Windows XP SP2 more secure? Not so fast


It's late. It's large. But Microsoft's much heralded Windows XP Service Pack 2 has finally arrived. Right now, manufacturers and large-systems operators are getting their first look at the final version of SP2. By the end of August, automatic desktop downloads will be available via Windows Update, then on free CDs.

At first glance, the release suggests that Microsoft has finally become serious about upgrading Windows' security. But before you get too excited, let me take a moment to slice through some of the hype coming out of Redmond, Washington. When it comes to eliminating Internet threats, there's still a lot of work yet to be done -- both by Microsoft and by you and me.

Windows XP -- the second edition
Windows XP SP2's biggest news is the new Windows Security Center -- and it's about time. Now, from one location within Windows, complete with system-tray alert notifications, you can monitor whether your antivirus and firewall protection are enabled and whether Windows is up-to-date with the latest patches. Windows XP SP2 also improves its built-in firewall (now called Windows Firewall) and turns it on by default, blocks pop-ups and malicious code within Internet Explorer, and turns off HTML images (such as spam pornography) within Outlook Express.

Some XP SP2 changes are harder to see. Microsoft used this release to harden its operating system; in other words, Microsoft recompiled all its Windows system binaries with a new compiler flag, /GS, which mitigates buffer overflows, a common method used by criminal hackers (crackers) to overwrite legitimate code with malicious code on your PC. A buffer overflow is the method the Sasser worm used to infect PCs. Windows XP SP2 also makes important changes to core Windows components, such as DCOM and RPC (flaws within DCOM RPC led to the damaging MSBlast attack last year). And SP2 will also bring every Windows XP system up to date, whether or not you've ever performed a Windows update post-install. Once you've installed SP2, you'll have SP1's updates plus all the security patches released up through MS04-025.

No more buffer overruns? Read the fine print
Are we all clear now, then? No need to worry about malicious attacks that take advantage of Windows weaknesses? Not so fast. To fully block the aforementioned buffer overflows and the Internet worms that feed on them, you'll need to read the fine print: it turns out the necessary No Execute (NX) support isn't present in the current hardware architecture of most 64-bit and 32-bit processors on the market today. This Data Execution Prevention, or DEP, is currently available only on newer AMD chips and a handful of Intel's Itanium server chips. In other words, the new Windows DEP changes won't help you unless you're running XP SP2 on a machine with an AMD or Intel Itanium processor. My colleague, David Berlind, has suggested that large companies looking to upgrade their hardware fleet should wait until after the first of the year, after Intel has released its chips.

For you and me, it's going to take even longer before this final layer of Microsoft data protection trickles down. Not everyone will upgrade their PCs just because these new chips won't execute malicious code, and unless you're particularly anxious about buffer overruns, the new security probably isn't a compelling enough reason to hold off purchasing a new desktop PC. In fact, you and I are likely to see good prices on the old chipsets as soon as the new DEP/NX chips hit the market early next year.
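As an added check that is not part of the original article, here is a PowerShell query against the Win32_OperatingSystem DEP properties that SP2 introduced; it assumes Windows XP SP2 or later with PowerShell installed, and reports whether the hardware NX support the article describes is actually present on the machine and which DEP policy is in force.

```powershell
# Added example (not from the ZDNet article): does this PC actually have the
# hardware NX/DEP support that the SP2 "fine print" depends on?
# Assumes XP SP2 or later with PowerShell; the four DataExecutionPrevention_*
# properties below are the ones Microsoft added to Win32_OperatingSystem in SP2.

$os  = Get-WmiObject -Class Win32_OperatingSystem
$cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1

# Documented meanings of DataExecutionPrevention_SupportPolicy.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for every process)'
    1 = 'AlwaysOn  (DEP enforced for every process)'
    2 = 'OptIn     (XP SP2 default: Windows system binaries only)'
    3 = 'OptOut    (every process except an exclusion list)'
}

"Processor:              $($cpu.Name)"
"Hardware DEP available: $($os.DataExecutionPrevention_Available)"
"DEP policy:             $($policyNames[[int]$os.DataExecutionPrevention_SupportPolicy])"
"DEP for 32-bit apps:    $($os.DataExecutionPrevention_32BitApplications)"
"DEP for drivers:        $($os.DataExecutionPrevention_Drivers)"

if (-not $os.DataExecutionPrevention_Available) {
    # This is the article's caveat in practice: without an NX-capable CPU,
    # SP2 falls back to software DEP, which only validates exception handlers
    # (SafeSEH) and cannot mark stack or heap pages non-executable.
    Write-Warning 'No hardware NX support: only software DEP is in effect on this machine.'
}
```

Run it in an elevated prompt so the WMI query is not restricted; a policy of OptIn with hardware DEP available is what a stock SP2 install on a supported CPU should report.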

And, of course, pre-XP Windows operating systems still have a sizable share of the PC market and have numerous vulnerabilities that SP2 won't fix -- all targets for virus writers and script kiddies. It's going to take years for all the new hardware and software changes introduced to Windows XP to trickle down to the masses worldwide. In the meantime, I expect to see about the same level of virus-writing activity, if not more, as virus writers attempt to snag XP customers before they upgrade.

No more Internet worms? Read the fine print
And remember what I said above about the XP firewall? That it's new and improved? Well, I need to qualify that statement. Despite the firewall's improvements, it's not invincible. A month ago, I asked Fred Felmen, vice president of marketing for Zone Labs, what impact Windows XP SP2 might have on third-party firewalls such as Zone Labs' ZoneAlarm. He said the Microsoft firewall protects only against inbound threats, not outbound threats, such as keystroke-logging Trojans that report your passwords and credit card info to others. Also, the lack of outbound protection means your infected PC could still participate in distributed denial-of-service attacks. In short, I recommend keeping your third-party firewall enabled alongside Microsoft's. Two firewalls are better than one.

Finally, since we're talking about Microsoft software here, it's entirely possible that virus writers will soon write code that turns off the Windows Security Center, or at least leads it to falsify its status reports (saying, for instance, that a security measure is enabled when it's really not). So don't just rely on the Security Center's status messages. Periodically check your antivirus and firewall programs independently.

Some known issues with SP2
I'm not just paranoid. Numerous sources are now reporting that the Windows Security Center is misrepresenting Norton AntiVirus's status -- even after the antivirus program is enabled and freshly updated. Symantec is aware of the problem and says it will release a LiveUpdate shortly that should enable the program to communicate better with the Windows Security Center. Other than that, the SANS Institute has set up a forum to report real-world problems with Windows XP SP2. Luckily, so far, the issues reported involve slower boot times and sluggish Internet Explorer performance.

Microsoft has made significant progress towards remedying its past problems, but the company still falls far short of putting itself on the leading edge in PC security. Install Windows XP SP2 when you get the opportunity, but don't expect this one update to solve all your Internet security issues. To be safe, keep and maintain third-party antivirus and firewall programs.

Talkback

Two firewalls are better than one? That's a strange statement, offered with no supporting explanation. One firewall between the internet and your network, and another on each PC, has advantages, including defending against threats originating inside your network. But two on one PC would just seem to add complexity of configuration and understanding. One firewall on a PC is all you should activate. Microsoft's updated firewall is good, but if you are concerned about policing outgoing data, turn it off and use a third-party product. There is no sense in using both on the same PC.

via Facebook 17 August, 2004 14:59

Let everyone use two firewalls!!!??
All of us in independent IT support will then be earning much more money. To begin with, the average user will find troubleshooting impossible with two firewalls; after all, the traditional route begins with:
First turn off your firewall. Have you got internet access now? Can you ping....?

Poor advice to suggest people use two firewalls, even one can interfere with Windows, Symantec antivirus, etc.
I take this to have been a slip of the tongue.

via Facebook 17 August, 2004 16:00

Two firewalls are not better than one. It adds unnecessary complexity. That's like saying two word processors are better than one. It's far better to use one tool if you can rather than patch together other tools just to re-create the functionality of one.

via Facebook 17 August, 2004 18:54

So let me get this straight - in order to have more comprehensive protection (DEP) I will have to upgrade my hardware as well as my software?

So I spend the best part of 2 grand on a computer that was supposed to be great, then find out it's full of security holes that Microsoft promises to patch with SP2, and now I find out that I need to buy A WHOLE NEW PC just to get the computing experience my Mac and Linux using friends get every day?

Give me another 6 months to a year, (around the time I was going to replace anyway), and you'll see me with a brand new Powerbook under my arm.

via Facebook 18 August, 2004 14:25

Not true: a lot of companies employ a dual-firewall policy, such as PIX and Netscreen; that way, if one is buggy, the other one should protect.

Whilst expanding this to the PC is a pain in the ass, some enterprises may consider it worthwhile.

via Facebook 20 August, 2004 10:32

Yes, my thoughts exactly. 2 firewalls? I work for an ISP on technical support. One of the main issues that has generated large call volumes is linked to firewall issues.

Now SP2 has just launched, we have already had a significant increase in problems with the features it has added. Especially on the wireless side: almost all of our wireless customers have experienced a loss of wireless connectivity after updating to SP2.

via Facebook 24 August, 2004 21:19

I just installed SP2. During the reboot setup after the install, Microsoft said not to run more than one firewall or it can cause conflicts. MICROSOFT MEANS SOFTWARE FIREWALLS.
Hmmm, have you guys got a clue what you are talking about?
My router has a hardware firewall and I use Norton firewall on my PCs, as the old Windows firewall blocks the network shares; the Microsoft firewall is now turned off.
ZoneAlarm and Sygate, which I have also used, work better than the old firewall built into Windows and are a lot easier to configure.
So I have 2 firewalls - big deal.
How about you experts doing a proper reply for people to understand who are not behind corporate firewalls or behind hardware firewalls?
Until you "EXPERTS" do a sensible reply, readers go and have a read at www.grc.com about firewalls, and you can also check it is working there. Also go to www.sygate.com, as you can also do a scan there to see if your firewall is working.
If you have not got a personal firewall, use the Microsoft one, as they have not spent their money developing it for nothing just to have it slated by, er, so-called know-alls.
(Thanks to ZDNet for educating me over the years and for my continued education.)

via Facebook 25 August, 2004 13:22

Dude, your comment made no sense whatsoever.

via Facebook 9 October, 2004 21:03