XP2 Spotted In The Wild

LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."

Can someone answer this question?

[forgotten_my_nick]

I was told it was rolled out today (SP2), so can someone explain why my XP machines wanted to install the SP2 patch a few days ago?

this is surprising?

[suezz]

why does this surprise anybody - I am sure glad I don't do windows anymore - I can get on with a lot more important things and my computers just work - don't have to defrag, virus update, or worse yet os update from microsoft. now if my dsl provider can just get more reliable life would be great.

Re:this is surprising?

[Errtu76]

Right. I can only assume you're using Linux now, and I apologize if i'm wrong. So you probably never have to: upgrade your kernel, upgrade applications or do an fsck. If this is the reason why you abandoned windows, it's a silly one. As far as i know, only consoles (Nintendo, PS1/2 & Co.) don't require updates. Everything else does.

Re:this is surprising?

[black+mariah]

Bullshit. I ran this computer right here sans virus protection, Ad-Aware, Spybot, Zone Alarm, or anything else even remotely resembling security software for the better part of a year and a half on the same connection as my parent's computers (router). They constantly get nailed with viruses and trojans and all manner of fun shit. I never did. User stupidity accounts for massive amounts of infections.

Re:this is surprising?

[bmj]

I guess that depends on what you mean by "have to". An out of the box Fedora Core 2 system will work and play just nicely with your email, office, internet, graphics, video, etc. An OOB Windows XP install will only last 20 minutes once connected to the internet.

Out of the box Fedora may work with everything, but at some point in time, security vulnerabilities will be found in some piece of open source software, and a patch will (quickly) be made available. An unpathed *nix machine can be just as dangerous as a Windoze box.

Re:this is surprising?

You're protected from worms by the router. The 20 minute figure is sans firewall or router. I've seen it with my own eyes ... take a brand new Windows XP computer with a fresh install, without security patches (you said "anything else even *remotely* resembling security software" - that "remotely" opens the door to considering patches), plug it into an unprotected connection with no firewall or NAT, and pretty soon you'll see an RDC error resulting in a reboot. If you patch the system completely before you plug in, you won't see this issue. It's not quite that bad with Linux - with this new ssh hack, if you've got an unpatched fresh install, you're toast in a day or two.

Re:this is surprising?

[essreenim]

and I apologize if i'm wrong.
That was the smartest thing you said. You don't need to upgrade your kernel. In favt many choose to use the older more stable kernels instead of the newer unstable ones - i.i 2.6.8.1
Hackers just dont pay the same attention to Linux, and when they do, they are not able to have the same penetration. Linux security is a public work in progress so exploits can be spotted long before they are with Windows. Windows is a good OS - good enough to warrant a small piece of the pie - not the huge amount it actually does. Windows offers: a good GUI, decent plug'n'play, a half-decent office suite, amongst a couple of other things. It deserves credit for that, but thats it. But its not free - like a bird.

I'm sorry, were you expecting better?

Fact: You cannot bolt on security to something after the fact-- it has to be designed in from the ground up, or it's worthless.

Exhibit A: Windows.

Bill can announce a new security initiative every day from now until Doomsday, and it won't mean a damn thing unless they scrap Windows completely and start over. Period.

Re:I'm sorry, were you expecting better?

[Serapth]

UM... have you taken a look at the size of SP2 yet? I used the MSDN install about a week back, and it was 400 megs in size. Thats as big or bigger then the initial install of XP.

They arent bolting it on to XP, they are essentially rolling out Windows XP version 2. Sofar I havent had too many issues with the service pack, which is amazing considering how much it does. Frankly, I dont think Linux could come close to releasing a patch of this magnitude with as little side effects. Microsoft should truly be applauded for their recent actions... although, granted this is slashdot... aint gonna happen.

Re:I'm sorry, were you expecting better?

[SilentChris]

This has nothing to do with the base security of Windows. The base nuts of NTFS and the security scheme has been solid ever since it was ripped from VMS. The problem IS the bolts that have been added since then: easily-foiled APIs that have full access to some of the underpinnings when they shouldn't.

Quite frankly, if MS never "innovated", it would be a fairly secure product. NT 3 was practically bulletproof. It's when they started grafting on Win32 junk from 9x, things started to get screwed up. Take off that top layer and everything would be kosher (but a lot less user-friendly)... just like Linux.

Re:I'm sorry, were you expecting better?

[AKAImBatman]

Personally, I would applaud more if their idea of security wasn't so damned screwy. For example, XP SP2 now modifies IE to reject redirects. i.e. If you have a redirect page to forward someone to your new website, IE will pop up an error message and tell you that it won't redirect. To make the redirect work, you have to add the site to your list of trusted sites. Apparently, there is no way to turn off this behavior.

If Microsoft would focus on *real* security like that found in FireFox, OS X, etc., they wouldn't have to put these stupid "security" enhancements in. On the bright side, Microsoft is making Macs veeerrrry attractive to end users.

Re:I'm sorry, were you expecting better?

[Serapth]

Actually, I hold to my origional comment... but I want to add one thing, which MANY people commented on, and thankfully, not you! ;)

First off... im not bashing linux, and im not saying Linux needs a 400 meg patch, because frankly it doesn't. Nor, am I saying that Linux is a worse or better operating system. Actually, now that I think about it more, although my wording was poor, what I meant to say is I dont think the Linux Community, could have pulled off a patch like this with as minimal impact as what Microsoft has done.

Not an attack... just an observation... here is my reasoning...

Microsoft has control over all aspects of the OS, one of the positives I suppose of closed source. They know for example that a change here in the kernal, will break feature x in the web browser. Additionally, one company controls basically all of the API's that 3rd party companies would have to use to write software.

Now, contrast that to the linux world, whereas you have on entity basically in control of the kernal development and direction. Then you have another group that controls Apache, another for GCC, another for X, another for KDE, etc, etc... You make massive changes in the kernal, and you are going to have a trickle out effect, that all other teams are going to have to deal with. Thing is, there is nobody there with a big stick that would force people to comply. Additionally, Linux is all about choice and freedom. But with that, perhaps my biggest beef with linux, and IMHO the thing holding linux back the most is the labrinth of dependancies between various libraries and subsystems. In a situation like this, where you need to make sweeping changes across the board, the team based, decentralized aspect... not to mention the multiple distributions, would make it all but impossible to do a rollout like this, with less impact then what MS has experienced.

Once again, to keep the fanboy zealots ( not you Hundalz ) quite... im not saying Linux sucks, or that open source sucks, or any of these things. And yes, im well aware that Linux does not need a patch like this, unlike windows... so please stop beating that poor dead horse.

What im saying is, that in this case, MS did good. For once they actually deserve some kudos. Also, this is one of those rarer examples, where a closed source single controller development system, is actually superior to open source. ( In regards to the ability to make sweeping changes with minimal impact, fairly quickly. ).

Re:I'm sorry, were you expecting better?

[SilkBD]

If Microsoft would focus on *real* security like that found in FireFox,

Ok, then use Firefox... you don't need to use IE. I don't.

Re:I'm sorry, were you expecting better?

[AKAImBatman]

The meta tag appeared to begin with, because HTML authors often don't have access to the web server. This is a very valid reason, and I can guarantee you that authors would just start writing "window.location = 'xyz.html'" to get around it. Thus Microsoft has saved us from nothing, and made everyone's lives more difficult.

Re:I'm sorry, were you expecting better?

[_Sprocket_]

Wasn't security for UNIX and UNIX-like systems an afterthought? The difference being that it has had decades of work to get where it is now, by companies and organizations that had to make it good, and not just a few years on a product that only has to be "good enough" for consumers.

Great point. I would suggest a few other things to consider.

One of the things I find interesting about Unix is its modular nature. For the most part, various components are fairly well insulated from each other. One is able to rip out or drop in pieces as one wants. This allows for major changes of the system's operation. This can be applied to anything from hardening the system to implementing new functionality. Security may have been an afterthought for Unix. But it's foundation allowed for it.

Keep in mind that "security" hadn't always been a buzzword for Unix. A very visible example is the Morris Worm. But exposure to the public via the Wild Internet caused the Unix community to start picking up all its dirty laundry. It learned lessons. And those lessons are often the basic tenants of Infosec.

One of my criticisms of Microsoft is that they ignore history. The Unix crowd has already run its gauntlet early on and made its findings and lessons learned widely available. Yet Microsoft continually repeats not only Unix's mistakes, but also their own.

Sure - a mature code base implies a greater degree of bug fixing, etc. But that solves implementation mistakes. It doesn't help fundamental design flaws. Those can be very difficult to deal with. Especially if your system isn't very modular.

One final point - how mature IS the relative codebases? How much of the original *nix code still exists vs. being entirely new? And how much of WinXP is pedigree WinNT from a previous decade?

Re:I'm sorry, were you expecting better?

[darkwhite]

Of the four methods you listed, only #3 does not require admin control over httpd and is automatic (which was kind of the point, DOH). I don't quite see how javascript is better than META REFRESH, especially since the latter is part of (D?)HTML while the former is an extension available in fewer browsers and turned off by some users.

Wait

[wwwojtek]

another good reason to wait a few more weeks before applying sp2

Pseudo Problem.

[vi+(editor)]

If a boxen is 0wned then we can savely assume that the 0wner/w0rm has root access. And with root access it can do anything anyway.
This is like complaining that one can shut down your computer by removing the power plug.

Close it anyway MSFT or stop the default Admins!

[garcia]

To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack - no WSC is necessary."

Sadly just about everyone runs shit as Administrator (it is the default mode for XP Home installs) to make life easier and as MSFT has noted they are opening themselves up to the attacks... For those that will mention that Linux is so much better remember that these are the same people that wouldn't like to have to change to root (sudo, su, login, whatever) to install anything and would be opening themselves up to the same vulnerability level as if they had been running Windows.

Basically the problem was in design... They should not have had an open API controlling the "WSC" and thus malware would not be able to detect the presence of the programs' status from a single location. The real problem is that MSFT isn't admitting that it is a serious problem and needs to be changed on a different level... Saying that malware writers are going to use the direct route and disable the firewall/AV outright, while true, doesn't get them off the hook for creating this hole that is more difficult even for a more advanced user to notice.

Oh my god!

[dave420]

You mean it's possible to edit configuration scripts from within the operating system? Oh no!

Seriously, this is just more scaremongering. The WMI system has to be accessed locally, and their examples of how this could be circumvented is pretty silly. ActiveX apps on a web page won't run unless you specifically tell them to. The only other ways are via a downloaded application. It boils down to "you have to do something on your computer that lets a malicious application run". How is that any different from any other operating system in the world? Even as a non-root linux user you can fuck up a system by running a malicious script... I don't get it.

Am I missing something?

Re:Oh my god!

[$rtbl_this]

Even as a non-root linux user you can fuck up a system by running a malicious script...

I'm intrigued. While I've only given it a few minutes' thought, I haven't managed to come up with a way that an unprivileged Linux user can hose an entire system (well, outside of their own data) with a malicious script. Could you let me know what I'm missing here? Thanks.

No real surprise

[Arclite]

Let's be honest. Did anyone really expect SP2 to not need a slew of new patches after release?

Personally, I'm just glad that it doesn't bomb randomly after install. Yet.

Need root?

[randyest]

No, most user's don't need to be root most of the time. Yet:

While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk, run in the default administrator mode.

How can we convince people not to run admin mode? It's easy at work, in UNIX land (most people don't get to know root pw.) But most Windows users I know don't even know the difference.

Every windows security problem I know of can be solved, or at least significanly mitigated, by users not running root.

Re:Need root?

[MobyDisk]

How can we convince people not to run admin mode?

Two steps are required:
1) Make apps that work without admin mode. Most stuff on the shelf today still doesn't. I have yet to see a game that does.
2) Make apps that need admin access prompt you for it. - *nix has done this for a long long time.

But neither of these things will happen until the mentality changes. The mentality won't change until the apps are there. I've tried to get user's to do it when possible, but then they go download some spyware app that makes a jiggly peanut dance across the screen (or some such nonsense), and it needs admin rights, so they would rather lose all security and pay me $100 later on to fix their system, than to stop downloading the pointless spyware.

Re:SP2 - as secure as any linux distro...

[Red+Alastor]

And all running the same distro. And all running Internet Explorer with crossover. ;-)

and you were expecting what???

[stonebeat.org]

Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be.

and you were expecting what???

Remember Windows Management Instrumentation requires administrator credentials. If you have admin priveledges on any box, you can do much harm, regardless of the Operating System

Re:and you were expecting what???

[black+mariah]

I have a script here that hoses your entire Linux system. All you have to do is run it as root.

rm -rf *

Please explain how this is different than any other program on any operating system being run as root.

Worse than no protection at all...

According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured.

A protection scheme that reports that it is secure while actually being totally insecure is worse than no protection at all. A lot of people will use ZoneAlarm or whatever and their own virus scanner, but if too many people believe their machines are secured, this SP may have the opposite of its intended effect: *more* unsecured PCs attached to the Net than before. MS should stick with their old policy of not introducing new features in service packs, just bundling bug fixes and security patches together.

Running as admin?

[W2k]

According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured.

Um .. you sure that's not supposed to be any program that's already running as admin on the box in question? Sorry, but if I was a malicious app running as admin, I would do much more interesting things than tamper with the security center. Not even Linux/OSX/*BSD are secure if you manage to get malicious code running with admin rights. The article got it right (it mentions that the attacking script/app/whatever must be running as admin) but whoever submitted this to Slashdot seems to have missed this tiny, unimportant detail.

The next thing to be said is usually: "But most home users run as admins." (The article also mentions this.) Well, that's not a Windows problem; that's a user problem. Even if Windows forced users to run in "limited mode" (which would cause an outcry in itself - "eek, Microsoft is trying to take away control over our own computers from us"), it also doesn't help that most third-party software for Windows requires admin rights either to install or *gasp* to run. Of course, this is ancient news to everyone with a clue .. nothing to see here, move along.

Of course, even when running as admin, protecting yourself against malicious code is fairly trivial; simply use a firewall (SP2 incidentally includes one), don't run binaries from untrusted sources, surf the web and check your email using something other than IE/Outlook, use a virus scanner/shield, and keep your apps and OS updated. Again, no news to anyone with a clue.

Re:Running as admin?

[Tom]

"But most home users run as admins." [...] Well, that's not a Windows problem; that's a user problem.

You are oversimplifying. Ask yourself why most home users run as admins. May it be because that's the default? Because XP doesn't even offer another setup option, but hides it well? Or maybe because tons of things simply don't work if you run as a normal user?

Driving reckless is a user fault, yes. But driving reckless when that's how the manual told you to do it and that's what the car was designed for makes it a bit more tricky to properly place the blame.

Re:Running as admin?

[W2k]

It's the default because the users want it that way (see previous posting). Windows users have been running as admin since it was just a glossy shell over DOS (hell, pre-NT, Windows didn't have a non-admin access mode as such). If Microsoft changed it now, there would be an outcry (see grandparent) and people would just figure out how to make themselves admins, and do so. It's a lose-lose situation for Microsoft - and again, the fact that many pieces of third-party software expect or demand admin access to run does not help matters.

In the end, no operating system is luser-proof. User education is the only viable solution, not built-in lockdown of the OS.

This sounds like a typical...

[bob670]

bullshit headline grab from PC Mag/Ziff Davis/Cnet that Slashdotters love to sieze on. If Windows is so damn insecure why haven't I had any issues professionally or personally in the last 10 years? Patch it when called for, keep your anti virus software up to date (come to think of it, I only scan incoming mail on my personal workstations), get a decent router with (an even marginal) built in firewall/NAT and don't click on every pop up you see at www.pussy-u-will-never-get.com and you are pretty much safe.

I love my Linux box but I expend far more effort keeping it locked down with constant updates than I do my Windows boxes.

I'll say it again, OSS will never suceed with end users as long as so many in this community take an "Anything But Microsoft" stance.

Re:This sounds like a typical...

[praxis]

I would also like to tell my story. I've been a Windows user since 1990, a Linux user since 1995, a SunOS/Solaris user since 1995, an Irix user since 1995, an OpenVMS user since 1997, and an AIX user since 1997. I don't run all of these concurrently anymore but I've administered each of them for quite some time. I keep abreast of security issues in each OS I'm running, even if it's only getting the latest patches. On Windows, I run an up-to-date virus scanner. I had to do a lot more work to secure Linux than I did to secure Windows XP. I have *never*, not *once* had a serious issue with any of my machines running any OS unless it was a hardware fault. By serious I mean anything beyond a virus caught by the scanner or an application crash due to a bug. I may, or may not, help that I don't run any software beyond the business apps I need, a few games, and some IM client. I don't download much software, beyond perhaps putty, Java run-time, and well, perhaps something else. I did, in college witness many people have problems with Windows, and they did not run AVS, used Kazaa liberally, and liked to install little apps that web pages offered. There is no technological solution today that trumps educating users. I'm rambling, so I'll stop.

Re:You would think..

[Anaphiel]

A poster further up the thread has it right: it's nearly impossible to make a software product, especially one as large and complex (and insecure) as XP, secure after the fact by patching it. Security is best designed into a product at every level from the very start.

What Microsoft is doing is analogous to me trying to turn my apartment into a bank:

Initially I just put up a sign that says "Bank" and leave the money lying on my sofa. Then when I get tired of people walking in and taking the money I lock my door. Then they kick in my door, so I get a thicker door. So now they climb in through a window, so I close and lock the windows. They break a window, I put up shutters. They cut through the floor, I lay down cement; ceiling, I add an alarm; they cut the electricity, I buy a generator. Maybe at some point I buy a safe, which works until they pick the safe up and roll it out of a hole cut into my wooden walls. This goes on for years, until eventually I get fed up and move out, and have a building built to purpose that's secure as a bank should be.

Where this analogy breaks down is at some point pretty early on customers would stop giving me their money until I got my act together, where they've shown no intention of doing the same to Microsoft.

Re:Leave it to microsoft

[shird]

Uhm... yeah. Easy to fake by a program already running as admin on your box. Why would such a program even bother?

The point of the security center is so you dont get that malicious code running on your system in the first place. If it does, your systrem is already compromised, and nothing can be trusted anyway.

No OS can protect against malicious code running as root/admin.

Re:SP2 - as secure as any linux distro...

[rokzy]

oh sorry I thought the fact that using a scrollbar could install and run a program without asking WAS A SECURITY ISSUE IN ITSELF regardless of what that program would then do.

oh and *ONLY* wipe a user's directory? what fucking planet do you live on?

M$ should make the Admin account anoying to use

[denis-The-menace]

The only way to make joe user NOT want to use an Administrator account is to make it anoying to use. IE: -Display a NAG window everytime the user launches an application. (Maybe only if the user spends more than 30 minutes in the account) Maybe even make it easy to do some admin tasks easily as a Limited user by prompting for the administrator pw when required like Linux distros do today.

Re:M$ should make the Admin account anoying to use

Yeah, I remember 'Safe Mode' on Win9X being terribly painful. Maybe something along those lines?

Re:Please help a Linux Newbie

Hey Do you know any of these people? They sound like they have the same (or very similar) problem
One,
Two,
Three,
Four,
Five,
Six,

Re:SP2 - as secure as any linux distro...

The historic problem with all variants of 'nix is that the (sensible, smart, aware) user who does operate a computer without elevated priveledges is very much in the minority... most home 'nix users just run as root (must be the type who like rebuilding their systems every week!) - hence all this great 'nix security is just a puff of wind... they blow it out the door every time they log on.

Yet for the (smart, aware etc.) minority who do care about system securities... an inherent drawback of 'nix (with the exception of Hurd) is that programs cannot elevate themselves to su and drop access rights again whilst running - software often needs elevated rights for any of a million reasons... yet instead we have to run the whole program with su rights (dangerous, silly, insecure).

The workaround has always been to use scripts because a script can elevate itself to su rights... hence the propensity for 'nix users to promote scripts and the command line (and you thought the 'nix community don't like GUI's because it is a "Microsoft or Mac type thing")... the reason GUI's are avoided in 'nix is because you really can't do anything with them (a GUI app cannot elevate itself to su while running) - it's not because we just like the look of plain old text characters

Re:SP2 - as secure as any linux distro...

[SilentChris]

"install and run a program without asking WAS A SECURITY ISSUE IN ITSELF regardless of what that program would then do"

Uh, it doesn't install a program. It drops a file in a directory. Granted, this directory is sort of important (Startup) but it's only for the user, not the system. Even if it tries to access important files, like I mentioned, it'll be denied on a correctly-configured box.

Also, the act of scrolling doesn't run the program, but restarting does. Small point, but kind of shows you know nothing about it.

"oh and *ONLY* wipe a user's directory? what fucking planet do you live on?"

The same planet where UNIX has had the exactly same scheme for 20+ years, Windows for 10 or so and Mac OS X for 5. As far as I know, short of a dumb terminal, there's no system in the world that can prevent users from doing dumb things to their files. It's the ones that screw up the system that need to be prevented.

Cowards at PC Mag

[Sloppy]

This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.

Holy crap, you're already executing hostile code, and you're worried that MS has added yet another library that it can call? You fucking idiot! It can already write to your disk's partition table, what more are you worried about? A psychotic killer is holding a loaded gun to your head, and you're worrying about the second-hand-smoke cancer-risk from his cigarette. ;-)

People, get a clue: a "malicious site" can't do anything to your computer, unless your box has already been compromised.

PC Mag, here's an idea: tell the users what the real problem is. You damn well know what it is. But you're afraid, because they spend a shitload of money on ads.

Re:SP2 - as secure as any linux distro...

[dotcher]

You're right, I wasn't as clear as I should have been - "users running with more privileges than they need" is indeed what I meant.

I'll grant that some of the Windows defaults are appauling, security-wise, and creating users as Administrators is part of that. Microsoft are making an effort to advertise features like Run As, though - there's a topic in XP help explaining why running as an Administrator is a bad idea, for instance.

(That said, I've no idea how many people actually read it, of course).

The point I'm trying to make is that any system with uneducated administrators is going to have security problems, sooner or later. Most Unix users tend to do their research and understand why running as root is a problem, as do the application developers. If your applications will run fine as a normal user, then people will run as a normal user.

That doesn't apply as strongly in the Windows world - people are much less likely to do any security research, and application developers do have a tendency to make it harder for people to run as a user. That's beginning to change, though - the current guidelines for the "Designed for Windows" logo on software include a requirement that software runs correctly as a non-administrator.

Hopefully, the next release (be it a SP3 or Longhorn, should it ever be released) will concentrate on the user education side of things, and make it easier to do the right thing with regards to least privilege.

Why so sloppy?

[Futurepower(R)]

Maybe you've seen the old motto. MS: "The whole world is our beta test site."

Why is MS software so insecure, and just plain sloppy? Maybe their management model just does not allow a programmer to finish his work. Later some poor guy is assigned to fix a terrible bug that is getting publicity, but it is difficult, boring work trying to understand what someone else did, and he makes mistakes.

I'm gonna have to call BS

[Sycraft-fu]

Either that, or you are doing something wrong. Here at work we have, oh about 500 Windows machines and maybe 200 Solaris machines and some Linux machines too. Of the Windows machines, I'd say 200 or so are already on SP2. They don't crash on bootup and SMB traffic is ALWAYS flying over our building (it's a single large subnet too).

As for AVG, well, you screwed something up. It detects fine on every system I've put it on. As for Norton, it is a documented Norton problem, and they (Norton) are working on it.

As for security centre, yes, this is by design. They know users ignore the update installation requests, so they want it automatic. Just tell it to quit bothering you, and it will.

What I find really funny is that this user, who appears quite clueless, is modded informative when all the replies are not. Look folks, anti-MS != informative.

Dumb, slightly OT question/proposition

[chadjg]

What would happen if Microsoft limited the administrator account to 16 colors and maybe a low resolution. Would people learn quickly to use a user account to play games? Would administrators still be able to get their work done with said limitations?

This is just one of those off-the-top-of-the-head-and-not-thought-out type ideas, but i'm curious.

Its not that bad

[gad_zuki!]

IE is actually usable for the first time since, err, ever. The extra nag dialogs and the pop-up blocker go a long way towards keeping spyware off your machine. Lets face facts, most people will never stop using IE. They will go to their deathbeds using bundled software. They will never switch to Firefox or Opera. This is the service pack for them.

The nag "Where if your anti-virus" box is a reminder that windows needs an AV program to run properly. I can't stress how important a built-in firewall is, even if it is "weak" its still going to introduce people to the concept of a firewall much more than the old version did. Personally, I dont think ports over 1025 should be blocked by default, but that's just me.

I've been running SP2 since MS released the final version and am pretty pleased with it. XP even feels snappier. It passes the "grandma" test fairly well and like you wrote is a good first step towards securing windows. If it only helps fight spyware installs its worth its bytes in grams of gold. Especially for us techies who get called, bothered, etc for stuff that is completely preventable.

This is really the first step to securing windows for the everyman, if such a thing is truly possible. Soon enough current machines will be replaced with machines with processors which understand NX, thus making the feared buffer overflow much less fearsome.

Even though SP2 is going to cause all sorts of headaches with clients, friends, and family, I'm very optimistic about what it can do to help stop spyware and to a lesser extent worms and viruses. Its a real shame there isn't an equivalant SP for the HUGE win2k user base out there. Seems like the script kiddies will now be focusing on win2k machines from now on.