Slashdot Mirror
Last Words On Service Pack 2
thejoelpatrol writes "So did Slashdotters call this one? Windows XP SP2 seems not to be so secure after all. A Register reporter goes in depth to find out just how safe a fresh install is. He provides a list of which dangerous ports are left open and which services are left on by default. I guess now we know why Microsoft's security timetable is 10 years." Reader ack154 writes "ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the mean time there has been a fix posted on Dell's forums, which rolls back the processor driver." Finally, Marxist Hacker 42 writes "Amid complaints of too much XP Service Pack 2 coverage on ZD Net, David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative." Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
...deserve some extra 'X's.
Somehow, I doubt that these are the last words we'll see on the subject....
I don't get them moaning that there is too much scrutiny being given to this. It is going to affect 90% + of all the computers in the world.
Well, just wait 'til Longhorn. It will be way better...in like 12 years, or maybe 14...
FoundNews.com - get paid to blog.,
ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the mean time there has been a fix posted on Dell's forums, which rolls back the processor driver."
Aren't 99% of drivers 3rd party software? The only thing MS does is bundle them together, but I believe that AMD or Intel et al are the ones who actually WRITE the device drivers. And if the performance of a new driver sucks, I'd chock that up to being a shitty driver, versus a shitty Service Pack...
This is why I didn't bother. My XP Pro with SP1 is protected with a firewall, updated virus scanner and Spybot S&D's innoculator. Running Firefox and Thunderbird and anti-spam software doesn't hurt as well.
I might add that the free/OSS I have protecting my machine weighs in considerably less in terms of combined file size then does SP2.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
I don't get why Microsoft insists on leaving so many services enabled by default. So many of them the average home user will not need, and like the reporter from The Reg said, if a sys admin needs those services, it will be trivial for him to enable them.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
I haven't had ANY decrease in performance. I have had a lot more stability with wireless networking now though.
If for some reason you DID load SP2 on a spyware infested computer and it is no longer booting just boot with the "Last known good configuration" option in the F8 boot menu. Uninstall SP2 (you may have to use XP system restore before doing this), remove spyware, reinstall SP2.
Yes, perhaps there are things that could have been done better in SP2, but the simple act of filtering inbound connections is a massive step forward in security for Windows users.
I say it's a "massive step forward" because there are literally MILLIONS of windows machines which are never updated, don't run any firewall software, and which are directly connected to broadband ISPs. The people running these boxes truthfully don't know what they're doing in these matters.
Right now, those poeple have NOTHING. Now at least they will have something, albeit limited. This is a major improvement. Even the old XP internet connection firewall, if it had only been enabled by default, would have prevented Blaster from ever happening.
Of course there are some questionable exceptions in the new firewall default configuration, and no doubt the next generation of worms will take advantage of those - but at least the bar has been raised a little higher.
"Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea."
One word. DUH. If you even install sP1 on a spyware infested computer it can render it unbootable. I've run into atleast 10 machines this week that have had this same problem. I work at a university which is forcing students to install service pack 1. there are a lot of machines that can't even take the service pack because of the spyware the installs just hang or destroy the install on the computer. I feel bad for the students because they have to either format or pay to get thier comptuer fixed. It not thier fault or the universities fault. who would have thought forcing college students to update thier microsoft patches would be a bad idea.
Every currently known security flaw would be a good start. Eh?
FoundNews.com - get paid to blog.,
RTFA. The main gripe is that it doesn't follow braindead simple best security practices (e.g., not leaving services listening on the public net) , not that it doesn't fix all the holes.
Many of microsofts security problems could be fixed by just following best practices, and the built in firewall doesn't do shit.
Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
So basically, you don't want to install it on any computer running a Microsoft operating system that has been using a Microsoft browser or a Microsoft e-mail client.
Huh..I think I'm starting to see a pattern.
"DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default."
Now, I'm no fan of Microsoft (Windows free for over 5 years now), but this is insane. Evey home user I have ever helped needs a DHCP client so that their computer can get an IP off the university LAN or off their brand-spankin'-new broadband router. To disable the DHCP client means to turn off the interweb for the majority of users. Greene went a little over the top it seems.
MS really is in a bind here.
If they were to close off all those ports, they would risk all the clueless sysadmins screaming on MS forums that SP2 breaks everything, even basic windows sharing facilities.
I think the main point here is that MS has tried to appeal to people by saying that it's easy to be a sysadmin, that anyone can set up a network and run it. Real sysadmins all over the place freaked out, with good reason. They were accused of being set in their ways, etc, etc.
Now all those things that the skillful have said would happen, have happened. Rampant security problems, etc.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
The writer of the article is full of it and obviously knows nothing about Windows.
He claims that WebClient, DCOM, TCP/IP NetBIOS Helper, Secondary Logon, Remote Desktop Help Session Manager, Remote Access Connection Manager, DNS Client are all on or set to manual and should be disabled. Thanks, but I'd like to be able to use WebDAV, COM/DCOM, share files with a roommate/family member, use remote desktop from work, VPN into work in the first place, and resolve DNS hostnames thanks.
I might also add that he rails on Microsoft not taking advantage of multiuser capability properly then recommends that Secondary Logon be disabled for home users! Without it, Windows can't popup when you try to install a program or run Control Panel and ask for an admin password to proceed... which makes using a non-admin account a pain in the ass.
He also whines about these network drivers being installed:
Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler
But perhaps he assumes everyone has one and only one PC in their home and has no wish to share files between them (yeah right). Oh, and you'd like to take advantage of QoS for VOIP or bandwidth throttling? Forget it if the driver isn't available.
With "genius" insights like these I certainly wouldn't trust this yahoo to install a toaster oven, let alone an operating system.
Natural != (nontoxic || beneficial)
Ports 135-139 are turned off by default on NON-DOMAIN installs for XP2 at the firewall.
Ports 135-139 are enabled by defailt when joining a domain.
Windows Firewall is managable by DOMAIN POLICY.
Complaining that they're enabled by default is moronic.
This is normal. This is another in a long line of articles that does little more than say:
...get this... ...MANUAL. Manual is another word for "not on unless I need it," which is a nice long way of saying "OFF" -- you damned chowderheads.
L0LZ@Micro$0ft!111!!11oneeleven1!! because your firewall choices and services defaults aren't what I would have picked.
There's still service bloat in XP. There's little doubt about that, but suggesting that you turn off DHCP when 51% of us use broadband? I mean, DHCP only has an effect for people that actually, you know - HAVE A FRICKIN NETWORK CABLE PLUGGED INTO THEM! Can we make an assumption that a pretty fair percentage of people who have network cables plugged into their computer use DHCP? Good lord almighty.
Also, he complains because the service type on most services is set to...
Sure, XPSP2 isn't perfect, but articles like this, these "If I had made it, I'd have made it stupid!" articles - they're just drivel.
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAffee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
-Lucas
My inspiron is acting fine too. A little snappier too.
>So did Slashdotters call this one?
No. They really didn't. Of course SP2 was going to cause *some* problems, but poo-pooing everything MS in a knee-jerk fashion doesn't help anyone and probably is keeping people from installing it, which is a real shame because:
1. Firewall on by default. Power users can easily shut it off. How many Slashdot posts do we have that wish MS did this, but when they do suddenly MS is doing wrong. Yes an admin can shut it off even with an activeX control. Such is the life of running as admin.
2. Nag screens for anti-virus and updates. Much needed.
3. Better wireless interface. The old one wasn't so hot and this is a welcome upgrade.
4. "Drive by installs" are not going to be as common as IE requires an extra step to install/download stuff and blocks pop-ups natively and by default. Man, how many slashdoot posts did we have about "MS should do something about pop-ups and click installs!" Well, they did. Sure, they didnt remove activeX altogether, but no one was expecting that.
5. NX support for AMD 64. Wow.
> Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
No shit. Installing ANYTHING on a spyware infested PC will cause all sorts of problems. Fighting spyware is what SP2 is trying to do. Give it time or at least introduce your friends and co-workers to a little thing called Ad Aware, especially if they'll never switch to FireFox. Face it, many people will never switch and will go to their deathbeds using bundled software.
>So did Slashdotters call this one?
Granted, if you take the negative approach to life 24/7 you will be right every so often or at least subjectively, but I feel these are much needed changes and will help technophobes better use their machines. MS can do things right. Yeah, break out the smelling salts...
Thanks Bill.
As an OEM that sells systems bundled with XP, Dell, I believe, is obligated to support systems whose users apply service packs to the OEM-installed OS. There was some flak about this some time ago when some OEMs simply referred their customers to Microsoft, and I believe that they were reminded that they picked up this obligation as one consequence of their OEM arrangement. This support site page gives the particulars for Dell. In my experience, Dell acts like any other Windows sysadm: they wait until their own internal testing is done before they add it to the list of supported service packs, so that they can simultaneously publish a list of any issues (such as required driver updates). Until then, you take your chances (which have been minimal for me, though I tend to stay in the Latitude line, even for home systems) and rely on the forums. My reading is that Dell isn't done with its testing, and the particular spokesperson is only half right: not supported until their testing is complete and it appears on the above page.
Thanks Linus.
The service is not enabled... it is in a state where applications that rely on it can start it if its necessary, but that would be performed by the user. Have it not enabled is not a security risk....
I love this service. I love that it is not enabled by default, but must (as above) be initiated by the user. Again, there is nothing wrong having this service in a state where the user can enable it without confusion...
This service is what allows fast-user-switching (multiple console logons w/out logging out). It is an integral part of the XP ui and absolutely should be enabled.
Newsflash -- Windows is not *nix, its user base is not a *nix user base, etc... Excuse the cliche, but "Mom" is not going to login as a "user" then launch setup apps in root/admin context -- this is just not something that "mom" can wrap her head around.
I'm calling bullshit on this one. Pick -- the end user should be smart enough to work in the user context until he/she needs admin access, then they should go use it for that specific context, etc... but they shouldn't know if they trust a site or not? And by default there is nothing in the "trusted" sites list, so the user is going to be prompted for each download attempt. If they don't like the "zones" idea that's fine, but complaining about the implementaion is different from that implementation being unsafe.
More of the same. We get it, you don't like the "zones" thing. There is no difference between what the review wants and what IE already does in this case. There are no trusted sites by default and the user is going to have to go out of his/her way to get some there. If you like reading some activex riddled crap page you should be able to view the site without being bothered every 2 seconds. You have that right.
As a matter of fact, can you imagine the user experience if these setting
...except that in this case, the problem was a broken driver for CPU power-saving which, literally, reduced the CPU's clock speed from 2.6ghz to 300mhz. So in this particular case, it's a valid measurement.
I for one think XP service pack 2 is a good thing. Now really, why is the security issues in service pack 2 so blown up, all earlier service packs has had security issues too?? Service pack 2 is about to make serious changes to the web, simply becaus popup's are blocked. Even Joe Average will have a popup blocker in 6 months time. It makes me wonder if there could be some anti-popup-blocker people spreading a whole lot of FUD about this package? The days of popups might have come to an end, and some people might not like that.