Forgot your password?
typodupeerror
Microsoft Operating Systems Software

Microsoft Releases Changelist for Upcoming XP SP2 524

Posted by simoniker
from the times-they-be-a-changing dept.
kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
This discussion has been archived. No new comments can be posted.

Microsoft Releases Changelist for Upcoming XP SP2

Comments Filter:
  • by ciaran_o_riordan (662132) on Thursday December 18, 2003 @06:32AM (#7752577) Homepage
    > detailing the nature of the security-related fixes

    DMCA violation.
  • Smart. (Score:5, Interesting)

    by starfurynz (676822) <starfurynz.yahoo@com@au> on Thursday December 18, 2003 @06:34AM (#7752589)
    Looks like MS is finally doing somethin intelligent for once. We'll have to wait to see how intelligent though.
    • Re:Smart. (Score:3, Informative)

      by MoonFog (586818)
      It sure seems that way. From the .doc document where they talk about the pop up manager:
      Why is this change important? What threats does it mitigate?
      Pop-ups have been misused in many ways. By blocking pop-ups, the Web is safer for our end users, and the customer has more control over their browsing experience.


      The document is filled with explanation of security related fixes.
    • Re:Smart. (Score:4, Funny)

      by Daengbo (523424) <daengbo AT gmail DOT com> on Thursday December 18, 2003 @07:10AM (#7752714) Homepage Journal
      Are they going to be upgrading to the new 2.6 kernel? I have a new chipset I was hoping would be supported.
  • I downloaded the doc file, and tried to open it with WordPad (which is supposedly compatible with MS Word (which I refuse to buy), at least up to the level of displaying the text (without tables/pics)

    Guess what ? WinXPpro SP1 is very sorry for the inconvenience but decides to throw up on me (an exception that is) and bail out !
    • This will be corrected in Service Pack 2, you'll have to wait ...
  • by rehabdoll (221029) on Thursday December 18, 2003 @06:41AM (#7752618) Homepage
    "wordpad.exe has generated errors and will be closed by Windows.
    You need to restart the program.

    An error log is being created."

    nice.
  • I just hope (Score:5, Interesting)

    by -noefordeg- (697342) on Thursday December 18, 2003 @06:43AM (#7752624)
    this Service Pack doesn't break anything 'useful'... *sigh*

    With WinXP I got into some serious trouble with my computer and trying to play games. At first everything worked as it should then after a weekend not a single game would play, black screen on launching a game.
    After A LOT of work the conclusion was that quickfix 'SP2 Q328310', which had been auto download from MS, did something which stopped a lot of games which need 3D support from working.

    Now I always gets a message when I start windows, about 'new updates available': -Yeah sure! It's still buggering me to download the patch.

    This really helps MS too, I'm so much more willing to download updates/patches when I know that a quickfix to lets say notepad, might break something totally unrelated; like the ability to shut down WinXP >:(
  • *POOOF* (Score:5, Funny)

    by MagerValp (246718) on Thursday December 18, 2003 @06:45AM (#7752630) Homepage
    Was that the sound of the personal firewall market dying?
    • Re:*POOOF* (Score:3, Interesting)

      by tx_kanuck (667833)
      Nope. Like most things from MS, the power users and admins will realize that they need more protectin then what is standard. They will then tell their family/friends, and the market will continue like it was.
    • Re:*POOOF* (Score:5, Insightful)

      by Tim Browse (9263) on Thursday December 18, 2003 @07:15AM (#7752730)

      Not unless they up the feature set - when I looked into XP's firewall, it only blocked incoming connections, not outgoing. I use outgoing blocks as a matter of course to catch spyware, etc, and to prevent Outlook Express/MSNIM from fetching images/ads from web servers, etc. I was looking at the XP firewall for my laptop, because Kerio made my laptop's suspend/sleep functions stop working (grrr) so had to find an alternative. As it turned out, I tried Norton Personal Firewall, which was actually quite good, and not nearly as bad as I had feared. None of them are particularly great at config UI though. Norton especially requires a lot of clicks to set rules up.

      It's just occurred to me that maybe MS don't want to implement an outgoing firewall, given that the number of Windows components that randomly connect to MS servers is quite high, and it would highlight this fact if they did outgoing connection blocking. Hmm.

      • Re:*POOOF* (Score:5, Informative)

        by EddWo (180780) <eddwo@hotpop . c om> on Thursday December 18, 2003 @08:21AM (#7752922)
        The new one in SP2 does incoming and outgoing connections, blocks udp and multicast and enables ports on a per-program basis without requiring the program to specifically open or close them. It is also on by default and covers all network interfaces.

        I expect they will supply default behaviours that allow their own programs to phone home. But hopefully it is properly configurable so you can decide if you want that or not.

        I don't know if it is feature comparable to the third party offerings, but it is significantly improved on the version that shipped with WindowsXP
      • Re:*POOOF* (Score:5, Insightful)

        by graf0z (464763) on Thursday December 18, 2003 @08:47AM (#7753017)
        when I looked into XP's firewall, it only blocked incoming connections, not outgoing

        They are definitly intruding the personal fw market: Look into "Appendix B: Netsh Command Syntax for the Netsh Firewall Ipv4 Context" for the "add allowedprogram" command - finally, they realized that there is something like trojans...

        They're still far away from other packetfilters like netfilter/pf/..:

        • no match against source or dest ip
        • nothing beyond TCP/UDP/ICMP (like GRE, ESP, AH)
        • no subchains (or whatever You wanna call conditional ramifications/jumps)
        • no rate-limiting (e.g. against SYN-flood)
        • no NAT
        • it's not clear how stateful it is (i.e. does it verify TCP sequence numbers?)
        • protocol helpers for RPC/DCOM, but not for FTP, IRC, H.323
        • no tweaky guru stuff like TCP-MSS mangling for tunnels (like VPN or PPPoE)

        There's still a lot of work waiting for the ms devel team ...

        /graf0z.

    • Re:*POOOF* (Score:5, Insightful)

      by davidstrauss (544062) <david@@@davidstrauss...net> on Thursday December 18, 2003 @07:19AM (#7752741)
      Was that the sound of the personal firewall market dying?

      To take an objective perspective, firewalls seem best if they are part of the operating system, not wedged in, but I'm surprised they aren't taking the licensing path that they chose with CD burning and disk defragmenting (both are not written by Microsoft and licensed). The XP firewall, however, does lack outgoing connection control, which shouldn't be enabled by default but should be an option (how hard is it to use the same engine for outgoing connections too?).

      • Re:*POOOF* (Score:5, Funny)

        by bmajik (96670) <matt@mattevans.org> on Thursday December 18, 2003 @11:27AM (#7754219) Homepage Journal
        actually, the disk defragmenter is 100% MS code now. The old one was outsourced to Executive Software, a bunch of scientologists. I think we had to do the defragmenter in house to get the scientologist bits out of it for certain governments to approve XP. (or it might have been because the code wasn't fully disclosed to us, or something along those lines).

        In any case, the defragger is no longer outsourced code :)

    • Re:*POOOF* (Score:5, Interesting)

      by Zocalo (252965) on Thursday December 18, 2003 @07:47AM (#7752826) Homepage
      Taking a hit maybe, but not dying (at least not to the power user). Here are some of the features I get from my Windows personal firewall of choice (Agnitum's [agnitum.com] Outpost Pro) that are not offered by ICF:
      • Outgoing connection filtering
      • Application checksumming (with MD5)
      • Protocol level mail attachment scanning
      • *Really* detailed logging
      • Pop-up ad blocking (OK, this is going to be in IE but is off by default)
      • Banner ad blocking (not in SP2 IE at all as far as I can see)
      • Cookie control
      • Policies for pop-ups, scripting, ActiveX and so on handled on a per-site basis
      And the list goes on... This is not the first time this kind of thing has happened; Microsoft used to bundle an Anti-virus product with DOS and Windows, and that didn't kill the market. It still does bundle a disk defragmenter, yet Diskeeper [diskeeper.com] seems to be be doing just fine.
      • Re:*POOOF* (Score:5, Interesting)

        by graf0z (464763) on Thursday December 18, 2003 @09:51AM (#7753357)
        This is the usual misunderstanding of the word "firewall": Classically a firewall is just a packetfilter (that means it filters packets due to rules which only consider packetheaders). This MS document uses "firewall"="packetfilter". But most "firewall products" offer packetfilter + host IDS + content-filtering, virus-scanning transparent proxies + network IDS + more gimmicks. They are sometimes referred as "application level firewalls". This is an example:

        • Outgoing connection filtering (that's included in SP2)
        • *Really* detailed logging (seemed to have improved in SP2)

        The rest ist not packetfiltering:

        • Application checksumming (with MD5) - host IDS (more precisely: file integrity checker)
        • Protocol level mail attachment scanning - virus scanning (transparent) smtp/pop3 proxy
        • Pop-up ad blocking, Banner ad blocking, Cookie control, Policies for pop-ups, scripting, ActiveX and so on handled on a per-site basis - content-filtering transparent http proxy (hint: use a more secure browser instead)

        /graf0z.

        ps: Don't get the impression that i like the SP2 packetfilter - it's really inferior to professional packetfilters.

        • Re:*POOOF* (Score:5, Interesting)

          by FuzzyBad-Mofo (184327) <fuzzybad AT gmail DOT com> on Thursday December 18, 2003 @10:42AM (#7753786)

          Pop-up ad blocking, Banner ad blocking, Cookie control, Policies for pop-ups, scripting, ActiveX and so on handled on a per-site basis - content-filtering transparent http proxy (hint: use a more secure browser instead)

          Ran into this one when a friend tried to check out my online photo gallery while using Norton "Firewall". Norton happily disabled all Javascript on the page because it apparently didn't like my DHTML.

          In my opinion, a "Firewall" has no business interpreting HTML and Javascript. Norton should be taken to task for this, else we risk creating defacto standards.

    • Re:*POOOF* (Score:4, Interesting)

      by mumblestheclown (569987) on Thursday December 18, 2003 @07:48AM (#7752833)
      Not really. Norton, a company that has become infinitely more evil than MS on several fronts, has a "clever marketing strategy."

      I have "Norton Internet Security" installed on this machine. It is impossible to unintstall. If you unintstall it, your internet connection will be irrepairably harmed, especially when it comes to secure pages. However, with Internet Security enabled, the internet is freeking useless.

      The only solution is to load internet security and then disable it after it's running. That, or clean install the operating system.

      You might think that this is an isolated problem. It's not. We routinely get support requests on our secure ecommerce sites saying "when I click on (secure link), i get a page error". Our #1 response to this is "have you recently unintstalled norton internet security?" Answer: "yes, by coiincidence i just did that this morning!"


      This '12 year technology strategy consultant' wants to know what you think of her view of e-mail list buying. why don't you tell her what you think? [typepad.com]

    • Re:*POOOF* (Score:3, Insightful)

      by gad_zuki! (70830)
      Look at all the Win2000 and 98 computers out there. One wonders why MS isn't porting their firewall to 2000, XP installs are a drop in the bucket compared to 2000.

      Lastly, I don't believe this SP shuts off activeX by default, which is the biggest problem facing windows users as its a gateway to a semilegal spyware trojans.

      There really should be a "shut off ActiveX day." 15th of the month anyone? I'm getting sick of doing it on every computer I come across after someone tells me "I have no idea how gator
  • by Anonymous Coward on Thursday December 18, 2003 @06:50AM (#7752647)
    Thanks again for the .doc format.

    Why not put such documents in a more Portable Document Format? Even assuming I have Word Reader or Openoffice, why on earth would you dissemante information via a word processor document format?
  • by Raindeer (104129) on Thursday December 18, 2003 @06:51AM (#7752649) Homepage Journal
    I really wonder if there will be undocumented securityfixes included in this Service Pack. I recently heard a director of Microsoft say that when Microsoft finds a security vulnerability, they don't disclose it, but just fixed it in a service pack. I hope I misinterpreted him, but it makes me wonder if a pre SP build of some Microsoft products might have something under the hood for bad guys to use.
    • I dunno what the undocumented security fixes and fixes to social engineering exploits will be, but there were quite a lot of documented fixes, at least for being Microsoft. :-) Actually, most of that 70+ page document details security fixes.
  • by Alereon (660683) on Thursday December 18, 2003 @07:03AM (#7752687)

    The 32-bit version of Windows currently leverages the "no-execute page protections" processor feature as defined by Advanced Micro Devices (AMD). This processor feature requires that the processor run in Physical Address Extension (PAE) mode.

    Although the only processor families with Windows-compatible hardware support for execution protection that are currently shipping are the AMD K8 and the Intel Itanium processor families, it is expected that future 32-bit and 64-bit processors will provide execution protection.

    This sounds nifty, too bad x86 CPUs don't support it (barring AMD's x86-64 offerings). However, doesn't PAE mode result in significant I/O performance degradation?

    • Way back in my Comp Sci days, I could have sworn that when a 386 (and to some extent a 286) was running in protected mode, different areas of memory could be marked as 'code' for execution and for 'data' that could not be executed. Trying to read or write to the code area, or execute a data area would result in exceptions. It was many years ago though ...
      • Way back in my Comp Sci days, I could have sworn that when a 386 (and to some extent a 286) was running in protected mode, different areas of memory could be marked as 'code' for execution and for 'data' that could not be executed. Trying to read or write to the code area, or execute a data area would result in exceptions. It was many years ago though ...

        That's how it works now, and the CPU won't execute from instructions in areas marked nonexecutable. Problem is, the stack is executable, and that's whe
    • doesn't PAE mode result in significant I/O performance degradation?

      No, or at least on older processors it wouldn't, I don't know much about newer processor design. This is done in hardware, and it can be done in parallel with the usual work of the processor. That means it will make the processor an insignificant bit larger, but not slower.

    • That's read as "write XOR execute". If a page is writable it cannot be executed, and vice versa, so even if there was a buffer overrun bug in a daemon, the arbitrary code you insert couldn't be executed.

      From http://www.openbsd.org/34.html#new :

      Further W^X improvements, including support for the i386 architecture. Native i386 binaries have their executable segments rearranged to support isolating code from data, and the cpu CS limit is used to impose a best effort limit on code execution.

      It's a bit of

  • by Savage-Rabbit (308260) on Thursday December 18, 2003 @07:03AM (#7752689)
    Executio Protection

    Old man Saddam could use feature that right about now.
  • In earlier versions of Windows, there is a window of time between when the network stack was running and when ICF provides protection. This results in the ability for a packet to be received and delivered to a service without ICF filtering and potentially exposes the computer to vulnerabilities. This was due to the firewall driver not starting to filter until the firewall service was loaded and had applied appropriate policy. The firewall service has a number of dependencies which causes the service to wait
    • by zero_offset (200586) on Thursday December 18, 2003 @08:26AM (#7752943) Homepage
      They knew about it, and they didn't do shit about it.

      Alternately:

      -- They knew about it, and management wouldn't let them do shit about it.

      -- They knew about it, but addressing it would take significant time and effort, so they opted to defer that to a later release. After all, a million people running a mediocre firewall is better than a million people running no firewall at all.

      -- They didn't actually realize it until later on. Are you psychic, or do you just happen to have a buddy who was on the ICF dev team?

      But I suppose those angles would just mess up a good troll.

      • by sgasch (239701) on Thursday December 18, 2003 @02:33PM (#7756076) Homepage
        -- They knew about it, and management wouldn't let them do shit about it.

        Also, keep in mind that having a running firewall is going to break a lot of apps and cause a lot of pain. I predict the number of calls to MS phone support (and to XYZ company's phone support) will explode after this service pack rolls out.

        Suddenly gamers won't be able to host multiplayer games, for one. People's distributed file sharing clients won't let them share anything. etc...

        I suspect that this anticipated user pain is the reason the ICF was not on by default at XP ship time.

  • Wow. (Score:5, Informative)

    by JanusFury (452699) <kevin.gadd@gm[ ].com ['ail' in gap]> on Thursday December 18, 2003 @07:19AM (#7752742) Homepage Journal
    I just read through that thing - there are a lot of good fixes in there. For one, they've apparently made a lot of changes to IE that will make it less of a pain in the ass to use. Some major changes to popup windows in general - they're making it much harder to trick users with popups.

    They also seem to have made a lot of changes to the firewalling stuff - firewalling is on by default, too. They also made it so that the File Sharing and Networking ports only work in the local subnet -this means people won't be able to hit you with Windows Messenger spams from the 'net anymore, or access your RPC ports... good stuff.

    Maybe, just maybe, MS will eventually get security right. This Service Pack appears to be a sizable step in the right direction.
    • Re:Wow. (Score:5, Insightful)

      by FrostedWheat (172733) on Thursday December 18, 2003 @08:14AM (#7752901)
      For one, they've apparently made a lot of changes to IE that will make it less of a pain in the ass to use.

      Biggest pain for me (as a non-IE user anyway) is that they *STILL* haven't added proper PNG transparancy support! Every other browser on the planet handles it fine, even IE on the Mac.

      It's not like it's a big secret everyone's hiding from MS :)
  • Meh (Score:2, Insightful)

    by Anonymous Coward
    All of the things listed in the patch that are suppose to help security, such as the firewall, are useless. Why, you ask? Because Dell, HP, Compaq, whoever, they don't ship pre-patched like they should. Why doesn't Microsoft get off their fat ass and require that computer manf. patch with SP2? HMMM? Insert a freaking update CD into the box, setup a 1-800 number that the Windows installer contacts to get the latest updates. There's a ton of things Microsoft COULD do, patching isn't enough.

    Rant over.

    Fortre [homeunix.org]
    • Re:Meh (Score:4, Interesting)

      by back_pages (600753) <.back_pages. .at. .cox.net.> on Thursday December 18, 2003 @11:46AM (#7754414) Journal
      Dude, like you've never heard of OEM Windows discs that come with that patch on the OEM disc? I'm sure there will be some turn around time before Dell & gang get into OEM copies of XP SP2, but it'll happen.

      I work at a custom shop and we don't patch anything either - DUR - we install XP SP1 OEM. I'm sure we'll be using XP SP2 OEM discs before too long.

  • by BaconLT (555713) <spam@@@tomainoonline...com> on Thursday December 18, 2003 @07:48AM (#7752829) Homepage
    Conspicuously absent: tabbed browsing. It's a simple and popular feature and it surprises me they didn't include it. Psst-Bill, you can just borrow the code from one of the many open sources that already have it, then brag about how you invented it!

    Now, that's marketing.

    As an aside, when is Windows going to include multiple desktops in their shell? I've used a number of third party pagers, but each has its drawbacks and flaws, probably because it's not written with the privilage of truly understanding the Windows code.

    • by Junior J. Junior III (192702) on Thursday December 18, 2003 @09:14AM (#7753116) Homepage
      Since XP already groups multiple windows open in the same application and puts them on their own pseudo-tabs on the task bar, it's probably considered redundant. I know it isn't quite the same thing, but they probably think of it has having implemented tabbed apps as an OS-wide feature already.
      • Not the same thing (Score:3, Insightful)

        by SuperKendall (25149) *
        With tabs I can see related sets of tab headers in one quick glance.

        With the dreaded grouping, everything is hidden from you until you click below. While I enjoy having things wrapped for me at christmas, I would find it exceedingly annoying to have everything wrapped for me all year long, the actual contents hidden until I unwrapped them.

        The grouping was the first thing I turned off in XP and the single most requested feature to help other people disable once they found it it was possible.
  • by Indy1 (99447) <spamtrap@fuckedregime.com> on Thursday December 18, 2003 @08:06AM (#7752879) Homepage
    one word: activeX

    Ie is just too insecure. Look at all the spyware that utterly rapes it. With Mozilla as mature and stable as it is, there is just zero excuse to use ie for daily surfing. Sure there are the rare occasional times you need it for crappy sites that refuse to run on standard compliant browsers, but 99% of your surfing time should be in Moz (or opera or anything else).
    • by Baron_Yam (643147) on Thursday December 18, 2003 @08:22AM (#7752925)

      I've switched to Firebird, finally. I got sick of finding that my HOSTS file, favourites, and start page were being rewritten by malicious web pages.

      On the other hand, Firebird doesn't use the MS JVM, it uses the Sun JVM, which occasionally decideds to use 99% of my system resources. It behaved the same way when I tried to use it for IE as well.

      On the other, other hand (what, three hands???) I love tabbed browsing, though I haven't yet adjusted - I keep dragging the cursor towards the taskbar looking to switch processes before redirecting to the tabs.

      On the fourth hand (this is getting weird) I now see the effects of all the tiny errors in my hand-coded HTML that IE was running - and a proper browser is refusing to display. I actually like that, since forcing compliant coding on me makes my work accessible to more browsers than just IE... of course since they're just vanity pages for me and the wife, it was never critical which is why the errors were never checked for before.

      I'm out of hands, now.

    • by Moraelin (679338) on Thursday December 18, 2003 @09:03AM (#7753071) Journal
      Who cares about pop-up blocking in IE? How about: _you_ will care, when you start seeing pop-ups in Mozilla or Opera.

      The whole "IE is inferior because it can't block popups" charade existed only _because_ the dominant browser didn't block those. Most people were content to make their pop-ups IE only.

      Now that IE has changed, let's think like one of those dishonest marketers. So you were making money serving on-load pop-ups. They no longer work. What next?

      How about looking at a little detail: IE, just like Mozilla and Opera, will not block stuff resulting from a user click.

      Does it give you ideas yet?

      If still not: Want to bet how long until you'll see sites where all links are done with JavaScript that also opens a pop-up window? Where every single drop-down and button and link is accessible only through JavaScript, which incidentally also opens a pop-up or three?

      But wait, surely people will start blocking pop-ups completely, right?

      Again, let's think like a slimeball some more. Remember, the goal of this exercise is to think not like the user annoyed by those pop-ups, but like the slimeball who pushes them onto you.

      He doesn't care if you're annoyed, nor how annoyed. He just wants to make a buck. That's all that matters. He's really got the same moral standards as the spammer filling your inbox with V14GR4 ads.

      So in that state of mind: Hmm... what to do against those users still blocking your valuable pop-ups, even when they're triggered by a click?

      Well, blimey, make the whole site unusable or crippled without pop-ups. E.g., if you have to log in or fill a form, stuff it in a pop-up window. E.g., all the links to other sites are surely best opened in a separate window, via JavaScript. (All in the name of convenience for the user, of course;) E.g., the site-map, search, articles, etc, surely are best viewed in a separate window opened through JavaScript.

      So there you go. Now the whole site is unusable unless the user disables pop-up protection.

      Fat lot of good did that pop-up blocking do, eh?
  • by SpaceRook (630389) on Thursday December 18, 2003 @10:02AM (#7753442)
    God, IE could really use some better CSS handling. I'm disappointed they didn't add any with this service pack.
  • pop up blocker (Score:5, Informative)

    by Apreche (239272) on Thursday December 18, 2003 @10:18AM (#7753569) Homepage Journal
    I read the document and apparently the pop up blocker is crap. Here's why

    ustomers will still see pop-ups launched in the following cases:

    The pop-up is opened by a link which the user clicked.

    The pop-up is opened by software that is running on the computer.

    The pop-up is opened by ActiveX controls that are instantiated from a Web site.

    The pop-up is opened from the Trusted Sites or Local Intranet zones.

    I sense an increased use of ActiveX by ad-ridden websites in the future. What this is really, is not a way for MS to help out the user by eliminating annoyance. It is a strategy to get everyone who wants pop up ads on their site to use ActiveX. And hopefully when they're using ActiveX they'll make important parts of their site with it. Like say, the navigation bar. I'll stick to Firebird tyvm.
    • by spideyct (250045) on Thursday December 18, 2003 @04:42PM (#7757309)
      That is absurd. Microsoft wants to kill ActiveX on the web just as much as you do.
      I can't remember the last time I read an article on MSDN or any other MS developer website where it was suggested you should use a client side ActiveX component to provide a rich interface.

      They have already recognized its major shortcomings (notably "all or nothing" trust of components) and are now pushing new alternatives to a rich web experience (.NET smart clients, Avalon XAML apps in Longhorn, etc).

      The reason they can't block ActiveX controls is that an ActiveX control can do whatever it wants if the browser allows it to execute. There is no fine grained control over what it is allowed to do.

      No conspiracy here.
  • by jonwil (467024) on Thursday December 18, 2003 @10:32AM (#7753701)
    Firstly, the firewall stuff is good.
    Especially things like "by default, only local machines can talk to the windows network messenger (a.k.a. winpopup), windows file sharing and etc ports".
    But, its still not a good substitute for a server-based firewall solution (e.g. a linux box with ipchains/iptables) or for a firewall box like the "firewall+DSL modem+router+switch/hub+nat+etc boxes" that are popular with home broadband networks.

    Execution Protection is a good feature, I am surprised that intel didnt add support for marking pages as "execuatble" or "not execuatble" way back when with the 386,486, pentium or whatever.

    Given the number of Internet Explorer addons in the lists of Spyware programs like Ad-Aware and Spybot Search & Destroy, the Add-on Manager is something thats long overdue. This should at least prevent those who are clued up enough to check it once in awhile from being hit with Spyware addons.

    As for the Java stuff, I think the best thing would be for MS to modify all future operating systems and service packs to completly remove the MSJVM if it is present and to install the sun Java VM instead (I expect that as long as they were shipping it unmodified and shipping as recent a version as possible, sun would just love this)

    The MSJVM is a piece of garbage that should disappear for good, along with any lame-braned sites/content/software designed to work with it and only with it.

    Now, the MIME type handling stuff.
    IMO, the best solution is for IE to completly ignore the file extention and contents if it has a MIME type.
    Basicly, if it gets a MIME type, it uses that and ignore both the extention and the content. If it doesnt have a MIME type (e.g. local disk file or FTP server, it should use the extention only and ignore the content).

    If the MIME type it has is for something like text/plain or image/png or text/html or something else that IE can handle, it should handle it.
    If the MIME type is one for which a system program has regisered itself (for example, ms word could register itself for application/x-msword-document), it gets handed off to that.
    Otherwise, windows will display a dialog box asking the user to select from:
    1.open with the application registered to handle the extention passed in (for example, if its a .rar file, winrar might be specified, if no applocation is registered to handle this, it wont display this option. Also, anything thats executable e.g. *.bat, *.pif, *.scr, *.exe, *.com wont be allowed to execute and must be saved to disk and/or opened with a seperate application. And, certain things like the program that runs *.vbs scripts would be banned so that they dont appear in this list and you cant say "open with this app by default")
    2.open with an application of the users choice.
    or 3.save to disk
    With an option to save this as the default action for this file extention (and the case of no mime type) and a way to remove that "save as default" and re-specify later on, this would be the ideal solution. Plus, unlike what the MS proposal says, it would actually force web-servers to do away with the "send text/plain as default for anything we dont understand" features and configuractions. The right response (IMO, I havent read the RFCs or anything) is to send no MIME type at all for files that you dont have a specific MIME type for.

    As for pop-up manager, here is what MS should do:
    1.turn off any features in HTML that allows the changing of the "z-order" of windows (e.g. to make a window move to the back like with a pop-under)
    and 2.turn the pop-up blocker on by default

    But personally, I think the fault lies with the idiot that invented window.open() in the first place. What legitimate use is there for being able to open a new browser window in this maner?
    Many web-sites use links that use the TARGET attribute of the tag to create a new window with content in it and thats pefectly fine.
    The only uses for window.open() that I know of are:
    1.popups, popunders
  • PNG support (Score:5, Informative)

    by 0x0d0a (568518) on Thursday December 18, 2003 @10:56AM (#7753899) Journal
    Why, why, why no full IE PNG support?

    Argh.
  • WinXP SP2:
    and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
    Linux v2.6.0:
    <drepper@redhat.com> [PATCH] Fix 'noexec' behaviour We should not allow mmap() with PROT_EXEC on mounts marked "noexec", since otherwise there is no way for user-supplied executable loaders (like ld.so and emulator environments) to properly honour the "noexec"ness of the target.
    Is there any relation? Are these entirely seperate things, or is one a software implementation and the other a more direct processor instruction for the same task?
    • Those are two totally different things.

      Drepper is talking about being able to mount disks with the noexec flag, which prevents programs on that partition from being executed. This is most often used on filesystems that could possibly be written by public users, like /var, to prevent any programs there from being uploaded and then run to take advantage of an exploit or other such issues.

      Execution Protection is probably referring to making the code pages of a program non-writeable. The goal is to prevent
    • "Execution Protection" marks pages *in memory* as data rather than code. That helps prevent buffer overrun and stack-smashing attacks -- where cleverly arranged faulty data can be executed as though it's a program.

      The "Execution Protection" is a feature of the CPU, which operating systems can add support for. If it isn't already in Linux I'd expect to see it soon.

      The Linux stuff is about marking entire *disks* (mountpoints, really) as containing only data, and not programs you want to run. That prevents s
  • by DroopyStonx (683090) on Thursday December 18, 2003 @11:53AM (#7754490)
    Is it me or are they actually beginning to shape up? I know it's blasphemy to praise MS, but after reading that document I was quite impressed. A few times I was surprised and uttered, "Wow, they actually fixed that!" to myself as I was reading.

    ...but what's the catch? Seems too good to be true.

    Perhaps there is some remote code that manipulates pixels on your screen to subliminally flash messages to you thus making you relinquish your spiritual ownership and connection to your soul. You are now one of them.
  • Broken firewall? (Score:5, Insightful)

    by supabeast! (84658) on Thursday December 18, 2003 @12:16PM (#7754727)
    "Internet Connection Firewall will be enabled by default..."

    About damned time. I just hope that DHCP works through it by default, because right now it doesn't, and if it blocks DHCP, all of those broadband users who connect the PC right to the cable/dsl "modem" will deactivate the firewall to get online.

    Of course, what we really need is for ISPs to include a user-manageable firewall in the damned devices in the first place.

There's a whole WORLD in a mud puddle! -- Doug Clifford

Working...