Windows XP Service Pack 2

Windows XP users inhabit dangerous waters, beset by all manner of Internet-borne malicious code. Unfortunately, Microsoft's remedies have, until now, been restricted to a series of security patches that repelled only a few attacks at a time. Last Friday saw the arrival of Microsoft's long-delayed Service Pack 2 (SP2), which will help all of us keep our heads above water. SP2 tightens your PC's security with a new Windows Firewall, an improved Automatic Updates feature, and a pop-up ad blocker for Internet Explorer. Plus, the newly minted Security Center gives you one easy-to-use interface for keeping tabs on your PC's security programs. We suggest you pause before jumping ship, however. We downloaded and installed SP2 and weren't surprised to find a handful of conflicts with existing programs and wireless network settings on some of our test machines. Wait until SP2 is made available to your PC via Microsoft's Automatic Updates service, expected later this month for most users. By then, Microsoft should have had enough time to work out the kinks.

Setup & interface
In order to get our hands on Windows XP Service Pack 2's final code, we downloaded the whopping 266MB network installation package for all of our test machines as soon as it was available at Microsoft's Download Center. We suggest you exercise a bit more patience. After installing SP2, we encountered problems with our wireless network, which we suspect were related to an existing driver that the new version of Windows didn't like (Microsoft says that some driver conflicts are to be expected). Previously stable systems developed a tendency to disconnect and jump onto other available wireless local-area networks (WLANs), and one of our test systems kept losing its connection to a secure WLAN completely. Only rebooting would reconnect it. Microsoft expects to add SP2 to its online Windows Update service later this month. Download sizes will vary because your system will download only the components of the service pack it needs. If you've diligently updated XP, Microsoft estimates the download will be between 80MB and 100MB. That number could balloon to 270MB for less up-to-date systems, however. Dial-up users not looking forward to such a large undertaking should note that Microsoft will ship -- free of charge -- SP2 on CD-ROM, but delivery could take up to two months. Boxed retail versions of Windows XP with SP2 will be available by the end of October. If you've been waiting for a reason to upgrade to XP from an older version of Windows, this is as good a reason as any (Longhorn is still years away). Corporate IT managers will want to deploy with limited trials to check for compatibility with their current configurations.

Sign on for updates
If you've disabled Automatic Updates in your copy of Windows XP, we suggest you turn it on now. Once you install SP2, it too will urge you to turn on Automatic Updates. You can set Automatic Updates to do its magic at a given time each day -- a good idea, given what CNET (ZDNet's parent company) security expert Robert Vamosi calls the Eschelbeck Theory. Within the first month of any security flaw going public, a rain of worms and Trojan horses flood the Internet to take advantage of that flaw. The faster you fix the flaw, the safer you'll be -- and the safer we'll all be since the worms won't spread. Occasionally, a Microsoft fix may cause some problems with a particularly delicate Windows configuration. If you're worried that this will happen, you can set Automatic Updates to download but wait for your word before installing or simply alert you that there are updates available for download. Or, should you go it alone, you can just turn it off -- but we reserve the right to say, 'We told you so'.

Security Center
Microsoft bundles most of SP2's security enhancements into a single interface called the Security Center, which hides in the All Programs menu, under Accessories \ System Tools. In addition to providing a single interface for monitoring your system's firewall, (either Microsoft's or a third party's), Automatic Updates, and your third-party antivirus program, it tracks certain antivirus programs to make sure they and their virus signature databases are up-to-date. If you're using eTrust EZ Antivirus, F-Secure, McAfee Security, Panda, Symantec/Norton or Trend Micro, SP2 hooks into your software and alerts you when updates are available. If you use more obscure software, such as Frisk's F-Prot, you can click an 'I'll take care of it myself' box to avoid constant warnings that your system is not secure.

Features
Most of the new features found in Windows XP SP2 are related to making your PC more secure. Among its many enhancements, you'll find a new firewall, a pop-up ad blocker for Internet Explorer, added protection against attachments, and -- in some systems but far from all -- technology that helps keep malicious code from attacking via system memory. Microsoft built a software firewall called Internet Connection Firewall (ICF) into the first release of Windows XP, but it was turned off by default. For protection, you either had to hunt through system settings to turn it on, or more likely, you installed ZoneAlarm or another third-party firewall program. The extremely security-conscious use a hardware firewall router between their PC and Internet connection. SP2 ushers ICF out the door and replaces it with Windows Firewall, a more comprehensive and aggressive firewall. The first change you'll notice from the new software is that as soon as you install SP2, the firewall is turned on by default. Since no single firewall in entirely foolproof, we ran Windows Firewall alongside an existing installation of ZoneAlarm Pro. In our tests, the two coexisted fairly well: ZoneAlarm flagged every attempt by a new or updated software component to access the Internet, so we did get several warnings after upgrading to SP2. This problem quickly went away, however; we needed only to grant access for a program once to avoid future warnings for it. In some experiments with earlier versions of SP2, we found that the new Windows Firewall blocked programs with legitimate reasons to access our test PCs, such as ActiveSync connections with Pocket PCs. We didn't face this issue with the final version of SP2, however. Should you encounter such problems with your existing applications, you can easily make exceptions to allow your programs to skirt the new Windows Firewall. Using the new Firewall control panel, which you launch from Control Panel or by right-clicking any Internet connection, you can pick whatever networking or Internet connections you use (dial-up, broadband, or sundry networking connections) and set up exceptions and rules on a case-by-case basis. Windows Firewall is still rudimentary compared with firewalls in, say, the security suites from McAfee, Symantec or Zone Labs. Windows Firewall doesn't pop up a yes/no dialogue box for you to allow or block programs you've installed that access the Internet (a somewhat fussy feature that's popular with many ZoneAlarm fans). But in our tests, it did all the things a firewall should do, including protect a computer during bootup and shutdown. A quick trial run at the security site ShieldsUp showed our test systems were adequately cloaked from port-probing scripts. We strongly recommend keeping Windows Firewall turned on, even if you are running another software firewall. And if you aren't currently using a firewall, then there's absolutely no reason why you wouldn't want to run Windows Firewall. (For an alternative view of Windows Firewall, see here.)

Pop-up ads, begone
The bane of most Net surfers is the constant stream of pop-up ads. Wander into the wrong Web neighbourhood, and you not only get assaulted with unwanted advertising, you can also be infected by opportunistic code that changes your home page or worse. With SP2, Microsoft Internet Explorer gets a much-needed pop-up ad blocker. Like the new Windows Firewall, it's turned on by default. In our tests with medium-strength settings, IE's new pop-up blocker kept most offenders at bay, including JavaScript-spawned pop-ups such as those found at Tripod and Newsweek. In one or two cases, the pop-up blocker prevented a few windows from appearing that we wanted. At Download.com, for example, it suppressed our download window, and it also disabled one of Trillian's best features: an indicator that new Yahoo mail has arrived -- SP2 deemed the ActiveX code that signs you into the Yahoo Mail site insecure. Fortunately, the newly updated IE displays a grey bar beneath the address bar explaining what action its pop-up blocker has taken. To let pages through selectively, you just click this bar and select the Allow option. You can also add sites to an exceptions list by clicking a new Tools menu option and entering the URLs you want to allow through. Or if you prefer to use a third-party program, you can turn IE's new pop-up ad blocker off altogether.

Email and IM protection
But SP2 blocks more than just pop-ups. The new update adds a feature to Outlook Express that's available in the Microsoft Office 2003 version of Outlook: It can prevent HTML-formatted messages from displaying images and executing code. The HTML code within Bagle.aq, for example, will automatically execute the download of a Trojan horse on some vulnerable PCs without a user's intervention. This setting is reversible; you can display images on a case-by-case basis. Another SP2 security feature cautions you against opening email and IM attachments. Whether you're opening or saving an attachment from your email or IM client, you'll be given a warning to make sure you trust the source. This is the software equivalent of being asked at the airport, 'Did you pack your bags yourself and have they left your sight since you packed them?' Yes, it's a good message to reinforce, but no, it's not a real security measure.

Don't forget about system memory
To combat viruses and worms that take advantage of buffer overruns in your system's memory (Sasser, for example), SP2 includes its so-called Data Execution Prevention (DEP) feature, sometimes referred to as No Execute (NX), which prevents portions of your system's memory from running this rogue code. Only a small percentage of PCs, however, support this feature so far. No current Intel Pentium 4-based PCs can take advantage of DEP, and Intel won't release chips with DEP support until the end of the year at the earliest. The only desktop CPUs that support DEP are AMD's Athlon 64 and Sempron chips. Regardless of the type of system you own now, it's a good idea to install SP2. If you are considering purchasing a new PC soon and are really worried about buffer-overrun attacks, however, we suggest that you choose a PC with a new AMD processor or postpone your purchase if you want an Intel-based system. SP2 also throws in a welter of retooled features, including DirectX 9.0b multimedia API for better graphics and sound, and a setup routine for SmartKeys. The service pack includes Windows Media Player 9.0, also with improved security features. And two special versions of Windows XP get a complete OS overhaul with SP2. Tablet PCs receive Windows XP Tablet PC Edition 2005, which improves handwriting recognition among other tablet-specific enhancements. And first-generation Media Center PCs will be upgraded to Windows XP Media Center Edition 2004, an updated version of the specialised OS for machines that also serve as media hubs. Finally, XP's wireless capabilities are improved. There's a new user-friendly interface for wireless LAN (Wi-Fi) setup. But there are still too many configuration pages underneath the fancy new interface, and they are mostly unchanged from the previous version of XP. More substantive is XP's new native Bluetooth support. We plugged a Linksys Bluetooth adapter into our test system. Using XP's new built-in user interface and native Bluetooth hardware drivers, we were able to easily connect with a Bluetooth phone to transfer images and use it as a modem.

Service & support
Technical support for Windows XP SP2 covers the usual bases: you can email questions to Microsoft or find answers to some questions on an online FAQ page. Phone support is available (at National Rate, typically 8p a minute) between 8am and 6pm Monday to Friday.