Slashdot Mirror


XP2 Spotted In The Wild

LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."

12 of 634 comments

  1. Re:Can someone answer this question? by hardreset · · Score: 5, Informative

    Microsoft released SP2 in a staggered fashion. First to MSDN subscribers, OEMs, Enterprise customers, etc. Second, SP2 was unleashed to XP Home Edition via Windows Update. Today, they're finally allowing XP Pro users to get the patch. It was intended to allow corporate customers the ability to disable the update to their clients.

  2. I installed it last night by mrgreenfur · · Score: 5, Informative

    I noticed it was up last night so I installed it.

    It's 94.50 mb which takes a while to download. Upon installation and restart the new Windows Security Center pops up and tries to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.

    Otherwise there doesn't seem to be any major changes.

    So far nothing's borked.

  3. Re:Scary stuff. by spellraiser · · Score: 5, Informative

    You forgot ...

    Step 0: Open IE

    Couldn't even drag the scrollbar in Firefox :-/

    Then I opened IE and tried it - jackpot. Nice little booom.exe in my startup folder. I have SP2 installed. Good grief.

    --
    I hear there's rumors on the Slashdots

  4. Re:I'm sorry, were you expecting better? by Hungry+Student · · Score: 4, Informative

    That's because you got the network admin version, which has every little bit for every possible system so that admins can customise it for the systems running on their networks. The version designed for single computers is between 50 and 80MB according to how well patched your pc is to start off with. You're right that they're, effectively, rolling out XPv2, but your reasoning's off.

  5. Re:I'm sorry, were you expecting better? by Vann_v2 · · Score: 5, Informative

    That's the network install, which includes every update since XP was released plus code to figure out what version of Windows you're actually running. If you download it from Windows Update it does all that beforehand and only sends you the stuff you need, which makes for a much smaller download.

  6. Re:this is surprising? by halowolf · · Score: 4, Informative

    Oh XBOXs can be updated. It's the first thing that happens to them when you connect to XBOX Live, and there are more updates after that.

    Of course, you can "update" them also with mod chips, but I don't think that that is what you had in mind :)

  7. Re:Actually, no... by BabyDave · · Score: 5, Informative

    The reason they say it's safer is because they took advantage of the new processor features that allow you to mark a block of memory as "non-executable" thus stopping buffer overrun 'sploits and similar problems. Linux doesn't have this feature.

    Yes it does

  8. Re:SP2 - as secure as any linux distro... by dotcher · · Score: 4, Informative

    Mozilla has never had a security bug, right?

    You run *any* OS as root or equivalent on a daily basis, and you're going to have problems sooner or later.

    Okay, so if you're running IE that's more likely to be "sooner" than "later" but the point still stands - the main problem is running systems with more privileges than they need.

  9. Re:Need root? by 0123456 · · Score: 4, Informative

    "Someone please explain to me how this is different than Linux?"

    Most programs on Linux run happily as a non-root user. So many programs on Windows force you to run as an admin user that most people who even think about trying to run as a non-root user quickly give up...

  10. Re:I'm sorry, were you expecting better? by danheskett · · Score: 4, Informative

    For example, XP SP2 now modifies IE to reject redirects. i.e. If you have a redirect page to forward someone to your new website

    META REFRESH is not a good way to redirect people, and furthermore, it's not standards compliant. Allowing META REFRESH to direct users around the web without their consent is deceptive, and a major usability problem for users.

    One of the big goals of SP2 was to improve the web browsing experience for users tired of getting hijacked by bad nasty web pages that intentionally use seemingly harmless methods to corral, trap, and frustrate users.

    A lot of people use the META REFRESH directive to move them to a new URL once an old one has expired. Even on Firefox/Mozilla this can be used to trap users, enable phishing, and the like.

    Better methods, where you can address this, are to:

    - Use server side URL rewriting, like in mod_rewrite or like available in IIS
    - Display a simple page with a large clear hyperlink and message to update the original link
    - Display a simple page like above and use a simple JavaScript to move the user (unlike META commands, the JavaScript can be disabled).
    - Use the appropriate 3xx HTTP status code and let the client handle the change appropriately

  11. Re:this is surprising? by DashEvil · · Score: 4, Informative

    Hey. I hate Windows as much as the next guy, but if you want to make a compelling argument you should at least be fair.

    Windows XP came out in 2001. Do you really need me to tell you that running a RedHat distribution from 2001 would be suicide right now?

    --
    -If God wanted people to be better than me, he would have made them that way.

  12. Re:SP2 - as secure as any linux distro... by bankman · · Score: 5, Informative

    And designing new programs from a marketing impetus instead of what people want.

    You probably don't know it, but marketing is about giving people the product they want. Unfortunately many companies (and Microsoft is one of them) talk about marketing, but what they are really talking about is advertising.

    "What if somebody could tell if their machine was secure just by opening a control panel?"

    This statement would be a really bad example of marketing: The company and/or its developers and "marketing" experts sit together and brainstorm without ever actually asking the customer. If they were to ask me this exact question, my answer would be:

    "Are you really this insane? I don't want a control panel to tell me whether my machine is secure. I want the machine to be secure, plain and simple. Given MS Windows' (whatever incarnation) security track record, I neither would nor could ever trust any application that tells me the security status of the machine from within. It's probably already cracked, infested or whatever anyway by the time I check it. If history tells us anything, it's that any application can be made to tell me that it is secure."

    ...but it will take at least a year to develop something like this that actually works well enough to be a part of windows.

    I couldn't agree less with you. According to developers who are far more experienced with Windows than I am (IANAP), Windows is insecure by design; no fix or additional security layer on top of the current product will ever make it more secure. The only way to fix it is to dump it and start from scratch.

    This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.

    Many people argue that XP, while more stable than all previous versions, with the notable exception of W2K, is still in development status and many of its design features are so braindead that many knowledgeable people have already lost trust in it.

    IMHO, this is yet another stupid toy to make the casual home user and the boss feel more secure without actually delivering on the promises. If you were to ask them, they would all answer that they want a machine that is actually more secure rather than having an MS tool that tells them they are. Once they told you, you design a product that is actually secure and does what the customer wants. This is marketing from an academic's point of view.

    --
    I feel so sig.