Microsoft Lists SP2 Incompatibilities
thejuggler writes "ZDNET has a story about how the new XP SP2 causes conflicts with over 50 applications and causes problems with others including some of Microsoft's own products. The 'glitch' as they are calling it seems to be that the Windows firewall system is turned on by default and blocks unsolicited connections to your computer. You have to unblock certain ports as your applications require to make the apps work again. They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?" The BBC has a story as well.
I've not seen it mentioned anywhere, so maybe it's just a drive incompatibility issue, but when I installed SP2 RC1, I could no longer play DVDs - I would receive an error telling me that the TV OUT on my card must be disabled first. I rolled back to SP1 and bingo, everything would play fine again.
What I think is the "real" issue here is that customers that have installed SP2 simply don't have a clue about what a firewall is, what it does, and how to use it. The problem is also no doubt being exacerbated by programs that needlessly try to access the network.
But I always take the time to say "shame on you" to programs that needlessly try to access the network when their primary function has absolutely nothing to do with networking, ESPECIALLY when their networking options are turned "off".
If I don't know how to open up ports on a firewall or even what a firewall is, how the hell am I going to figure out how to install Gentoo?!?!?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
I'm sorry, but I'd almost have to call your post a "troll" - even though you're not necessarily wrong about everything you said....
Realistically, how is a Linux distro like Gentoo a real "alternative" at all, for the average PC user wanting a "workstation OS" that runs all of their purchased "off the shelf" software packages??
Just as one little example, a good friend of mine recently wiped Windows XP off his Dell Latitude laptop and replaced it with the latest Gentoo Linux distro. He could only stand it for about 3 days before deciding it just made his laptop *less functional* than it was worth, and went back to XP.
It's not that he dislikes Linux! He thinks it's great! (So do I, for that matter.) It's just that Linux is based on a *server-centric* OS (Unix), and all the attempts to reconstruct it as a desktop workstation OS with user-friendly GUI are less than fully realized.
I'm all for competition, but as much as some people want it to be, I don't think Linux is really the direct competition for Windows XP right now. If anything, it's poised more as a sensible alternative for something like Windows 2000 or 2003 Server.....
If you want a Unix type OS done right as a workstation, I think Apple already pulled it off better than anyone else -- but that's getting into a whole new hardware AND software investment.
According to this Register article, it's not like MS made SP2 come out of the blue. App vendors have had plenty of time to start thinking about the changes they might need to make.
Turning on the firewall by default is a design for newbies, and rightly so.
My mother doesn't know what a firewall is, never mind how to switch it on.
Those who know what it is, and how to configure it, will be able to open the required ports or allow the required programs access to those ports.
The clueless might not be able to use some programs, but if that means viruses and worms will not spread as much as before then it's something I think we all can live with.
In IE, just go to "tools"/"Popup Blocker"/"Settings" and there's about the same settings as in Firefox.
Not a Twitter sockpuppet... but I wish I was.
Okay Mr. FUD, let's look at Linux. Say you had a Linux install. And you ran Mozilla and you used that to browse websites, Mozilla came *bundled* with your operating system.
This is all well and good.
Now you install a Firewall, perhaps one bundled with your Linux distro.
Suddenly, Mozilla doesn't work anymore! You can't browse the internet!
Is this the fault of your Linux distributor? Why are people saying that Windows is useless because the new firewall *blocks* traffic unless you open the right ports? Why aren't people saying the same for Linux, when Linux works *exactly* the same way?
Or do you just like to spread anti-MS FUD so you can get karma on slashdot?
I am government man, come from the government. The government has sent me. -- G.I.R.
At present if you want other ports to open, other than these default services, you have to open the ports manually. However I would imagine this coupled action is handled by some .plist xml configuration file. So it's probably possible for an application to add its own services to the sharing menu and have them coupled to the firewall if you turn the service on.
On my Mac I do manually block the incoming and outgoing license manager ports for MS Office. If you don't and want to share the app on your laptop and desktop then you will lose any open edited documents if you inadvertently plug them into the same network. I wonder if this lic manager is the reason why MS gave the firewall the ability for apps to open ports in the firewall and to have outbound connections?
Some drink at the fountain of knowledge. Others just gargle.
It just fills you with confidence in their network security qualifications, doesn't it? I'm sure their audience won't be too confused (even most online gamers know the difference between "port number" and "number of ports"), but that just makes it even stranger that they hired a technical writer who can't make that distinction clearly.
On the other hand, the list of "programs that behave differently" includes Excel, Office 2003, Office XP, Outlook, Visual Basic, Visual C++ and Visual Studio. I can see various personal firewalls and p2p apps like Kazaa being broken by port issues, and maybe the Office suite because of email & calendaring, &c, but why on earth would VB & VC++ be affected??
For a standard setup and ports 1-1024 it's not as big of a deal, really, as your "friendly neighborhood cracker" needs to crack your machine completely to open ports. (Should be obvious, but if your user has root, you just lost all benefit of the firewall as it can be modified)
However, if the cracker just manages to get user privileges on the box, *ka-blam*, if you don't block inbound you are a mail relay, a DoS zombie, you name it. An easy way to prevent that is to block everything incoming that you don't use.
Heck, with the way some rootkits work, and the relative naivete of the cracker, blocking the lower ports may prevent something more sinister happening automatically and give you time to shutdown/clean/whatever the system before things get too screwed up.
A good firewall plan always starts with "block everything".
Another neat trick is to use NAT and port forwarding to send all incoming traffic on the firewall from the internet to a host on the local net that doesn't and will never exist. Depending on implementation and how you use it, this prevents the cracker from even touching the box (save a hole in the networking stack) and installing services on it, even if cracked, is fairly pointless. Of course this trick is useless if you don't follow firewalling best practices and block all incoming traffic from the outside that appears to come from internal-only network blocks.
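As an added illustration of the "block everything" plan and the spoofed-source rule from the comment above (not part of the original thread; the interface names, address blocks and allow list are assumptions), a first-match inbound policy with default deny:

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the internal-only blocks are RFC 1918 space plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: the only inbound service this host deliberately offers is SSH.
ALLOWED_INBOUND = {("tcp", 22)}

@dataclass(frozen=True)
class Packet:
    iface: str                 # "wan" (internet side) or "lan"; hypothetical names
    src: str
    dst_port: int
    proto: str = "tcp"
    established: bool = False  # reply to a connection this host opened

def is_spoofed(pkt):
    """Internal-only source address arriving on the outside interface."""
    src = ipaddress.ip_address(pkt.src)
    return pkt.iface == "wan" and any(src in net for net in INTERNAL_NETS)

def decide(pkt, allowed=ALLOWED_INBOUND):
    """First match wins; anything not explicitly allowed falls through to drop."""
    if is_spoofed(pkt):
        return ("drop", "spoofed-internal-source")
    if pkt.established:
        return ("accept", "reply-to-outbound")
    if (pkt.proto, pkt.dst_port) in allowed:
        return ("accept", "explicit-allow")
    return ("drop", "default-deny")

# Constructed sample traffic (documentation address ranges), not captured data.
SAMPLE = [
    Packet("wan", "203.0.113.7", 22),
    Packet("wan", "203.0.113.7", 25),
    Packet("wan", "192.168.1.50", 22),
    Packet("wan", "198.51.100.9", 51515, established=True),
    Packet("lan", "192.168.1.50", 22),
]

def evaluate(packets=SAMPLE):
    return [decide(p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate()):
        print(pkt, "->", verdict)
```

The spoof check runs before the established-connection rule, so a packet from outside claiming an internal source is dropped even if it is flagged as a reply.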
The directory /Library/Preferences has perms of g+w, so group users can write to it - thus as the other poster noted you can potentially overwrite the file. At least, TextEdit sure does.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Most of us conscientious 'app vendors' have been diligently studying the various release candidates coming out of Redmond.
Before beating on the ISVs make sure you check out a legitimate bug in SP2. This particular bug wasn't present in RC2 and has caused a good few slashdot-friendly vendors some undue heartache (notably PuTTY).
Yes, there are vendors out there who ought to have been more prepared, but MS certainly needs to take a good deal of responsibility for these current issues.
Tarkwyn.
Like you can configure Windows firewall as a part of the installation process (I've applied SP2 at home).
As Mr FUD is suggesting, Windows users won't configure the firewall at install time (which is why those apps don't work). To be fair we'll also assume that you won't configure your Linux firewall at install time.
Any good firewall will block outgoing traffic just as well as it blocks ingoing traffic, by default. The new Windows firewall in SP2 blocks outgoing traffic (the SP1 version of the firewall was inbound blocking only).
So, without configuration, you'll find all those Linux distros you've listed share this same problem - when you install an unconfigured (all ports closed 2-way) firewall on them, some applications will break.
You can't go and say that it's a "non-existent" problem, because you have to assume that any user who can't configure a firewall under Windows couldn't do it under Linux either. What we're really seeing here is Windows moving closer to Linux's security methodology - secure by default. So the problems mentioned in the article are directly applicable to any Linux distro that is secure by default - yet people are hanging it on MS despite this.
I am government man, come from the government. The government has sent me. -- G.I.R.
For example, everyone should know: what the Internet is; that not everyone on it is trustworthy, and most importantly to READ BEFORE YOU CLICK.
My 7 year old daughter knows to do this - I have taught her that if any box appears on the computer to read the message, and if she doesn't understand it or know why the message appears, to ask me. As an example, a while ago she was trying to play a game (probably from the BBC web-site). After a few minutes she came and told me the game wouldn't work - it turned out every time she clicked on it, she got the standard IE "do you want to run this, blah blah, may cause damage to your computer", so she clicked Cancel (not wanting the computer to be damaged...). After 4 or 5 goes round this she decided it was time to ask for help.
Why is this so difficult to get into other people's heads?
The fact is that the majority of Joe Public is far too stupid & lazy to want to bother understanding how a computer works so Microsoft has had to force their hand into making their systems more secure.
Whilst I consider Microsoft "its own worst enemy" by portraying its OSes as error free and requiring minimal management in advertising, they have taken the right action here because hopefully this starts to make it more difficult for viruses and worms to propagate meaning that we all benefit.
If there's one big advantage we have in the Linux world over the Windows world, it's that our proportion of idiot users is virtually zero - I for one hope it stays that way also.
Gentoo Linux - another day, another USE flag.
I'll tell you a story.
I once had to install Windows 2000 on a box, and as Loki would have it, I had no Zone Alarm or Sygate Personal Firewall on a CD at hand. Just as Joe Average would.
So I could go download it somewhere else, or I could do a scapegoat installation just to download a firewall. I chose to just sacrifice an install to the gods of Hacking. I _knew_ I'd get hacked, but that was OK, since I'd reformat immediately after anyway. (Takes less time than whining on /. about MS security, btw.) Joe Average wouldn't know, and wouldn't reformat.
(And I'm not disappointed. It takes less than a minute to get my uplink bandwidth saturated with mysterious outbound packets.)
Still, it will serve to illustrate what happens after you get your machine 0wn3d by some l337 skr1p7 kiddi3.
So I decide to play with it a bit longer, and see what happens with a firewall and an 0wn3d machine.
I start the newly downloaded and installed Sygate Personal Firewall, and immediately it pops up a window telling me the name of the application _and_ what it's trying to do. I block it, and that's that. No more outbound packets. I can tell it struggles long and hard to send crap, but it can't. Both its inbound and outbound pipes have been sealed shut.
I can now toy with that machine as long as I wish, trying to disinfect it. Again, which is what Joe Average would want. If it's _not_ a sacrificial install, but some machine where his resume and a few gigs of other important data is, Joe will not want it reformatted.
I can even surf the net looking for information on the trojan, safe in the knowledge that it's blocked. No need to pull out the network cable.
Whereas you tell me that Apple would have allowed it to open its own ports, as it damn pleases. Inbound or outbound, whatever. And not even told me about it.
Well, gee. Sorry, that's not the kind of security I'm looking for. Dumbing down a firewall to the point where it doesn't actually block anything, in the name of "user-friendliness" is _not_ the way to go.
A polar bear is a cartesian bear after a coordinate transform.