Microsoft Releases Changelist for Upcoming XP SP2

kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."

Re:All this work

[Utopia]

Go read the doc. before you post.
IE has a popup manager in SP2

Prevent popups, ads, banners etc...

[Capeman]

Download Ad-Shield [ad-shield.com], it's the best app I've used to block all internet advertisements.

Re:All this work

[ottawanker]

Did you RTFA? (I hate saying that, it makes me feel .. like all the other assholes who say that)

Internet Explorer Pop-up Manager
Q. What does Pop-up Manager do?

A. Pop-up Manager blocks most unwanted pop-up windows from appearing. Pop-up windows that are launched when the end user clicks a link will not be blocked.

End users and IT administrators can let specific domains launch programmatic pop-up windows. Developers will be able to use or extend the pop-up functionality in Internet Explorer for applications hosting Internet Explorer.

Q. Who does this feature apply to?

A. For end users, browsing the Web will be less annoying, because unwanted pop-up windows will not automatically appear.

For Web developers, Pop-up Manager affects the behavior of windows opened by Web sites, for example, by using the window.open() and showHelp() methods

For application developers, there is a new user interface: InewWindowManager.

Applications that use the rendering engine in Internet Explorer to display HTML can choose to use or extend the Pop-up Manager functionality.
...

Re:Program Error

[ObviousGuy]

It opens in StarOffice just fine.

Re:Program Error

[dnaumov]

Wordpad is not ment for documents that big. Use MS Word or OpenOffice.

Re:Smart.

[MoonFog]

It sure seems that way. From the .doc document where they talk about the pop up manager:
Why is this change important? What threats does it mitigate?
Pop-ups have been misused in many ways. By blocking pop-ups, the Web is safer for our end users, and the customer has more control over their browsing experience.

The document is filled with explanation of security related fixes.

Re:Prevent popups, ads, banners etc...

[Jugalator]

Mozilla Firebird [mozilla.org] works quite well too, and isn't shareware either. And I heard you get a browser that's better than IE as a special offer! :-D

Re:Internet Explorer Add-on Crash Detection

[Jugalator]

This detection has nothing to do with the error reporting feature already in Windows XP. It's just designed to better handle crashes in 3rd party software attached to IE.

Wow.

[JanusFury]

I just read through that thing - there are a lot of good fixes in there. For one, they've apparently made a lot of changes to IE that will make it less of a pain in the ass to use. Some major changes to popup windows in general - they're making it much harder to trick users with popups.

They also seem to have made a lot of changes to the firewalling stuff - firewalling is on by default, too. They also made it so that the File Sharing and Networking ports only work in the local subnet -this means people won't be able to hit you with Windows Messenger spams from the 'net anymore, or access your RPC ports... good stuff.

Maybe, just maybe, MS will eventually get security right. This Service Pack appears to be a sizable step in the right direction.

Re:Firewall

[Anonymous Coward]

No it doesn't, it only allows file and printer sharing within the Windows Network Neighbourhood. And that's enabled by default.

Read more carefully next time.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:All this work

[ComaVN]

No, application developers that use the IE renderer can choose to use or extend the blocker functionality, NOT the website designers. You know, applications running locally?

Re:Wow.

[JanusFury]

RTFA. Popup blocker included.

(Isn't this even mentioned in the article description? I mean, really, how kneejerk can you get)

Re:I just hope

[-noefordeg-]

From the 5 star my post got on Dell user forums + all the 'thank you' mails from people having the same problem but got it fixed by removing patch 'SP2 Q328310' I'm pretty sure the problem was with that patch and I'm fairly certain it was not just me.....

Installing that patch breaks BattleField 1942 (black screen), Asheron's Call (a really curious bug here) + a few more games I don't remember right now, removing it makes the games run like normal.

Sure thing. The patch might not do anything which directly affects the 3D rendering, but it's without doubt the trigger for a strange bug that DO affect the 3D rendering.

For Asheron's Call the bug will actually let you start the game and go ingame, but it won't render any 3D graphics. Your ingame panel will be visible but nothing from the game world will be drawn. But again, removing patch SP2 Q328310 fixes the bug, installing patch SP2 Q328310 introduces the bug.

What have me a bit worried right now, is that MS will include this patch in the service pack.

Re:Prevent popups, ads, banners etc...

[Urkki]

Download Mozilla Firebird [mozilla.org] and you don't need that kind of potentially suspicious (Is it spyware? Does it like to get uninstalled nicely or will it leave something behind? Is the company making it really trustworthy?) closed-source software...

Re:Meh

[Anonymous Coward]

Actually Dell computers come prepatched with sp1 nowadays and I'm sure they'll update to sp2 once it's released.

What breaks or works differently?

[alib001]

Each section detailed in the document has this Orwellian subheading. But I feel it's missing the appropriate emphasis...

What breaks or "works differently"?

I think I'll wait a while before applying it so other users can find all the new "features".

AMD grabs key security advantage

[sundling]

http://cbs.marketwatch.com/news/story.asp?guid=%7B 605678E9-C043-4B7E-94C7-E693D2BBA696%7D&siteid=goo gle&dist=google

So the implication is that Intel is only supporting this security feature on enterprise servers (Itanium), while AMD is supporting security on desktops and servers.

Re:*POOOF*

[EddWo]

The new one in SP2 does incoming and outgoing connections, blocks udp and multicast and enables ports on a per-program basis without requiring the program to specifically open or close them. It is also on by default and covers all network interfaces.

I expect they will supply default behaviours that allow their own programs to phone home. But hopefully it is properly configurable so you can decide if you want that or not.

I don't know if it is feature comparable to the third party offerings, but it is significantly improved on the version that shipped with WindowsXP

Re:No Execute on Linux

[The One KEA]

This already exists - Ingo Molnar has written something called the exec-shield patch which implements this functionality in a slightly different fashion. Here [kerneltrap.org] is a link to one of Ingo's patch announcements.

Re:*POOOF*

[mshultz]

Doesn't the Internet Connection Sharing thing take care of NAT? It's not the prettiest way to do it, but hey, it's there.

Re:...where is tabbed browsing?

[Junior J. Junior III]

Since XP already groups multiple windows open in the same application and puts them on their own pseudo-tabs on the task bar, it's probably considered redundant. I know it isn't quite the same thing, but they probably think of it has having implemented tabbed apps as an OS-wide feature already.

Re:WTF? is this playschool?

[nberardi]

Come on you had to hear about this when they were talking about the new IE. They are intigrating a pop-up killing in the new version of IE, in addition to "fixing" the problem where those annoying gator program plug-ins pop-up and some stupid user clicks yes to install. Also the firewall is getting a make over, now no ports will be open by default unless a program like AIM requests an Open Port for a file transfer. In addition this will help stop the spread of worms if the unknowing user has the Firewall turned on by default.

Also you are right NT doesn't stand for "New Technology" it stand for "NTen", but I guess you already knew that being the smart guy you are.

In addition if you had updated your Outlook you would have already found that they did fix that vb-script problem, but I guess you don't pay any attention to those patchs do you. In addition the OS Service Pack is different from the Office Service Pack.

Do you expect the Linux Kernel team to fix problems with Open Office? NO YOU DON'T! So why do you expect it from Microsoft?

Congradulations you are probably one of the most uninformed people on Slashdot, and that is hard to do because the /. community is amoung the smartest.

No CSS improvement for IE?

[SpaceRook]

God, IE could really use some better CSS handling. I'm disappointed they didn't add any with this service pack.

pop up blocker

[Apreche]

I read the document and apparently the pop up blocker is crap. Here's why

ustomers will still see pop-ups launched in the following cases:

The pop-up is opened by a link which the user clicked.

The pop-up is opened by software that is running on the computer.

The pop-up is opened by ActiveX controls that are instantiated from a Web site.

The pop-up is opened from the Trusted Sites or Local Intranet zones.

I sense an increased use of ActiveX by ad-ridden websites in the future. What this is really, is not a way for MS to help out the user by eliminating annoyance. It is a strategy to get everyone who wants pop up ads on their site to use ActiveX. And hopefully when they're using ActiveX they'll make important parts of their site with it. Like say, the navigation bar. I'll stick to Firebird tyvm.

PNG support

[0x0d0a]

Why, why, why no full IE PNG support?

Argh.

Re:All this work

[self assembled struc]

actually $10 says there's some sort of security bug/error that DOES let people access the pop-up manager directly from HTML.

remember, you can embed VBScript in an HTML page and set it to run on the user's end.

And then, there's my favorite hack for getting PNGs to display transparent in IE (breaks links if you're using the transparent PNG as a background, if the link is on top of the PNG...but it still looks pretty).

filter:progid:DXImageTransform.Microsoft.AlphaIm ag eLoader(src='/img/text.png', sizingMethod='scale');

now, really, that's not even valid CSS. but place that in your CSS rule where you want a transparent background, and BAM! Transparent PNG.

So say what you will about jerkoffs writing pop-up spam not being able to access the pop up manager, i'm firmly placing myself in the skeptic arena.

Re:lol...crashes allready

[Anonymous Coward]

You may be able to just about knock up a memo with it, but you have to be insane to try to set a moderately complex document with it. A statistician friend of mine (and fromer Word fan) tried to do her thesis on it, after the second crash she decided it was quicker to learn LaTeX from scratch, just to do her thesis.
I'd like to learn Word, but I'm still on the waiting list for an aesthetic-sense bypass (bloody NHS).

Re:TCPA?

[Ann Elk]

"Execution Protection" (NX) has nothing to do with TCPA. NX means the heap and stack are not executable unless you take specific measures to make them so. NX should make it MUCH more difficult for worms and viruses to execute arbitrary code via buffer overruns. Unfortunately, NX is not possible on current 32-bit Intel processors.

Re:Processor support for NX flag

[scrytch]

Way back in my Comp Sci days, I could have sworn that when a 386 (and to some extent a 286) was running in protected mode, different areas of memory could be marked as 'code' for execution and for 'data' that could not be executed. Trying to read or write to the code area, or execute a data area would result in exceptions. It was many years ago though ...

That's how it works now, and the CPU won't execute from instructions in areas marked nonexecutable. Problem is, the stack is executable, and that's where buffer overruns happen. And a certain code technique called a trampoline, which generates asm on the stack to execute, requires an executable stack. Trampolines aren't strictly necessary, but they are fast and easy, and they're not going to be easy to get out of everything that needs it. I'm told there's ways around the nonexecutable stack as well, though I'm not certain what they are. Regardless, I'm not sure if it's even possible to make the stack nonexecutable on IA32...

Re:Execution Protection vs PROT_EXEC on noexec mou

[cobar]

Those are two totally different things.

Drepper is talking about being able to mount disks with the noexec flag, which prevents programs on that partition from being executed. This is most often used on filesystems that could possibly be written by public users, like /var, to prevent any programs there from being uploaded and then run to take advantage of an exploit or other such issues.

Execution Protection is probably referring to making the code pages of a program non-writeable. The goal is to prevent buffer overflows from allowing a script kiddie to write to the code segments and load the shell code. Take a look at OpenBSD's W^X (write xor execute) for more info.

Re:Execution Protection vs PROT_EXEC on noexec mou

[mithras the prophet]

"Execution Protection" marks pages *in memory* as data rather than code. That helps prevent buffer overrun and stack-smashing attacks -- where cleverly arranged faulty data can be executed as though it's a program.

The "Execution Protection" is a feature of the CPU, which operating systems can add support for. If it isn't already in Linux I'd expect to see it soon.

The Linux stuff is about marking entire *disks* (mountpoints, really) as containing only data, and not programs you want to run. That prevents someone from uploading a nasty program onto your disk, then running it. (For example, you could mount your operating system / built-in programs on a read-only disk, then mark everything else as 'noexec' -- making an attacker's job much tougher).

Re:*POOOF*

[Tim C]

No, because there's absolutely no way they're going to sell ISA Server to home users, but a lot of home users will be using XP (Home, if not Pro, although that's what I have). On top of that, no business IT dept worthy of the name would rely on software firewalls on every desktop to secure their network, no matter how good.

It's unlikely in the extreme that MS would ever ship a comparable firewall as part of the OS, simply because that's not what the vast majority of their target userbase needs or wants.

Re:*POOOF*

[bratmobile]

Uhhh, you're wrong on the NAT claim. XP has provided a NAT from day 1. It's called Internet Connection Sharing, and it is totally integrated into the XP firewall (Internet Connection Firewall).

And it DOES have protocol helpers for H.323. I should know -- I was the dev lead on that team. Think before you just mumble.

Anyone who needs GRE- or AH-specific functionality knows where to find it. ICS/ICF is targeted at home users, and it does that job very well. There will always be a market for super-fancy firewalls. But for the vast majority of people, XP's does the trick.

OpenBSD has it on i386 (W^X)

[Gandalf_007]

That's read as "write XOR execute". If a page is writable it cannot be executed, and vice versa, so even if there was a buffer overrun bug in a daemon, the arbitrary code you insert couldn't be executed.

From http://www.openbsd.org/34.html#new :

Further W^X improvements, including support for the i386 architecture. Native i386 binaries have their executable segments rearranged to support isolating code from data, and the cpu CS limit is used to impose a best effort limit on code execution.

It's a bit of a kludge on i386 (unlike amd64 or ppc), but it can still be done.

Strategy to get people to use ActiveX?

[spideyct]

That is absurd. Microsoft wants to kill ActiveX on the web just as much as you do.
I can't remember the last time I read an article on MSDN or any other MS developer website where it was suggested you should use a client side ActiveX component to provide a rich interface.

They have already recognized its major shortcomings (notably "all or nothing" trust of components) and are now pushing new alternatives to a rich web experience (.NET smart clients, Avalon XAML apps in Longhorn, etc).

The reason they can't block ActiveX controls is that an ActiveX control can do whatever it wants if the browser allows it to execute. There is no fine grained control over what it is allowed to do.

No conspiracy here.

Re:Quick, call the cops!

[10101001 10101001]

> to ... impair a technological measure, without the authority of the copyright owner If the dll is written very badly then anything that relies on the dll as part of a technological measure is impaired. The copyrighted work being impaired is not the dll but the copyrighted work protected by the dll. The maker of DeCSS can't claim copyright as protection for DeCSS because DeCSS doesn't impair itself. DeCSS does impair CSS, though, which is the issue. As a simple example, imagine a competitor's product was being pirated and the chief fault was a dll made by MS. Even if the fault was unintentional, under the DMCA MS was at fault.