Windows XP Service Pack 2 not secure enough? August 15, 2004

Slashdot and others are already writing shoddy reviews on Service Pack 2, saying it's not secure enough; they don't know how Service Pack 2 is going to protect systems. Well folks, that's a normal day at Slashdot and for other Linux technical writers (how they can call themselves non-biased is beyond me). I have been beta testing SP2 since the crappy RC1 days when they broke everything, followed by the fixes and the RC2 series, and yes, Microsoft has done a good job with this release. One problem I see with these “SP 2 sucks” articles is that they are assuming that everyone is using their systems for pro use; they don't take in the practical knowledge that 75 percent of Internet users are home users. You know the type I mean, the ones that when you ask “Do you have Java?” their response is “Sure, 2 creams and a sugar please!”, the type who do not know what FTP means; they don't know what Telnet is, nor do they care.

To test security in SP2 I did a self test. I used the common MyDoom virus as well as others I had access to, just to see how good Service Pack 2 really is. I set up a dummy network and embedded viruses in web pages using ActiveX, made the virus files manual downloads, etc. I even tried DoS attacks on a Service Pack 2 system. First, to infect your system you have to manually allow the file to do so. Automatic execution really doesn't work anymore. I kept getting the yellow bar in IE. Embedding a virus as an ActiveX control doesn't work without user interaction. With SP2 everything requires user interaction, and I found the dialogs not terribly confusing, pretty much straightforward and easily understood even when using the mindset of a non-tech. Nothing is automatic anymore.

Memory errors and DoS attacks are another thing. I effectively shut myself down, but it was extremely difficult to do so, making Service Pack 2 very resilient to those types of attacks. I will not disclose too many technical details on what I did to shut it down, so as not to entice the lowlifes, but I have supplied Microsoft with all the information so that they can effectively correct the situation if they see it as critical enough to do so. Mind you, no OS will be perfect and no OS can really prevent DoS attacks or counter them so that DoS attacks are not effective.

My thoughts on the Windows Firewall:

To the tune that not many people even use a firewall, the Windows Firewall is really good enough. Most Pro users will not even use the Windows Firewall, instead relying on other solutions. I use 2, the Windows Firewall and Sygate's Pro Firewall, on my SP2 systems. Using the Windows Firewall can't hurt. Most home users like my mother, sisters-in-law and my aunt do not run FTP services, web servers or telnet, so their systems won't get queried nearly as much as those of someone like me who has these services enabled for use. Most home users use dialup, and even broadband home users shut down their systems when they are done using them, which makes them even less of a target of a DoS or hacking attempt. Do I think the Windows Firewall is the best? No, but it is good enough for a home user who is not really a Pro, and I wouldn't characterize the Windows Firewall with the “slapping a band-aid on a broken leg” analogy I keep hearing. I will add that home users who allow their children to play online games, yeah, use Sygate Personal Firewall or ZoneAlarm.

The improvements to IE are substantial and fix most of the past problems that they have had. Shutting down local zones was really something that should not have been rocket science. Enabling local zones to begin with was an extremely stupid idea and the engineer that even thought about it should have been fired and his colleagues should have gone medieval on his ass, I'm talking pitchforks and torches here, lynching doesn't sound like a bad idea either. Microsoft will have to earn my trust to use IE again, and {subliminal message}put TABS into IE{/subliminal message}. I'm going to get off topic here for a minute, but on Channel 9 Dean Hachamovitch wants to know what's the big deal with tabs. Well dude, while you are looking for reasons for tabs, I will keep using Firefox. Just for 2 cents, I like tabs because it's less clutter and it doesn't eat resource power, because every time you open a new window in IE it's a separate instance of IE running, so it hogs resources. Dean suggests grouping them. Well bucko, I have a 1280 screen and it takes 12 IE windows to start grouping; if you can tell me how to manually start grouping them, by all means let me know.

My take on businesses holding off on SP2 deployment:

Good idea. There are undoubtedly programs that businesses have that will break, so the best thing to do would be to hold off until you test everything. Best advice I have heard so far. Just don't buy into all the “SP2 Sucks” articles that float around in IT rags.

My take on home users holding off on SP2 deployment:

This would be reasonable if the user deploys software on their home PC that they use for work and their IT manager asked them to hold off. For regular home users, turn on your Automatic Updates and get it; if you have multiple computers get this package


Make the geeks happy and improve Windows Firewall so that it compares to other firewalls; be careful though that vendors don’t start the “Microsoft's monopolizing again” war cry. Add tabs to IE and continue to improve IE. Do not use Service Packs just to distribute IE improvements, keep up with the public betas and continue to keep developers and users informed every step of the way. I do think these things influence the overall perception of Microsoft.

Overall, Service Pack 2 has been flawless in my deployments and there is enough improvement in SP2 that it should be deployed. For those vendors that wish to trash SP2 because it broke their apps I say “Tough, fix it”; don't complain, because really it's your own fault. Is Windows XP Service Pack 2 secure enough? In my opinion, no. The game never ends, you keep going; there is no finish line nor is there any point to stop. It's a chess game: you make a move, your opponent makes a move. One thing I will note though: when XP was released it only took a few hours before the first exploit was reported; it's been 12 days since the release of SP2 and I have yet to see an exploit reported.
{Knock On Wood}



