Server.....

    If you want a Unix type OS done right as a workstation, I think Apple already pulled it off better than anyone else -- but that's getting into a whole new hardware AND software investment.

  11. Re:The sad thing is.. by Geoffreyerffoeg · · Score: 2, Interesting

    That shouldn't happen. Of course the system should allow unfettered connections to localhost, and the system's own public/LAN IP. Firewalls should wall off the outside.

    I'm sure a simple update to add "if (connection.ip != INADDR_LOOPBACK)" to the firewall code. Frankly, I'm surprised it wasn't already in there.

  12. Designed for newbies by ktorn · · Score: 4, Interesting

    Turning on the firewall by default is a design for newbies, and rightly so.

    My mother doesn't know what a firewall is, never mind how to switch it on.
    Those who know what it is, and how to configure it, will be able to open the required ports or allow the required programs access to those ports.

    The clueless might not be able to use some programs, but if that means viruses and worms will not spread as much as before then it's something I think we all can live with.

  13. Re:Not a big deal... by WhatAmIDoingHere · · Score: 3, Interesting

    In IE, just go to "tools"/"Popup Blocker"/"Settings" and there's about the same settings as in Firefox.

    --
    Not a Twitter sockpuppet... but I wish I was.
  14. not broken by scubacuda · · Score: 2, Interesting
    They're not broken programs, they're programs that "may behave differently".

    (i.e. "broken"!)

  15. Re:Like we didn't see this coming... by obeythefist · · Score: 3, Interesting

    Okay Mr. FUD, let's look at Linux. Say you had a linux install. And you ran Mozilla and you used that to browse websites, mozilla came *bundled* with your operating system.

    This is all well and good.

    Now you install a Firewall, perhaps one bundled with your Linux distro.

    Suddenly, Mozilla doesn't work anymore! You can't browse the internet!

    Is this the fault of your Linux distributor? Why are people saying that Windows is useless because the new firewall *blocks* traffic unless you open the right ports? Why aren't people saying the same for Linux, when Linux works *exactly* the same way?

    Or do you just like to spread anti-MS FUD so you can get karma on slashdot?

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
  16. Mac OSX manages this just fine by goombah99 · · Score: 5, Interesting
    On mac OSX the sharing-related services GUI and the Firewall GUI are coupled. Turn on Apache and it unblocks port 80 automatically. Turn on SSH and it unblocks 22 automatically. And so on for FTP, AFP. Turn off the services and the ports get blocked automatically.

    At present if you want other ports to open, other than these default services, you have to open the ports manually. However, I would imagine this coupled action is handled by some .plist xml configuration file. So it's probably possible for an application to add its own services to the sharing menu and have them coupled to the firewall if you turn the service on.

    On my mac I do manually block the incoming and outgoing license manager ports for MS Office. If you don't and want to share the app on your laptop and desktop then you will lose any open edited documents if you inadvertently plug them into the same network. I wonder if this lic manager is the reason why MS gave the firewall the ability for apps to open ports in the firewall and to have outbound connections?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Mac OSX manages this just fine by FireFury03 · · Score: 4, Interesting

      you're clueless, right?

      No

      firewalls can also be used to get some sort of acl functionality out of them (you might want to enable ssh access to only a few known ip's on the internet), can do packet inspection, perform rate limiting tasks, prevent DoS attacks

      Right, because how many Windows personal firewall users are going to be doing that? I haven't seen Microsoft's offering but I'd be quite surprised if it could be configured any more specifically than "block this port" and "open that port".

      protect the internet from _your_ machine should some malware be running

      IMHO blocking outbound traffic from personal firewalls is of dubious use at best - once the machine has been compromised the malware can quite happily disable your firewall (a number of viruses are known to disable ZoneAlarm automagically) or look at the firewall rules to see which port it can make connections on.

      Running a firewall to block outbound traffic only seems sane if it's a completely separate device since once the device running the firewall is in a position to send malicious data the security of the firewall should already be considered void. As far as I can tell, all it does is provide a false sense of security, which is a very bad thing.

    2. Re:Mac OSX manages this just fine by pellaeon · · Score: 3, Interesting

      Right, because how many Windows personal firewall users are going to be doing that? I haven't seen Microsoft's offering but I'd be quite surprised if it could be configured any more specifically than "block this port" and "open that port".

      So now we're suddenly talking about Microsoft's firewall only? Well, I haven't seen it either, but I'm pretty sure there's a personal firewall available somewhere that can do at least some of these things. Configuring your OS/services well still doesn't protect you from a DoS on your computer though.

      IMHO blocking outbound traffic from personal firewalls is of dubious use at best - once the machine has been compromised the malware can quite happily disable your firewall (a number of viruses are known to disable ZoneAlarm automagically) or look at the firewall rules to see which port it can make connections on.

      And some compromises will not achieve sufficient access to disable the firewall or view its config. How about home-dialing malware that would in this situation be prevented from running, or spyware?

      IMHO having a firewall running is useful even if only to provide an extra stumbling block for malware.

      Running a firewall to block outbound traffic only seems sane if it's a completely separate device since once the device running the firewall is in a position to send malicious data the security of the firewall should already be considered void. As far as I can tell, all it does is provide a false sense of security, which is a very bad thing.

      Ok, how about a home network then? Many people use one Windows computer using "internet access sharing" to enable other computers to connect to the internet. In this case the internet-connected computer running a personal firewall would be a separate device and could defend itself (and the internet) much better against the internal compromised machine.

      Err on the side of safety, I say.

      --
      -- /bin/coffee missing. universe halted.
    3. Re:Mac OSX manages this just fine by FireFury03 · · Score: 3, Interesting

      Configuring your OS/services well still doesn't protect you from a DoS on your computer though.

      Depends what sort of DoS you're getting - I don't really see a firewall as a solution to any of them though:

      - SYN flood: this problem was solved years ago through the introduction of SYN cookies - anyone who isn't using SYN cookies these days has no business allowing anyone connect to them anyway.

      - Bandwidth flood: A firewall ain't gonna help you here - even if you're blocking the packets, they have already traversed your (reasonably low bandwidth) internet connection... The only thing that's going to help here is to block the packets on the ISP side of the connection.

      - Slashdotting (i.e. many concurrent connections - may be legitimate connections but they're gonna kill your server anyway): Most services will let you limit the number of connections they will serve at the same time - a firewall is not the answer (unless it's on the ISP side of your internet connection).

      IMHO having a firewall running is useful even if only to provide an extra stumbling block for malware.

      It's a stop-gap solution - when 99% of computers block outbound traffic by default the malware will all automatically work around the firewalling. Malware is a very fast evolving problem, just like spam - simple stuff like this will only have an effect for a very limited amount of time. I think it's exceptionally bad that it will produce a false sense of security, and the very protocols that worms will be using are likely to be open anyway since they're protocols that people need to use.

      Ok, how about a home network then? Many people use one Windows computer using "internet access sharing" to enable other computers to connect to the internet. In this case the internet-connected computer running a personal firewall would be a separate device and could defend itself (and the internet) much better against the internal compromised machine.

      I wouldn't suggest that a firewall is useless in this situation, however I was talking about personal firewalls and would argue that once you start protecting a whole network instead of a single machine you can no longer consider it a "personal" firewall.

    4. Re:Mac OSX manages this just fine by pellaeon · · Score: 2, Interesting

      Do you know how to stop Windows from using ports 137-139? I think many people don't know. I myself have no idea (as I don't use Windows) if it's even possible. If it's not, it's something you need a (personal) firewall for to block access to these ports (which I _do_ know to be exploitable).

      Having a firewall block these ports by default can only be a good thing, since many people just _won't_ take the time to learn how to configure and harden an OS by themselves. Given the lack of knowledge concerning security for most people, a personal firewall that's on and blocking by default can't be useless.

      And 'false sense of security'? Many people don't care about security, but need to be protected (sometimes even from themselves) anyway.

      Besides, if this 'personal' firewall is all you have protecting your network, even if it's only by being on by default, you're still better off security-wise.

      --
      -- /bin/coffee missing. universe halted.
    5. Re:Mac OSX manages this just fine by mchawi · · Score: 2, Interesting

      Once the system has been compromised you are in trouble - that is true.

      However personal firewalls have a -lot- of benefit at least from a business standpoint. Many firewalls, including SP2 have additional features that help protect your network. As a for instance, limiting the number of outgoing TCP connections that can be opened per second. If you've ever seen some of the viruses take out network bandwidth - this is one of many ways to help.

      Basically if you look at a personal firewall as a 'solution' - it is going to fail. If you look at it as one tool of many to make up your corporate security solution, it gives you power.

      As another 'for instance' here - if you have an active directory domain, and you find that a new virus is using port X that you have open for application Y - you can turn that port off from the GPO. This means that you can reconfigure the personal firewall on all the computers and clean up the issue without your network going down the tubes as it spreads itself.

      Not -all- reasons for a firewall involve some sort of root/administrator hack.

  17. Scary quote by roystgnr · · Score: 3, Interesting
    From the support.microsoft.com link:
    The number of ports that the process uses may affect how this issue is resolved:

    * If the process uses more than 1024 ports, the number of ports probably will not change.
    * If the process uses less than 1024 ports, the program may be using a range of ports. Therefore, opening individual ports may not reliably resolve the issue.

    It just fills you with confidence in their network security qualifications, doesn't it? I'm sure their audience won't be too confused (even most online gamers know the difference between "port number" and "number of ports"), but that just makes it even stranger that they hired a technical writer who can't make that distinction clearly.
    1. Re:Scary quote by rokzy · · Score: 2, Interesting

      outsourcing. who needs people who can speak English when the web has plenty of free translation sites?

  18. ISPs are screwed by jhoegl · · Score: 2, Interesting

    ISPs will take the brunt of this issue on the phones. Once SP2 is released, ISPs will be inundated with calls asking why their software doesn't work. And believe me, those answering the phones will be annoyed. As a former ISP tech, I have had to deal with the MyDoom, the SQL worm, and all the huge viruses that hit two years ago. Luckily, there have not been any major virii released since September of 2002. However, the first person the people call is always the ISP, it's not because they don't know whom to call, but because they know they can get advice for free.

  19. Re:News Flash: Firewall Blocks Inbound Traffic by surprise_audit · · Score: 4, Interesting

    On the other hand, the list of "programs that behave differently" includes Excel, Office 2003, Office XP, Outlook, Visual Basic, Visual C++ and Visual Studio. I can see various personal firewalls and p2p apps like Kazaa being broken by port issues, and maybe the Office suite because of email & calendaring, &c, but why on earth would VB & VC++ be affected??

  20. OOPS I just found a security issue on the mac! by goombah99 · · Score: 2, Interesting
    Trying to answer my own question above, I discovered that any admin user can, without a password, alter the firewall plist to open and close any ports on the firewall under program control.

    This is the same security issue (not a security hole per se) that Microsoft was being criticized for. That is, a rogue program can open and close ports on the firewall.

    Here, try it yourself. The following patch will add a port setting called x-windows to your firewall and open up ports in the 6000 range.

    Dang, the lameness filter won't let me show the patch. Oh well, figure it out for yourself. It's easy. Just look in:

    /Library/Preferences/com.apple.sharing.firewall.plist

    --
    Some drink at the fountain of knowledge. Others just gargle.
  21. Egad! by Anonymous Coward · · Score: 1, Interesting

    I left a network of 80 computers with XP auto-update feature turned on. I came to work this week to find SP2 installed, yet the version listed in the control panel is "XP 2002 SP1". Kinda sneaky. Sure enough all the new firewall stuff is there. I visit windowsupdate, and v5 is now the default. No updates left to be installed. No mention of ServicePack2 except in Internet Explorer -> Help -> About. What's the deal? How does one uninstall? No mention in Add/Remove Programs.

  22. Re:Forgive my ignorance by Erik+Hollensbe · · Score: 3, Interesting

    for a standard setup and ports 1-1024 it's not as big of a deal, really, as your "friendly neighborhood cracker" needs to crack your machine completely to open ports. (Should be obvious, but if your user has root, you just lost all benefit of the firewall as it can be modified)

    However, if the cracker just manages to get user privileges on the box, *ka-blam*, if you don't block inbound you are a mail relay, a DoS zombie, you name it. An easy way to prevent that is to block everything incoming that you don't use.

    Heck, with the way some rootkits work, and the relative naivete of the cracker, blocking the lower ports may prevent something more sinister happening automatically and give you time to shutdown/clean/whatever the system before things get too screwed up.

    A good firewall plan always starts with "block everything".

    Another neat trick is to use NAT and port forwarding to send all incoming traffic on the firewall from the internet to a host on the local net that doesn't and will never exist. Depending on implementation and how you use it, this prevents the cracker from even touching the box (save a hole in the networking stack) and installing services on it, even if cracked, is fairly pointless. Of course this trick is useless if you don't follow firewalling best practices and block all incoming traffic from the outside that appears to come from internal-only network blocks.
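
The "block everything" plan and the anti-spoofing rule from the comment above, as an added example (not part of the original thread and not any real firewall's code): a stateless model of how unsolicited inbound packets are judged. The interface names, the allow list and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Internal-only blocks (RFC 1918 private ranges plus loopback). A packet that
# arrives on the outside interface claiming one of these as its source cannot
# be genuine, so it is dropped before any allow rule is consulted.
INTERNAL_ONLY = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"))


class Packet(NamedTuple):
    iface: str      # "wan" or "lan" (hypothetical interface names)
    src: str        # source IP address
    proto: str      # "tcp" or "udp"
    dst_port: int


class Allow(NamedTuple):
    proto: str
    port: int
    src_net: str = "0.0.0.0/0"   # default: any IPv4 source


def decide(pkt, allow_rules):
    """Return (action, reason) for an unsolicited inbound packet."""
    src = ipaddress.ip_address(pkt.src)

    # 1. Anti-spoofing comes first, so an allow rule can never admit a
    #    forged "internal" source arriving from the outside.
    if pkt.iface == "wan" and any(src in net for net in INTERNAL_ONLY):
        return ("DROP", "spoofed internal source")

    # 2. Explicit allow rules: only what is actually in use.
    for rule in allow_rules:
        if (pkt.proto == rule.proto and pkt.dst_port == rule.port
                and src in ipaddress.ip_network(rule.src_net)):
            return ("ACCEPT", f"{rule.proto}/{rule.port} from {rule.src_net}")

    # 3. Everything else falls through to the default.
    return ("DROP", "default deny")


# Constructed policy: SSH only from one known network, HTTP from anywhere.
RULES = [Allow("tcp", 22, "203.0.113.0/24"), Allow("tcp", 80)]

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet("wan", "203.0.113.7", "tcp", 22),    # SSH from the known network
    Packet("wan", "198.51.100.9", "tcp", 22),   # SSH from elsewhere
    Packet("wan", "198.51.100.9", "tcp", 139),  # NetBIOS session port, never opened
    Packet("wan", "192.168.1.5", "tcp", 80),    # "internal" source on the outside
    Packet("lan", "192.168.1.5", "tcp", 80),    # same source, inside interface
]


def run_sample():
    return [decide(p, RULES) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(pkt, "->", verdict)
```

A real packet filter also tracks connection state so that replies to outbound connections are admitted; this model covers only the unsolicited inbound case the comment discusses.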

  23. /Library/Preferences permissions by SuperKendall · · Score: 3, Interesting

    The directory /Library/Preferences has perms of g+w, so group users can write to it - thus as the other poster noted you can potentially overwrite the file. At least, TextEdit sure does.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
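
A check for the condition described in the comment above, as an added example (not part of the original thread and not Apple's code): it reports when a configuration file, or the directory holding it, carries permission bits that let a non-owner change or swap the file. The `demo` helper and its temporary `firewall.plist` are constructed stand-ins; call `replacement_findings` on a real path to audit it.

```python
import os
import stat
import tempfile

FILE_GROUP = "file: group-writable"
FILE_WORLD = "file: world-writable"
DIR_GROUP = "directory: group-writable (file can be removed and recreated)"
DIR_WORLD = "directory: world-writable (file can be removed and recreated)"


def replacement_findings(path):
    """List permission bits that let a non-owner alter or replace `path`.

    Only classic mode bits are examined; ACLs and ownership of the
    directories further up the tree are outside this check.
    """
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    findings = []

    # Direct write access to the file itself.
    fmode = os.stat(path).st_mode
    if fmode & stat.S_IWGRP:
        findings.append(FILE_GROUP)
    if fmode & stat.S_IWOTH:
        findings.append(FILE_WORLD)

    # Write access to the directory is enough to unlink or rename the file
    # and drop a new one in its place, whatever the file's own mode says.
    # The sticky bit limits removal to the file owner, the directory owner
    # and root, so a sticky directory is not reported.
    dmode = os.stat(parent).st_mode
    sticky = bool(dmode & stat.S_ISVTX)
    if dmode & stat.S_IWGRP and not sticky:
        findings.append(DIR_GROUP)
    if dmode & stat.S_IWOTH and not sticky:
        findings.append(DIR_WORLD)
    return findings


def demo(dir_mode, file_mode=0o644):
    """Build a throwaway directory with the given modes and audit it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "firewall.plist")  # constructed stand-in file
        with open(target, "w") as fh:
            fh.write("<plist/>\n")
        os.chmod(target, file_mode)
        os.chmod(d, dir_mode)
        try:
            return replacement_findings(target)
        finally:
            os.chmod(d, 0o700)  # restore so the temporary directory can be removed


if __name__ == "__main__":
    for mode in (0o775, 0o755, 0o1775):
        print(oct(mode), demo(mode))
```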
  24. Re:Like we didn't see this coming... by obeythefist · · Score: 3, Interesting

    Like you can configure Windows firewall as a part of the installation process (I've applied SP2 at home).

    As Mr FUD is suggesting, Windows users won't configure the firewall at install time (which is why those apps don't work). To be fair we'll also assume that you won't configure your linux firewall at install time.

    Any good firewall will block outgoing traffic just as well as it blocks ingoing traffic, by default. The new windows firewall in SP2 blocks outgoing traffic (the SP1 version of the firewall was inbound blocking only).

    So, without configuration, you'll find all those linux distros you've listed share this same problem - when you install an unconfigured (all ports closed 2-way) firewall on them, some applications will break.

    You can't go and say that it's a "non-existent" problem, because you have to assume that any user who can't configure a firewall under Windows couldn't do it under Linux either. What we're really seeing here is Windows moving closer to Linux's security methodology - secure by default. So the problems mentioned in the article are directly applicable to any Linux distro that is secure by default - yet people are hanging it on MS despite this.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
  25. Mac Address Spoofing by SquireCD · · Score: 2, Interesting

    I've noticed that SMAC version 1.1 and 1.2 no longer work with SP2 installed. Neither does editing my mac address with regedt32.

    This might just be my computer but it's worth thinking about before installing SP2.

  26. Re:You nailed it. by blane.bramble · · Score: 4, Interesting

    For example, everyone should know: what the Internet is; that not everyone on it is trustworthy, and most importantly to READ BEFORE YOU CLICK.

    My 7 year old daughter knows to do this - I have taught her that if any box appears on the computer to read the message, and if she doesn't understand it or know why the message appears, to ask me. As an example, a while ago she was trying to play a game (probably from the BBC web-site). After a few minutes she came and told me the game wouldn't work - it turned out every time she clicked on it, she got the standard IE "do you want to run this, blah blah, may cause damage to your computer", so she clicked Cancel (not wanting the computer to be damaged...). After 4 or 5 goes round this she decided it was time to ask for help.

    Why is this so difficult to get into other people's heads?

  27. I think Microsoft have done the right thing by pandrijeczko · · Score: 4, Interesting
    It seems to me that the listed applications do not work purely because of the default firewall settings in SP2 in which case Microsoft have done the only thing that they could.

    The fact is that the majority of Joe Public is far too stupid & lazy to want to bother understanding how a computer works so Microsoft has had to force their hand into making their systems more secure.

    Whilst I consider Microsoft "its own worst enemy" by portraying its OSes as error free and requiring minimal management in advertising, they have taken the right action here because hopefully this starts to make it more difficult for viruses and worms to propagate meaning that we all benefit.

    If there's one big advantage we have in the Linux world over the Windows world is that our proportion of idiot users is virtually zero - I for one hope it stays that way also.

    --
    Gentoo Linux - another day, another USE flag.
  28. Word 2000 broke on several of our machines by Tanami · · Score: 2, Interesting

    Of the three machines we've got here with the Windows XP / Office 2000 combination, two of them stopped opening documents after installing SP2 (just hangs). Office seems to have latest service pack itself, so nothing else to do but rollback and disable auto-update.

  29. Which defeats the whole purpose by Moraelin · · Score: 3, Interesting

    I'll tell you a story.

    I once had to install Windows 2000 on a box, and as Loki would have it, I had no Zone Alarm or Sygate Personal Firewall on a CD at hand. Just as Joe Average would.

    So I could go download it somewhere else, or I could do a scapegoat installation just to download a firewall. I chose to just sacrifice an install to the gods of Hacking. I _knew_ I'd get hacked, but that was OK, since I'd reformat immediately after anyway. (Takes less time than whining on /. about MS security, btw.) Joe Average wouldn't know, and wouldn't reformat.

    (And I'm not disappointed. It takes less than a minute to get my uplink bandwidth saturated with mysterious outbound packets.)

    Still, it will serve to illustrate what happens after you get your machine 0wn3d by some l337 skr1p7 kiddi3.

    So I decide to play with it a bit longer, and see what happens with a firewall and an 0wn3d machine.

    I start the newly downloaded and installed Sygate Personal Firewall, and immediately it pops up a window telling me the name of the application _and_ what it's trying to do. I block it, and that's that. No more outbound packets. I can tell it struggles long and hard to send crap, but it can't. Both its inbound and outbound pipes have been sealed shut.

    I can now toy with that machine as long as I wish, trying to disinfect it. Again, which is what Joe Average would want. If it's _not_ a sacrificial install, but some machine where his resume and a few gigs of other important data is, Joe will not want it reformatted.

    I can even surf the net looking for information on the trojan, safe in the knowledge that it's blocked. No need to pull out the network cable.

    Whereas you tell me that Apple would have allowed it to open its own ports, as it damn pleases. Inbound or outbound, whatever. And not even told me about it.

    Well, gee. Sorry, that's not the kind of security I'm looking for. Dumbing down a firewall to the point where it doesn't actually block anything, in the name of "user-friendliness" is _not_ the way to go.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  30. My Problem with SP2 by kpogoda · · Score: 2, Interesting

    I installed SP2 and then it made me re-activate both Windows and Office 2003. During the reactivation, my original Product keys were no longer valid. I had to call Microsoft support, spoke to numerous tech support and activation department employees before they gave me a new product key which could be re-activated. I felt like I was getting interrogated as to why I was re-activating the software even though I had valid and legal copies. The other interesting part, every person I spoke to was from India, the only person not from India was Canadian. It appears as if Microsoft has almost completely off-shored major portions of their company to India.

  31. Explanation is in order by Steeltoe · · Score: 2, Interesting

    I can explain why I use a personal firewall (Kerio PF) on my XP box at home, and what advantages I think it offers over a standalone hardware firewall:

    Control: Even though I have broadband, I want control over what applications connect in and out. When a popup box appears, I am immediately informed what part of Windows or program is trying to access the outside world. I start the PF by locking everything, then clicking yes to everything I want to access the Internet and no to the others (making quick rules). I get a quick and easy overview. This gives an extra control over potential spyware and applications that shouldn't connect remotely.

    While a broadband router is more secure, it's not as easy to configure, it doesn't block on the application level nor on the device level (for VPNs etc), it doesn't implement "web-filters" or other goodies. A very interesting feature of Kerio is that you can deny, or question whether programs should start up at all. Nice to lock down Internet Explorer and Outlook that way for extra security.

    Fast & Easy: Getting a pop-up box, I am immediately informed and may quickly make an automatic rule, or specify a more advanced rule. When the ruleset is mature, the boxes disappear.

    While a hardware firewall is quick to set up in the LAN, setup and configuring simply don't compare to a PF with a nice GUI. It's almost as fast as having an automatic firewall. A PF is also more convenient for newbies and lazy users. You don't always know what application or service is using what port, and have to spend time searching. Not everybody thinks it's fun or has the skills to search for port numbers.

    That said, a broadband router is usually the best solution for a home network, as you don't need a computer up and running all the time to have secure Internet access. But why not have both? In my eyes, not trusting XP or its applications, a PF is absolutely necessary for control over your computer. Of course, if you don't like the pop-up dialogs, you can turn them off. That's just a GUI event, you can read the logs instead.

    I'd recommend staying far away from ZoneAlarm though and using Kerio PF instead. It is very powerful, tidy and secure to use. ZoneAlarm gives me the creeps, what a good example of bad and bloated design!

    To argue against PF I would say that it is very complex and located on the same host, which IS bad for security. It is also harder to know what rules are implemented, maybe the automatic rules are bad or too broad? Also, bad users will easily make the PF worthless by allowing everything. It's certainly no silver bullet, except for letting users shoot themselves in their feet.

    An additional argument FOR PF is that security can be enhanced by making it easier for clueful users to set up a firewall with high enough level of restriction to prevent most attacks.

    Use what fits the job best, often it's a balance between convenience and security. But as said earlier, you CAN use both!

    I do agree about the false sense of security though, but most people just want to do their work/play, not have a complete network in their home. Many will never be able to figure out a hardware firewall in this lifetime. If you want security, best not use XP either, but OpenBSD or something similar. By being proprietary, XP simply cannot be relied upon and may give a "false sense of security" when everything goes OK for a while.