Slashdot Mirror


XP2 Spotted In The Wild

LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."

6 of 634 comments

  1. Re:Can someone answer this question? by hardreset · · Score: 5, Informative

    Microsoft released SP2 in a staggered fashion. First to MSDN subscribers, OEMs, Enterprise customers, etc. Second, SP2 was unleashed to XP Home Edition via Windows Update. Today, they're finally allowing XP Pro users to get the patch. It was intended to allow corporate customers the ability to disable the update to their clients.

  2. I installed it last night by mrgreenfur · · Score: 5, Informative

    I noticed it was up last night so I installed it.

    It's 94.50 MB, which takes a while to download. Upon installation and restart the new Windows Security Center pops up and tries to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.

    Otherwise there doesn't seem to be any major changes.

    So far nothing's borked.

  3. Re:Scary stuff. by spellraiser · · Score: 5, Informative

    You forgot ...

    Step 0: Open IE

    Couldn't even drag the scrollbar in Firefox :-/

    Then I opened IE and tried it - jackpot. Nice little booom.exe in my startup folder. I have SP2 installed. Good grief.

    --
    I hear there's rumors on the Slashdots

  4. Re:I'm sorry, were you expecting better? by Vann_v2 · · Score: 5, Informative

    That's the network install, which includes every update since XP was released plus code to figure out what version of Windows you're actually running. If you download it from Windows Update it does all that beforehand and only sends you the stuff you need, which makes for a much smaller download.

  5. Re:Actually, no... by BabyDave · · Score: 5, Informative

    The reason they say it's safer is because they took advantage of the new processor features that allow you to mark a block of memory as "non-executable", thus stopping buffer overrun 'sploits and similar problems. Linux doesn't have this feature.

    Yes it does

  6. Re:SP2 - as secure as any linux distro... by bankman · · Score: 5, Informative

    And designing new programs from a marketing impetus instead of what people want.

    You probably don't know it, but marketing is about giving people the product they want. Unfortunately many companies (and Microsoft is one of them) talk about marketing, but what they are really talking about is advertising.

    "What if somebody could tell if their machine was secure just by opening a control panel?"

    This statement would be a really bad example of marketing: The company and/or its developers and "marketing" experts sit together and brainstorm without ever actually asking the customer. If they were to ask me this exact question, my answer would be:

    "Are you really this insane? I don't want a control panel to tell me whether my machine is secure. I want the machine to be secure, plain and simple. Given MS Windows' (whatever incarnation) security track record, I neither would nor could ever trust any application that tells me the security status of the machine from within. It's probably already cracked, infested or whatever anyway by the time I check it. If history tells us anything, it's that any application can be made to tell me that it is secure."

    ...but it will take at least a year to develop something like this that actually works well enough to be a part of windows.

    I couldn't agree less with you. According to developers who are far more experienced with Windows than I am (IANAP), Windows is insecure by design; no fix or additional security layer on top of the current product will ever make it more secure. The only way to fix it is to dump it and start from scratch.

    This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.

    Many people argue that XP, while more stable than all previous versions, with the notable exception of W2K, is still in development status and many of its design features are so braindead that many knowledgeable people have already lost trust in it.

    IMHO, this is yet another stupid toy to make the casual home user and the boss feel more secure without actually delivering on the promises. If you were to ask them, they would all answer that they want a machine that is actually more secure rather than having an MS tool that tells them they are. Once they told you, you design a product that is actually secure and does what the customer wants. This is marketing from an academic's point of view.

    --
    I feel so sig.