Microsoft Releases Changelist for Upcoming XP SP2
kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
Re:All this work (Score:3, Informative)
IE has a popup manager in SP2
Prevent popups, ads, banners etc... (Score:0, Informative)
Re:All this work (Score:5, Informative)
Internet Explorer Pop-up Manager
Q. What does Pop-up Manager do?
A. Pop-up Manager blocks most unwanted pop-up windows from appearing. Pop-up windows that are launched when the end user clicks a link will not be blocked.
End users and IT administrators can let specific domains launch programmatic pop-up windows. Developers will be able to use or extend the pop-up functionality in Internet Explorer for applications hosting Internet Explorer.
Q. Who does this feature apply to?
A. For end users, browsing the Web will be less annoying, because unwanted pop-up windows will not automatically appear.
For Web developers, Pop-up Manager affects the behavior of windows opened by Web sites, for example, by using the window.open() and showHelp() methods.
For application developers, there is a new user interface: INewWindowManager.
Applications that use the rendering engine in Internet Explorer to display HTML can choose to use or extend the Pop-up Manager functionality.
Re:Program Error (Score:5, Informative)
Re:Program Error (Score:3, Informative)
Re:Smart. (Score:3, Informative)
Why is this change important? What threats does it mitigate?
Pop-ups have been misused in many ways. By blocking pop-ups, the Web is safer for our end users, and the customer has more control over their browsing experience.
The document is filled with explanation of security related fixes.
Re:Prevent popups, ads, banners etc... (Score:4, Informative)
Re:Internet Explorer Add-on Crash Detection (Score:3, Informative)
Wow. (Score:5, Informative)
They also seem to have made a lot of changes to the firewalling stuff - firewalling is on by default, too. They also made it so that the File Sharing and Networking ports only work in the local subnet - this means people won't be able to hit you with Windows Messenger spams from the 'net anymore, or access your RPC ports... good stuff.
Maybe, just maybe, MS will eventually get security right. This Service Pack appears to be a sizable step in the right direction.
Re:Firewall (Score:1, Informative)
Read more carefully next time.
Comment removed (Score:5, Informative)
Re:All this work (Score:3, Informative)
Re:Wow. (Score:2, Informative)
(Isn't this even mentioned in the article description? I mean, really, how kneejerk can you get)
Re:I just hope (Score:3, Informative)
Installing that patch breaks BattleField 1942 (black screen), Asheron's Call (a really curious bug here) + a few more games I don't remember right now, removing it makes the games run like normal.
Sure thing. The patch might not do anything which directly affects the 3D rendering, but it's without doubt the trigger for a strange bug that DOES affect the 3D rendering.
For Asheron's Call the bug will actually let you start the game and go ingame, but it won't render any 3D graphics. Your ingame panel will be visible but nothing from the game world will be drawn. But again, removing patch SP2 Q328310 fixes the bug, installing patch SP2 Q328310 introduces the bug.
What has me a bit worried right now is that MS will include this patch in the service pack.
Re:Prevent popups, ads, banners etc... (Score:3, Informative)
Re:Meh (Score:1, Informative)
What breaks or works differently? (Score:2, Informative)
Each section detailed in the document has this Orwellian subheading. But I feel it's missing the appropriate emphasis...
What breaks or "works differently"?
I think I'll wait a while before applying it so other users can find all the new "features".
AMD grabs key security advantage (Score:2, Informative)
So the implication is that Intel is only supporting this security feature on enterprise servers (Itanium), while AMD is supporting security on desktops and servers.
Re:*POOOF* (Score:5, Informative)
I expect they will supply default behaviours that allow their own programs to phone home. But hopefully it is properly configurable so you can decide if you want that or not.
I don't know if it is feature comparable to the third party offerings, but it is significantly improved on the version that shipped with Windows XP.
Re:No Execute on Linux (Score:5, Informative)
Re:*POOOF* (Score:2, Informative)
Re:...where is tabbed browsing? (Score:5, Informative)
Re:WTF? is this playschool? (Score:1, Informative)
Also you are right NT doesn't stand for "New Technology" it stands for "NTen", but I guess you already knew that being the smart guy you are.
In addition if you had updated your Outlook you would have already found that they did fix that vb-script problem, but I guess you don't pay any attention to those patches do you. In addition the OS Service Pack is different from the Office Service Pack.
Do you expect the Linux Kernel team to fix problems with Open Office? NO YOU DON'T! So why do you expect it from Microsoft?
Congratulations you are probably one of the most uninformed people on Slashdot, and that is hard to do because the
No CSS improvement for IE? (Score:5, Informative)
pop up blocker (Score:5, Informative)
Customers will still see pop-ups launched in the following cases:
The pop-up is opened by a link which the user clicked.
The pop-up is opened by software that is running on the computer.
The pop-up is opened by ActiveX controls that are instantiated from a Web site.
The pop-up is opened from the Trusted Sites or Local Intranet zones.
I sense an increased use of ActiveX by ad-ridden websites in the future. What this is really, is not a way for MS to help out the user by eliminating annoyance. It is a strategy to get everyone who wants pop up ads on their site to use ActiveX. And hopefully when they're using ActiveX they'll make important parts of their site with it. Like say, the navigation bar. I'll stick to Firebird tyvm.
PNG support (Score:5, Informative)
Argh.
Re:All this work (Score:3, Informative)
remember, you can embed VBScript in an HTML page and set it to run on the user's end.
And then, there's my favorite hack for getting PNGs to display transparent in IE (breaks links if you're using the transparent PNG as a background, if the link is on top of the PNG...but it still looks pretty).
filter:progid:DXImageTransform.Microsoft.AlphaI
now, really, that's not even valid CSS. but place that in your CSS rule where you want a transparent background, and BAM! Transparent PNG.
So say what you will about jerkoffs writing pop-up spam not being able to access the pop up manager, I'm firmly placing myself in the skeptic arena.
Re:lol...crashes allready (Score:1, Informative)
I'd like to learn Word, but I'm still on the waiting list for an aesthetic-sense bypass (bloody NHS).
Re:TCPA? (Score:3, Informative)
Re:Processor support for NX flag (Score:3, Informative)
That's how it works now, and the CPU won't execute from instructions in areas marked nonexecutable. Problem is, the stack is executable, and that's where buffer overruns happen. And a certain code technique called a trampoline, which generates asm on the stack to execute, requires an executable stack. Trampolines aren't strictly necessary, but they are fast and easy, and they're not going to be easy to get out of everything that needs it. I'm told there's ways around the nonexecutable stack as well, though I'm not certain what they are. Regardless, I'm not sure if it's even possible to make the stack nonexecutable on IA32...
Re:Execution Protection vs PROT_EXEC on noexec mou (Score:3, Informative)
Drepper is talking about being able to mount disks with the noexec flag, which prevents programs on that partition from being executed. This is most often used on filesystems that could possibly be written by public users, like
Execution Protection is probably referring to making the code pages of a program non-writeable. The goal is to prevent buffer overflows from allowing a script kiddie to write to the code segments and load the shell code. Take a look at OpenBSD's W^X (write xor execute) for more info.
Re:Execution Protection vs PROT_EXEC on noexec mou (Score:3, Informative)
The "Execution Protection" is a feature of the CPU, which operating systems can add support for. If it isn't already in Linux I'd expect to see it soon.
The Linux stuff is about marking entire *disks* (mountpoints, really) as containing only data, and not programs you want to run. That prevents someone from uploading a nasty program onto your disk, then running it. (For example, you could mount your operating system / built-in programs on a read-only disk, then mark everything else as 'noexec' -- making an attacker's job much tougher).
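Added example, not part of the thread or any poster's code: the W^X property discussed in the comments above can be checked from the defender's side on Linux by reading a process's `/proc/<pid>/maps` and flagging any mapping that is both writable and executable. The function names and the sample line are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Result of checking one /proc/<pid>/maps line. */
enum wx_result { WX_OK = 0, WX_VIOLATION = 1, WX_PARSE_ERROR = -1 };

/* Classify one line of the form "start-end perms offset dev inode [path]". */
enum wx_result check_maps_line(const char *line)
{
    unsigned long start, end;
    char perms[5];

    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return WX_PARSE_ERROR;
    if (strlen(perms) != 4 || end <= start)
        return WX_PARSE_ERROR;
    /* perms looks like "rwxp": index 1 is write, index 2 is execute. */
    return (perms[1] == 'w' && perms[2] == 'x') ? WX_VIOLATION : WX_OK;
}

/* Count W+X mappings in a maps file; returns -1 if it cannot be opened. */
int count_wx_mappings(const char *path)
{
    char line[512];
    int hits = 0;
    FILE *f = fopen(path, "r");

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (check_maps_line(line) == WX_VIOLATION) {
            printf("W+X: %s", line);
            hits++;
        }
    }
    fclose(f);
    return hits;
}

int main(void)
{
    /* Constructed sample line: a stack mapped writable and executable. */
    const char *sample = "bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]\n";
    printf("sample flagged: %d\n", check_maps_line(sample) == WX_VIOLATION);
    /* Audit the current process (Linux only; prints -1 elsewhere). */
    printf("W+X mappings in self: %d\n", count_wx_mappings("/proc/self/maps"));
    return 0;
}
```

This is a separate control from the `noexec` mount option described above, which restricts executing files from a filesystem rather than governing page permissions inside a running process.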
Re:*POOOF* (Score:3, Informative)
It's unlikely in the extreme that MS would ever ship a comparable firewall as part of the OS, simply because that's not what the vast majority of their target userbase needs or wants.
Re:*POOOF* (Score:2, Informative)
And it DOES have protocol helpers for H.323. I should know -- I was the dev lead on that team. Think before you just mumble.
Anyone who needs GRE- or AH-specific functionality knows where to find it. ICS/ICF is targeted at home users, and it does that job very well. There will always be a market for super-fancy firewalls. But for the vast majority of people, XP's does the trick.
OpenBSD has it on i386 (W^X) (Score:3, Informative)
From http://www.openbsd.org/34.html#new :
It's a bit of a kludge on i386 (unlike amd64 or ppc), but it can still be done.
Strategy to get people to use ActiveX? (Score:4, Informative)
I can't remember the last time I read an article on MSDN or any other MS developer website where it was suggested you should use a client side ActiveX component to provide a rich interface.
They have already recognized its major shortcomings (notably "all or nothing" trust of components) and are now pushing new alternatives to a rich web experience (.NET smart clients, Avalon XAML apps in Longhorn, etc).
The reason they can't block ActiveX controls is that an ActiveX control can do whatever it wants if the browser allows it to execute. There is no fine grained control over what it is allowed to do.
No conspiracy here.
Re:Quick, call the cops! (Score:2, Informative)