Slashdot Mirror
Microsoft Lists SP2 Incompatibilities
thejuggler writes "ZDNET has a story about how the new XP SP2 causes conflicts with over 50 applications and causes problems with others including some of Microsoft's own products. The 'glitch' as they are calling it seems to be that the Windows firewall system is turned on by default and blocks unsolicited connections to your computer. You have to unblock certain ports as your applications require to make the apps work again. They are calling this a glitch, but I thought we wanted everything blocked by default so we would have to choose what was unblocked?" The BBC has a story as well.
I've not seen it mentioned anywhere, so maybe it's just a drive incompatibility issue, but when I installed SP2 RC1, I could no longer play DVDs - I would receive an error telling me that the TV OUT on my card must be disabled first. I rolled back to SP1 and bingo, everything would play fine again.
I snickered when I saw that list earlier today. Most of them are broken due to closed ports. Duh. Why not list every application that requires certain ports be open?
Any firewall can break any piece of software if it requires a port that is blocked.
Windows XP
They're forgetting about all the worms, trojans, and viruses that are going to need to be rewritten to exploit new backdoors in the OS.
:(
Those poor hackers...
"Star Trek StarFleet Command III"
lol.
even though Microsoft is doing the "Right Thing", a majority of average (Below average?) users will complain until MS is forced to set the firewall to disabled by default. It's sad, but true.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
I'm not entirely happy with the popup blocker they've included, as it doesn't seem to be that configurable. However, the idea of blocking unsolicited ports is by no means a bad thing.
The vast majority of PC problems these days are rooted in the fact that most users are lazy, and don't want to be bothered with details. Perhaps they can read tax forms, but a simple Windows dialog? Forget it.
If users can't muster up more than an ounce of effort to secure their PC, they shouldn't be using one. Just as a driver needs to make sure their car is roadworthy, PC users need to be sure that their systems have at least some rudimentary method of protection. It's just not that hard, and it's not too much to ask.
If computer users can't manage to get their heads around simple dialogs (which SP2 questions pretty much are), they deserve the trouble they get... perhaps them being offline would reduce the spam & DDoS zombies.
I suppose wishing those people offline is a fantasy, but it certainly would help reduce the idiot factor on the net.
Do any of you actually use Windows Firewall anyhow? I've got no compatibility issues whatsoever because I'm using a hardware firewall in the first place, meaning SP2's default firewall was turned off rather quickly.
Nothing disturbs me more than blind loyalism towards some unrealistic and over-idealistic notion of one's nationality.
Lost it? i don't think so. I support several hundred users on a daily basis, and the vast majority of them barely know what the 'start' button is, let alone abstract concepts like 'ports' or 'firewalls'
as things stand right now, i don't see how ease of use and security can possibly go together. what is needed is user education, but the vast majority of users 'just want it to work' and refuse education.
... people have spent years complaining about Microsoft security, Microsoft don't change anything because they claim it will break stuff.
Microsoft folds and implements some security features which inevitably break things... then everybody gets upset.
You can't have it both ways.
Until someone logs into your network behind your firewall with an infected machine... If you ever have LAN parties or have a wireless network, you're exposed. Null
Seriously, this is an optional service pack. It hasn't really been out long enough to consider seriously deploying it on critical machines. Just give some time for the apps to catch up and sometime in the future this will be a non-issue. On the other hand, shame on the developers for not testing their apps with the release canidates to work out any bugs.
microsoft corp of redmond,wa has filed an antitrust injunction against microsoft corp, also of redmond,wa for deploying 'service pack 2' - a cumulitive update for windows xp users, which has been shown to be incompatible with microsoft's visual studio and outlook.
If I don't know how to open up ports on a firewall or even what a firewall is, how the hell am I going to know figure out how to install Gentoo?!?!?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Perhaps, but beta testers tend to be more tech-savvy, so these so called 'glitches' (they are really 'difficulties') probably didn't bother them...
From what I've read, the problems are that MS has finally introduced some default security. They are blaming third party vendors for relying on ports to be open and such. While this may be true, there is also the fact that since they've been able to do it for years and years with Microsoft based OSs, there's no surprise that when they actually started locking stuff down, it did break other programs.
These same (below) average users are the kinds of saps that are locked into Microsoft platforms merely because they are too lazy, naive, or both to use a different platform. If Microsoft says that the firewall will be enabled by default, the users will deal with it, because they don't have a choice.
It would be more likely that application authors will start including tools in their installation wizards for opening ports the application needs.
The sad thing is, any app could easily get passed the firewall with a bit of social engineering. I saw a popup on a Windows machine infected with some ad/spyware today. The window started an automatic download (and thus, on Windows, install) of some app. The page showed a picture of the security warning dialog and told the user to just click Yes. Which is actually what most users will do, because they don't know any better, because nobody has taught them.
You know what happens when SP2 blocks a connection via the firewall? It let's you know. It also let's you take the option of unblocking the program straight away. I had this problem with X-Wing Alliance and Unreal Tournament 2004. When no servers came up, I thought it was my connection, but a quick-alt tab reveals that Windows has a pop-up that actually informs you that it's blocked the game/application. So, don't be too quick to bash. Turning the firewall on by default is a good idea. I mean, why don't you go bash ZoneAlarm or a similar firewall app? It blocks all access by default, and "learns" as you use your computer more, and that's all the SP2 firewall is trying to do.
yeah...this is kinda lame.
Sounds like people are trying to find as much fault in Microsoft as possible. It looks like most of these aren't even problems but are something that Microsoft bashers can use to fuel their fires. As I'm sure many posts have already pointed out by the time I post this, a lot of these problems are just because of closed ports.
I'm sorry, but I'd almost have to call your post a "troll" - even though you're not necessarily wrong about everything you said....
Realistically, how is a Linux distro like Gentoo a real "alternative" at all, for the average PC user wanting a "workstation OS" that runs all of their purchased "off the shelf" software packages??
Just as one little example, a good friend of mine recently wiped Windows XP off his Dell Latitude laptop and replaced it with the latest Gentoo Linux distro. He could only stand it for about 3 days before deciding it just made his laptop *less functional* than it was worth, and went back to XP.
It's not that he dislikes Linux! He thinks it's great! (So do I, for that matter.) It's just that Linux is based on a *server-centric* OS (Unix), and all the attempts to reconstruct it as a desktop workstation OS with user-friendly GUI are less than fully realized.
I'm all for competition, but as much as some people want it to be, I don't think Linux is really the direct competition for Windows XP right now. If anything, it's poised more as a sensible alternative for something like Windows 2000 or 2003 Server.....
If you want a Unix type OS done right as a workstation, I think Apple already pulled it off better than anyone else -- but that's getting into a whole new hardware AND software investment.
They aren't really "glitches"
And they have nothing to do with the actual code in the Service Pack (I've been running it fine since it was released on Winbeta).
If you took time to read the article, you'd find that the applications would work fine if you disabled the Windows Firewall. The applications fail because SP2 enables a firewall by default, and these applications do not work without an open port.
Anyone who tries to agree with the anti-microsoft FUD in the article above must be some kind of luddite or a really blinkered linux zealot.
Enabling a firewall by default in Windows is the greatest thing Redmond has ever done to try and make up for the horror's they've unleashed on the people of the world. Trying to spread even more FUD with the objective to stop people from applying this service pack is madness.
I am government man, come from the government. The government has sent me. -- G.I.R.
According to this Register article, it's not like MS made SP2 come out of the blue. App vendors have had plenty of time to start thinking about the changes they might need to make.
Oh come on! Next you're going to say it must be hard for a noob to compile a kernel! Man, RTFM!
Na, just kidding. You're completely right. There comes a time when the average user has to spend 20 minutes giving a shit about his computer and learn some basic fundamentals. At some point in time, people, in general, did the same thing for their cars. Old ladies will get their oil changed every 3000 miles yet your average user doesn't know it's bad to click yes to "do you wish to install spyware?"
I've had it with people asking me to help them out with their computers. I feel like a plumber who gets the question "hey, I just clogged my toilet by taking a huge dump, how do I fix it?" everywhere he goes. It's not the ignorance I mind, it's the indifference about computer fundamentals that leads to someone else fixing it. If people don't want to learn that "techno mumbo jumbo" then don't use a computer. If I said to the police officer "what the hell, blinker? Break? Steering away from pedistrians? What is this auto mumbo jumbo?" I don't think he'd understand.
Exactly. Slashdotters have always constantly paid out on microsoft because MS has chosen ease of use before security.
Now, like a responsible company should, they've taken the drastic step of enabling a firewall on Windows by default. And, like any slashdot FUD loving crowd would, slashdot is blaming microsoft because a list of 50 third party apps won't run if some ports aren't opened on a firewall.
I'm happy with SP2, very happy at the extra secuirity, especially enabling the NX bit on my A64.
I am government man, come from the government. The government has sent me. -- G.I.R.
Turning on the firewall by default is a design for newbies, and rightly so.
My mother doesn't know what a firewall is, nevermind how to switch it on.
Those who know what it is, and how to configure it, will be able to open the required ports or allow the required programs access to those ports.
The clueless might not be able to use some programs, but if that means viruses and worms will not spread as much as before then it's something I think we all can live with.
So, everyone is whinging that the firewall included with XP SP2 is WORKING?
The 'glitches' listed on the KB articles would be affected by any end user firewall, or hardware firewall on the market. To bash MS for this is counter productive. They have done the right thing in enabling it by default. If you want to run a server, you ought to be smart enough to figure out how to configure your firewall. If not, then its better for the net as a whole, you are the type of person still spreading Code Red.
Okay Mr. FUD, let's look at Linux. Say you had a linux install. And you ran Mozilla and you used that to browse websites, mozilla came *bundled* with your operating system.
This is all well and good.
Now you install a Firewall, perhaps one bundled with your Linux distro.
Suddenly, Mozilla doesn't work anymore! You can't browse the internet!
Is this the fault of your Linux distributor? Why are people saying that Windows is useless because the new firewall *blocks* traffic unless you open the right ports? Why aren't people saying the same for Linux, when Linux works *exactly* the same way?
Or do you just like to spread anti-MS FUD so you can get karma on slashdot?
I am government man, come from the government. The government has sent me. -- G.I.R.
At present if you want other ports to open, other than these default services, you have to open the ports manually. however I would imagine this coupled action is handled by some .plist xml configuration file. So its probably possible for an application to add its own services to the sharing menu and have them coupled to the firewall if you turn the service on.
On my mac I do manually block the incoming and outgoing license manager ports for MS Office. If you dont and want to share the app on your laptop and desktop then you will lose any open edited docuements if you inadvertently plug them into the same network. I wonder if this lic manager is the reason why MS gave the firewall the ability for apps to open ports in the firewall and to have outbound connections?
Some drink at the fountain of knowledge. Others just gargle.
The company I work for issued a statement telling the employees NOT to "upgrade" their computers because of the incompatibilities.
I'm sure there's going to be at least a dozen knuckleheads out of 3000+ who do DL the update. Those are the same one's who call the Help Desk saying, "Hello, I think I just got a virus. (pause) Yeah, I received an email that had an attachment that I didn't recognize so I double-clicked it to find out what it was. (pause) Ok, I'll shut it down and wait for a tech. Thanks. (click)" Unfortunately, that is an actual conversation I heard over the cube wall...
I'm so glad I work on the UNIX side of IT!
See if you can find your favoirite bug on this list!
Best Buy can have you arrested
It just fills you with confidence in their network security qualifications, doesn't it? I'm sure their audience won't be too confused (even most online gamers know the difference between "port number" and "number of ports"), but that just makes it even stranger that they hired a technical writer who can't make that distinction clearly.
RTFA please.
The same applications would all stop working if you installed any firewall, hardware or software, router or ZoneAlarm.
This has nothing to do with QA testing - obviously if you enable a firewall, some apps are going to stop working.
Why on earth is it microsofts QA departments fault that you can't FTP if your FTP port isn't open on your firewall?
If you think that it really is MS's fault after actually reading the article - then yes, you should be shot. Twice. Darwin save us all.
I am government man, come from the government. The government has sent me. -- G.I.R.
The whole Service Pack 2 thing here on Slashdot has gone way out of control. You have to stop bashing Microsoft for every single thing they do. This time they tried their best. Yes, it might not work 100%, yes some things will break, but this is the nature of a firewall, and it's definatly the nature of Microsoft. Would you rather Microsoft hadn't released SP2? I don't think so.
Also, to those of you wise enough to know if you'll have compatability issues, don't install SP2. It's clearly not for you. This is aimed at the average Joe user who browses the Internet, and checks his e-mail. It's designed to stop low level attacks instead of causing the next Blaster. Just because you are a Geek or a Linux guru does not give you the right to bash this, because it is not for you. There's a reason you're using Linux, right? Better security, etc? Stick with it.
And the final point, a lot of you are complaining about how the average user knows no better than Microsoft, and can't defend themselves against simple spyware. Then for God's sake, please go out and help these people! You wouldn't believe the number of people who come to me to fix their laptops about various problems (mostly spyware and viruses), and I always educate them on the matter. I don't just fix it for them, I make sure they understand exactly what they did wrong, and how never to repeat it. And to those of you who believe that they should be ditching Windows XP for Linux... forget it. It's not for them. They'll have no reason to switch over. You're preaching to the wrong choir. Talk to those who you know will be interested rather than the average user.
If they were interested in helping newbies, they wouldn't be blowing grandma out of her chair with a first step such as:
1. Click Start, click Run, type wscui.cpl in the Open box, and then click OK.
Whatever happend to click start, click on the control panel, then click on the icon...?
I fear the easiest solution for most will just be clicking the disable box next to the firewall service.
it is NOT OKAY to open up a machine in root (as windows is) to the world for the sake of an application doing something the user may or may not know about in the background. it was NOT OKAY to maintain for lo these many years that the backdoors of ActiveX and DirectX to kernel functions to be open for all and sundry just because it made pretty things happen in demos.
it was NOT OKAY for microsoft to assume blithly that users are all dunderheads who can't be educated, can't take responsibility, and can't be trusted to make choices.
the only thing broken is not the 50-odd apps, but the corporate vision of M$. they need to deal with the facts: it is not "the Connected Internet with each user a Member Of The Community" any more; everything is interconnected and bad boys can roam the streets unseen and unbidden in Electron Town; and, finally, welcome to the 21st Century, M$, please read the rules this time.
if you want a really good firewall, consider either tiny firewall or zone alarm, both much more friendly and complete, and free as well as licensed/supported versions of both availiable for download any time you want.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Laptops.
(Here are some more words: like you, I use a hardware firewall for my home/office, but when I'm at the coffeeshop with my laptop, it's kinda hard to lug all that routing gear around.)
(And here are even more words for you: concrete, bouncy, superfluous, carrot, foobly, upwards. Not sure about foobly, though.)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
This is not an assumption, it is a conlusion (and one shared by anyone who has ever spent time trying to support end users). Most users are dunderheads, won't take responsibility, don't want to be educated and can't be trusted to make good choices.
Not all, mind you, but certainly most.
There's a common misconception that the ports above 1024 are somehow "safer" than the lower-numbered ports. As far as an attacker is concerned any tcp port is as good as any other if there's a service listening on it.
All's true that is mistrusted
Uh. No. On my stock install of OS X 10.3, any admin user on the system has read-only access to that file unless they authenticate. So they can certainly *look* at the settings, but they can't change them as you imply.
You must have either authenticated that application before you opened it, or have some weird configuration of OS X.
Comment of the year
I still firmly believe that a person needs a bit of an education before using a personal computer of any sort, especially one with internet access. For their own safety, if not for the safety of others. This isn't the sort of thing that can be remedied by making UI's more intuitive or friendly. Some things you just need to know. For example, everyone should know: what the Internet is; that not everyone on it is trustworthy, and most importantly to READ BEFORE YOU CLICK.
Ignorant (and often gullible) users are too easy to manipulate; 90% of the time it is they who succumb to the shenanigans of fraudsters and virus-writers. For their own sake they need an education, Lord knows the worst of them don't have any common sense.
And indeed, every user should know how to operate a basic firewall. It's an easy thing to explain, especially at the level of allowing or disallowing programs access to the 'net. I've taught several people how to use ZoneAlarm or McAffee Firewall. Most people understand it pretty quickly.
Perhaps if the education can be integrated into the UI somehow (error/warning/question dialog boxes with more pedestrian language and more explanation), we might make some headway against the exploitation of ignorant users.
for a standard setup and ports 1-1024 it's not as big of a deal, really, as your "friendly neighborhood cracker" needs to crack your machine completely to open ports. (Should be obvious, but if your user has root, you just lost all benefit of the firewall as it can be modified)
However, if the cracker just manages to get user privilidges on the box, *ka-blam*, if you don't block inbound you are a mail relay, a DoS zombie, you name it. An easy way to prevent that is to block everything incoming that you don't use.
Heck, with the way some rootkits work, and the relative naievete of the cracker, blocking hte lower ports may prevent something more sinister happening automatically and give you time to shutdown/clean/whatever the system before things get too screwed up.
A good firewall plan always starts with "block everything".
Another neat trick is to use NAT and port forwarding to send all incoming traffic on the firewall from the internet to a host on the local net that doesn't and will never exist. Depending on implementation and how you use it, this prevents the cracker from even touching the box (save a hole in the networking stack) and installing services on it, even if cracked, is fairly pointless. Of course this trick is useless if you don't follow firewalling best practices and block all incoming traffic from the outside that appears to come from internal-only network blocks.
And so what if you installed a hardware firewall? Would you say it is broken if it came with all the ports closed? No, of course not! That is what it was designed to do. Don't blame Microsoft because it's software does what it's designed to do! (Especially if that software actually improves the security of their products!)
As for your comment on these programs having been this way for "years and years", that is somewhat disingenuous. These features may have only been around as long as the internet has been popular, starting around 1996 (or, the "Information Superhighway" aka shoot-me-now-and-put-me-out-of-misery era). Moreover, since these programs require an internet connection with certain ports open, then I'd speculate these were implemented after broadband connections became popular around, what 2000? That was only four years ago, hardly the "years and years" you make it seem.
Even so, just because these programs were doing this for "years and years" doesn't mean they were doing the correct thing in the first place. The third-party software should actually tell their customers that certain ports need to be open. (What a concept!) Actually telling the customers within the software would be ideal. Otherwise, manufacturers should have some place on their website that explains what ports need to be open.
The directory /Library/Preferences has perms of g+w, so group users can write to it - thus as the other poster noted you can potentially overwrite the file. At least, TextEdit sure does.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Parent poster embarasses himself and does not understand that "admin" != "root" on a macintosh.
Given this dialog:How many users are going to click "Yes"? You think it is stupid if a user clicks "Yes" but do you know how stupid is it to allow the user the option to click "Yes" and ruin their computer?? Now change "Ruin your computer?" to "An application has request traffic on port 139. Open it?"
This is a simplified example yet this is whats happening. A firewall is supposed to stop network traffic inbound or outbound that isn't accounted. Allowing the user to sidestep this easily is as handy as asking if they want to ruin their computer: Yes or No. Even with the improved features I'm still going to get calls from Mom saying something complained it wanted access so she clicked "Yes" to get it to shut up. Expecting users to be savy enough to patrol their computers got MS into this mess with SP 2. Now people are suddenly going to be wise??? Something doesn't add up.
I am not knocking SP2 since there are great things going on here but as the old saying goes: Security is a process. SP2 still "enables" users to screw up their computers with a few more hoops to jump through. I would rather have my parents have to jump through a few more hoops before they hang their computer with all of the wonderful "rope" MS gives them but I'm still very bothered its easy to hang themselves.
Simply put, in my opinion Zone Alarm is right and SP2 is wrong. The firewall is there to stop unwarrented traffic not to conviently prompt you to disable it.
Most of us conscientious 'app vendors' have been diligently studying the various release candidates coming out of Redmond.
Before beating on the ISVs make sure you check out a legitimate bug in SP2. This particular bug wasn't present in RC2 and has caused a good few slashdot-friendly vendors some undue heartache (notably PuTTY).
Yes, there are vendors out there who ought to have been more prepared, but MS certainly needs to take a good deal of responsibility for these current issues.
Tarkwyn.
Like you can configure Windows firewall as a part of the installation process (I've applied SP2 at home).
As Mr FUD is suggesting, Windows users won't configure the firewall at install time (which is why those apps don't work). To be fair we'll also assume that you won't configure your linux firewall at install time.
Any good firewall will block outgoing traffic just as well as it blocks ingoing traffic, by default. The new windows firewall in SP2 blocks outgoing traffic (the SP1 version of the firewall was inbound blocking only).
So, without configuration, you'll find all those linux distros you've listed share this same problem - when you install an unconfigured (all ports closed 2-way) firewall on them, some applications will break.
You can't go and say that it's a "non-existent" problem, because you have to assume that any user who can't configure a firewall under Windows couldn't do it under Linux either. What we're really seeing here is Windows moving closer to Linux's security methodology - secure by default. So the problems mentioned in the article are directly applicable to any Linux distro that is secure by default - yet people are hanging it on MS despite this.
I am government man, come from the government. The government has sent me. -- G.I.R.
The fact is that the majority of Joe Public is far too stupid & lazy to want to bother understanding how a computer works so Microsoft has had to force their hand into making their systems more secure.
Whilst I consider Microsoft "it's own worst enemy" by portraying its OSes as error free and requiring minimal management in advertising, they have taken the right action here because hopefully this starts to make it more difficult for viruses and worms to propagate meaning that we all benefit.
If there's one big advantage we have in the Linux world over the Windows world is that our proportion of idiot users is virtually zero - I for one hope it stays that way also.
Gentoo Linux - another day, another USE flag.
I'll tell you a story.
/. about MS security, btw.) Joe Average wouldn't know, and wouldn't reformat.
I once had to install Windows 2000 on a box, and as Loki would have it, I had no Zone Alarm or Sygate Personal Firewall on a CD at hand. Just as Joe Average would.
So I could go download it somewhere else, or I could do a scapegoat installation just to download a firewall. I chose to just sacrifice an install to the gods of Hacking. I _knew_ I'd get hacked, but that was OK, since I'd reformat immediately after anyway. (Takes less time than whining on
(And I'm not disappointed. It takes less than a minute to get my uplink bandwidth saturated with mysterious outbound packets.)
Still, it will serve to illustrate what happens after you get your machine 0wn3d by some l337 skr1p7 kiddi3.
So I decide to play with it a bit longer, and see what happens with a firewall and an 0wn3d machine.
I start the newly downloaded and installed Sygate Personal Firewall, and immediately it pops up a window telling me the name of the application _and_ what's it trying to do. I block it, and that's that. No more outbound packets. I can tell struggles long and hard to send crap, but it can't. Both its inbound and outbound pipes have been sealed shut.
I can now toy with that machine as long as I wish, trying to disinfect it. Again, which is what Joe Average would want. If it's _not_ a sacrificial install, but some machine where his resume and a few gigs of other important data is, Joe will not want it reformatted.
I can even surf the net looking for information on the trojan, safe in the knowledge that it's blocked. No need to pull out the network cable.
Whereas you tell me that Apple would have allowed it to open its own ports, as it damn pleases. Inbound or outbound, whatever. And not even told me about it.
Well, gee. Sorry, that's not the kind of security I'm looking for. Dumbing down a firewall to the point where it doesn't actually block anything, in the name of "user-friendliness" is _not_ the way to go.
A polar bear is a cartesian bear after a coordinate transform.
I think this is what is commonly reffered to as the dark side of the force.