Slashdot Mirror


Latest SP2 News

Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"

26 of 483 comments

  1. Microsoft's response: by tpgp · · Score: 3, Interesting
    From the end of the second page:

    "We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."


    *Shrugs*
    --
    My pics.
  2. is it serious enough? by Anonymous Coward · · Score: 1, Interesting

    Is this flaw serious enough to be used to write some worm?

  3. Re:Where is SP2... by pmcc · · Score: 2, Interesting

    I remember hearing that Service Pack 2 will not be available manually via Windows Update until sometime around August 25. Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.

  4. Managing large projects by nboscia · · Score: 5, Interesting

    This makes me wonder how Microsoft, as well as many other large software corporations, manage security patches and quality assurance of their software. Is the problem with there being so many people working on different projects that they do not communicate and therefore things get overlooked, or is it due to the complexity of the software, or something else entirely? I couldn't imagine how someone could manage 'security' for Windows (or any similarly large project) and be 100% sure of what all the technical staff do. Does it come down to having more meticulous software engineers and rigorous testers? How would people recommend this be done? I'm sure the typical "make it open source!" answer will be given, but if that is not an option, how do companies who are more successful at this do it?

  5. I'd actually be surprised if there are no bugs in by melted · · Score: 4, Interesting

    in SP2. They've gone through pretty much everything, re-hashed a lot of stuff, sometimes on a very deep level. Tons of bugs were fixed. There's not a software company in the world that could release something like this with zero bugs. Not even demi-god Linus Torvalds is capable of such a monumental technological feat as releasing code without bugs.

    Having said that, it's all about risk management. If you're willing to postpone SP2 roll out in your org you've got to estimate the risks of not rolling it out, too. As I said it fixes a lot of issues, and if there's a bug or two the benefits still outweigh the risks by a wide margin.

  6. Execute.me by lastberserker · · Score: 5, Interesting

    How is sending a .gif and asking to run cmd on a Windows XP system any different from sending a .gif and asking to execute perl on Linux or BSD?

    --
    My other Beowulf cluster is... er...
  7. Actually what happened was the Divx codec thing by Anonymous Coward · · Score: 1, Interesting

    was too hot.
    I mean come on. Here's MS trying to push WM9 on all the media companies saying how they promise to play nice and then suddenly they shut out Divx. That didn't look good at all.
    I'm not saying Divx is the greatest codec, but it looked bad.

  8. Only 2 for a new OS release? by OffTheLip · · Score: 5, Interesting

    From my perspective based on the size of SP2 I'd say it's a new OS. Two patches/flaws in a MS OS is darn good. Kudos to Redmond.

  9. SP2 Borks iPODS it seems... by spineboy · · Score: 5, Interesting
    There are many, many reports on iPODLounge (the main iPOD support forum) of people who install SP2, lose their iPOD functionality, and then need to roll back their XP system to pre-SP2 in order to get their iPODS to function again.

    I just got a new 4th gen iPOD, which I can write to on Linux, but can't get to work on my XP-SP2 Windows dual boot machine.

    Guess what I'll be uninstalling next...

    --
    ..........FULL STOP.
  10. Spreading the load... by RenatoRam · · Score: 2, Interesting

    If you did not notice, MS normally uses the services of Akamai to auto-distribute the load of their DNS AND their content servers. The images, media and download files are hosted on (linux) akamai servers, and are auto-mirrored to practically every ISP in the known world(s).

    So the bandwidth excuse is not an option...

    --
    Ciao, Renato
  11. Re:Outsourcing a problem? by ggvaidya · · Score: 5, Interesting

    No wonder Windows '95 was so nice and stable, huh? Happened long before the bad new days of outsourcing ...

  12. Re:'Flaws' Not that big of a deal by Shirotae · · Score: 2, Interesting

    The specific flaws may not be a big deal today, but Jürgen Schmidt's article Microsoft: A matter of trust makes some very good points about what the response says about Microsoft's attitude to the problem. One of the biggest obstacles to security is the "it hasn't been exploited yet so it isn't a problem" attitude in those who hold the purse strings. It is a recipe for always doing too little, too late.

  13. Enough already... by Ghostgate · · Score: 5, Interesting

    I mean, let's be serious. I'm not defending Microsoft because let's face it, they have allowed some pretty serious security flaws to get into Windows in the past. But the article does mention "social engineering" and I ask you, isn't this at the root of many, many security issues? I'm not saying Microsoft is never to blame - not at all. But what I wonder is how much damage has to be done before the typical user just sits down and LEARNS a little about security. I am honestly appalled at the number of computers I see that are on the internet without ANY form of anti-virus protection - much less a firewall. Computers are certainly much more complex to operate than say, a car - and we make people go through a whole course and take a test before they're even legally allowed to drive one. Why? Because they can end up killing someone, or themselves, if they don't do it right. With a computer, it's not that severe, but you can still do some major damage (or have it done to you).

    Put it this way. If the average user took the time to learn just a little more about this device that is a BIG part of their lives, and how to keep it and their private information secure, would security really be as massive of an issue as it is today? I will say this, though - I'm glad Microsoft has turned the firewall on by default in SP2. I know it's going to cause a lot of headaches, but think about it - a lot of people are hearing about a firewall for the first time thanks to SP2. Hearing about it, and being FORCED to deal with it, is a big step for the average user towards learning more about security.

  14. Re:'Flaws' Not that big of a deal by LiquidCoooled · · Score: 5, Interesting

    I don't know about you, but just being an Open Source fan unfortunately does not mean I can stay away from Windows.

    In the real world, we have jobs and PHBs and spouses who don't want to disrupt things or break working apps (Sims for the missus, god help me if I break that one!).

    I think the SP2 stories are required reading at the moment, and at the same time, I am glad the comments are littered with cynical remarks and questions. We need to question the motives of these companies, and we need to test SP2 to breaking point.

    We want Linux to "take over the desktop", but at this point, as a compromise I am happy running Firefox and OO.org.

    I won't try and say I dual boot; I find the thought of having to reboot an entire computer just to run one program absolutely stupendous, but when I get my linux bug I always have a knoppix disk lying around :)

    --
    liqbase :: faster than paper
  15. Re:'Flaws' Not that big of a deal by Sancho · · Score: 4, Interesting

    That's a very interesting point. "Zones" in Windows seem to be a feature slightly too technical for your average user (the ones who might really benefit if it was implemented well) but completely useless and potentially burdensome to people with even a moderate level of computer knowledge. That makes it an almost worthless feature, in my book. The novices won't know how to use it, and the experts won't care to.

  16. Zero Mission by Graymalkin · · Score: 2, Interesting

    In the past few Windows XP SP2 threads there have been several people complaining about slashdites seemingly "picking" on Microsoft and celebrating any and all flaws the update has. I don't feel bad for Microsoft in the slightest at this point. They've been touting the security of Windows XP for years now and have done little to actually back up their claims. Sure some Windows XP system on a managed network with double filtered internet access and nightly reimaging might be pretty secure. In the home however Windows is simply a disaster waiting to happen.

    While SP2 is more secure than the original release and SP1 that doesn't reduce the number of Blaster hits my firewall blocks. It also doesn't affect the 50% of Windows users that will never download the update and will continue to be hammered by viruses and worms. Microsoft's delays and incompatibility problems just exacerbate the matter.

    It's good to see Microsoft taking real heat from the industry press over their problems in SP2. The industry as a whole rolling over for Microsoft is what led to the situation as it stands now. The original release of Windows XP was riddled with holes and was summarily exploited. No one seriously called Microsoft on this fact and SP1 was little more than a collection of security patches and minor bug fixes. The changes made in SP2 should have come out years ago. Maybe then you could plug a Windows system into a cable modem and last more than twenty minutes without being exploited.

    Linux is improving in the usability and management arena and MacOS X is gaining mindshare as Apple improves its hardware. Both of these OSes are designed much more securely yet have a high level of technical capability. I really hope people begin to see there are alternatives to Windows and they're not nearly as bad as Microsoft would have you believe. SP2 is going to teach their management a hard lesson; despite being a monopoly power in the industry they still have to improve and maintain their OS.

    --
    I'm a loner Dottie, a Rebel.
  17. Re:'Flaws' Not that big of a deal by alex_tibbles · · Score: 2, Interesting

    Yes. The system as a whole is vulnerable. I don't see how the individual tech support person can help though. How would they verify that they are talking to the right person? Asking them to remember some secret piece of information to prove their identity is exactly what they have just proved they cannot do. What are the other options?

  18. Re:'Flaws' Not that big of a deal by Ilgaz · · Score: 4, Interesting

    I run Intego netbarrier on OS X (yep, shoot me) and man, these days I am on 56k (shoot again)... :)

    Getting 3 kb/sec and continuous alert sounds, I wondered what the heck happened, checked logs.

    A new stupid lamer virus checking my port 135. I am on OS X right? FreeBSD based? Got firewall? Nothing helps. I am affected by STUPID windows and some jerks opening attachments.

    So, I really hope SP2 will work as advertised, at least stopping viruses coded in VISUAL BASIC, for God's sake... I am not making any sarcasm. I hope it works and guess what? Only owning Macs, I watch all stories about SP2 with Yahoo alerts etc.

  19. Awwwww, FUUUUUDGE! by Asprin · · Score: 2, Interesting


    Well, I learned something. Apparently, for some time now, Windows XP has been completely willing to execute executables that do not have an executable file extension. For example, if you rename notepad.exe to notepad.gif, you can "CMD /C NOTEPAD.GIF" and it will pop right open. Not sure yet if explorer will do this the same way: One test I ran (notepad.exe -> notepad.xxx) prompted for a program, while another program (nestor.exe -> nestor.xxx) just ran normally. Maybe it has something to do with the origin of the file, or whether the file extension is registered or not. I noticed that Windows replaced notepad.exe with a new copy a few seconds after I renamed it.

    The point?

    Those of us using RENATTACH on our mail servers to filter out malware and viruses now have another hole to plug.

    Thanks, Microsoft.

    Dorks.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
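The hole the comment above points at is that a filter like RENATTACH keys on the file extension, while Windows will happily run a PE image named notepad.gif. An added example, not part of the original post, of the content-based check a mail filter needs instead: parse the DOS "MZ" header, follow e_lfanew to the "PE\0\0" signature, and flag a PE image whatever its name. The sample attachments are constructed in memory (the fake PE image is the smallest layout that satisfies the check), and the function names are my own.

```python
import struct

EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd"}


def _fake_pe_image() -> bytes:
    """Constructed sample: a minimal DOS stub + PE signature + COFF header."""
    e_lfanew = 0x40                                  # offset of the PE signature
    dos_header = bytearray(e_lfanew)
    dos_header[0:2] = b"MZ"                          # DOS magic
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)  # e_lfanew field
    # COFF header: Machine=i386, 0 sections, timestamp/symtab zeroed,
    # 0 optional-header bytes, Characteristics = EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0x0102)
    return bytes(dos_header) + b"PE\0\0" + coff


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at 'PE\\0\\0'.

    The file name is deliberately ignored: that is the whole point of the check.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):                     # signature out of bounds
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine the old extension rule with the content check and return a verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    by_name = ext in EXECUTABLE_EXTENSIONS
    by_content = is_pe_image(data)
    if by_content and not by_name:
        return "block: PE image disguised as ." + (ext or "(none)")
    if by_content:
        return "block: executable attachment"
    if by_name:                                      # e.g. a .bat script, no PE header
        return "block: executable extension"
    return "allow"


# Constructed samples: the renamed executable from the comment, a genuine-looking
# GIF header, and an honestly named executable.
SAMPLES = {
    "notepad.gif": _fake_pe_image(),
    "photo.gif": b"GIF89a" + b"\0" * 64,
    "setup.exe": _fake_pe_image(),
}


def scan_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```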
  20. People aren't keeping up with the news, so... by Anonymous Coward · · Score: 1, Interesting
    Here are a few items that Microsoft Windows users really need to read: How much more proof do you need to stop using Windows?
  21. Re:News for Nerds. Stuff that matters. by dave420 · · Score: 3, Interesting
    Good points, dude!

    I'm one of those developers. I write OSS on Windows, because Windows does for me what I want. I'm not starting a windows vs. linux debate, but a maturity vs. immaturity debate. I can totally understand why people use linux. I really can. I even use it myself (tho not on my own desktop). I'd defend someone's right to use linux with all my might. Why do I get the feeling that sentiment wouldn't be reciprocated by the /. community? It's called objectivity, folks. If you want OSS to be respected, start respecting other operating systems. Start respecting closed-source apps and developers, and they'll start respecting you more (they already respect you, but this cheap pot-shot name-calling only hurts that).

    I find it increasingly difficult to talk to people who don't know about OSS and tell them how cool it is, because the community behind it is cheap. Really cheap. Are you all proud that you're bashing an operating system that your favourite OS is aspiring to replace? If linux had 95% of the desktop share, would you love it if people bashed it without any reason what-so-ever? Of course not. So don't do it to windows. Sure, pick up on the truly bad stuff, but also pick up the good stuff. Do the same for linux, as well. Be fair, that's all. Objectivity. It's your friend.

    Anyway, I'll be called a troll for this. I don't care any more. I waste so much time wading through people talking out of their asses on here, it's hard to get to the actual stuff that matters.

  22. Re:'Flaws' Not that big of a deal by pboulang · · Score: 2, Interesting
    Run it. Obviously it only prints things out to screen, so not exactly a security concern.

    pretty, it's a fractal.

    --

    This comment is guaranteed*

    *not guaranteed

  23. Re:'Flaws' Not that big of a deal by EpsCylonB · · Score: 4, Interesting

    But...

    2) heavily biased towards linux.

    So we are heavily biased towards linux, but still using windows. Right...


    How are the two mutually exclusive?

    Linux is a very successful server operating system but so far its desktop penetration is relatively low. Many people may be reading slashdot at work where they have no choice of what operating system is run on the desktop.

    I personally run WinXP (cause I like games) but have used a Linux box as router in the past. So technically I use both windows and linux.

    In fact there are many reasons to explain the windows desktop dominance even in a techie demographic like the slashdot readership.

  24. Re:First Bug... They never tested it with win2k ? by Senzei · · Score: 2, Interesting
    So you're saying you can make use of all the new features of a brand new linux desktop on a linux server that is four years out of date? Sure win2k server has been patched, but my point is that you are trying to use a win2k3 domain feature in a win2k domain. Of course you'll have problems.

    Funny thing is if this was brought up in a comparable linux situation the solution would be "Go download kernel version xxx and install it." Yet somehow upgrading to win2k3 is not seen as the same solution to the problem. Yes it costs you money to do the windows upgrade, probably lots of money, but that's the cost of doing business with microsoft.

    --
    Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
  25. Re:'Flaws' Not that big of a deal by js3 · · Score: 2, Interesting

    No components of the system are vulnerable. It's like running a program with a buffer overflow that listens on ports under LOCAL_SYSTEM. What is happening here is IE firmly plants itself as an administrator and adds an insecure layer of its own protection. By taking advantage of this you can gain system level access. If you don't run IE you won't have these problems but as IE is almost part of the system it is unavoidable.

    --
    did you forget to take your meds?
  26. Re:Oh? I can't run linux as root? by _xeno_ · · Score: 2, Interesting
    Ever try doing that on a Windows machine?

    For a while, I had my primary account be a restricted user and was using Run As... to get administrator privileges for programs that needed that. After realizing that basically every single program I used required administrator rights, I gave up, and made my account an administrator account. (Most annoying was WinAmp - it turned out it required "Power User" privilege levels (or higher) to operate properly.)

    (To be fair, I primarily use Windows for playing games, and most games for some stupid reason require you to be an administrator, including several of Microsoft's games. I don't really understand why - you can use DirectX as a normal user, and it isn't for the network portion. But the developers programmed them to check if you're an administrator and not run if you're not.)

    The thing with Windows is that a ton of developers just assume that you'll be running as an administrator (probably because they're coming from writing for Windows 98 or the like), making it a real chore to be running Windows as anything but Administrator. Yeah, you can do it - but it rapidly becomes too much of a hassle to explain.

    (Besides, who else thinks that even if you did teach people to run as non-admin and only use the admin account when needed, you'll still have users downloading trojan-program.exe and running it as admin when it tells them they have to? Maybe Microsoft should make it so that IE always runs as an unprivileged account. :))

    --
    You are in a maze of twisty little relative jumps, all alike.