Microsoft Operating Systems Software

Microsoft Releases Changelist for Upcoming XP SP2 524

kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
This discussion has been archived. No new comments can be posted.

  • All this work (Score:-1, Insightful)

    by ObviousGuy ( 578567 ) <ObviousGuy@hotmail.com> on Thursday December 18, 2003 @06:30AM (#7752571) Homepage Journal
    And they still can't prevent pop ups in Internet Explorer.
  • Firewall (Score:0, Insightful)

    by Anonymous Coward on Thursday December 18, 2003 @06:47AM (#7752638)
    I hope that firewall lets in other video streams than Windows Media.
  • by Anonymous Coward on Thursday December 18, 2003 @06:50AM (#7752647)
    Thanks again for the .doc format.

    Why not put such documents in a more Portable Document Format? Even assuming I have Word Reader or Openoffice, why on earth would you disseminate information via a word processor document format?
  • Re:Program Error (Score:5, Insightful)

    by melevitt ( 31652 ) <melevittfl@[ ]oo.com ['yah' in gap]> on Thursday December 18, 2003 @07:04AM (#7752692)
    Uhh yeah, but it still shouldn't just crash!
  • by ChangeOnInstall ( 589099 ) on Thursday December 18, 2003 @07:06AM (#7752697)
    In earlier versions of Windows, there is a window of time between when the network stack was running and when ICF provides protection. This results in the ability for a packet to be received and delivered to a service without ICF filtering and potentially exposes the computer to vulnerabilities. This was due to the firewall driver not starting to filter until the firewall service was loaded and had applied appropriate policy. The firewall service has a number of dependencies which causes the service to wait until those dependencies are cleared before it pushes the policy down to the driver. This time period is based upon the speed of the computer.

    What bugs me about this is that it strikes me as a problem that was well known about when the developers were writing the original code for ICF. They knew about it, and they didn't do shit about it.
  • Re:Program Error (Score:2, Insightful)

    by ErrorBase ( 692520 ) <errorbase@hotmail.com> on Thursday December 18, 2003 @07:08AM (#7752709)
    Just open it in OpenOffice.Org and all is fine, funny though that Word files are not supported by MicroSoft anymore. Sidenote: It is a 65kb file saved as OOo native format. Where does the 400+ kb extra stuff come from (is it only the lack of compression?)
  • Re:Program Error (Score:1, Insightful)

    by Anonymous Coward on Thursday December 18, 2003 @07:09AM (#7752711)
    It doesn't matter if it's ment(sic) to or not, it should at least die gracefully.
  • Um, no (Score:5, Insightful)

    by Sanity ( 1431 ) * on Thursday December 18, 2003 @07:13AM (#7752724) Homepage Journal
    I know you really hate Microsoft, but even the most zealotous zealot has to admit that they can't be held responsible when a third-party plugin causes IE to crash (it would do the exact same thing to Mozilla).

    This feature is a great idea, it means that if, for example, Acrobat Reader is causing IE to crash then at least I know who is to blame and can uninstall or upgrade it.

  • Re:*POOOF* (Score:5, Insightful)

    by Tim Browse ( 9263 ) on Thursday December 18, 2003 @07:15AM (#7752730)

    Not unless they up the feature set - when I looked into XP's firewall, it only blocked incoming connections, not outgoing. I use outgoing blocks as a matter of course to catch spyware, etc, and to prevent Outlook Express/MSNIM from fetching images/ads from web servers, etc. I was looking at the XP firewall for my laptop, because Kerio made my laptop's suspend/sleep functions stop working (grrr) so had to find an alternative. As it turned out, I tried Norton Personal Firewall, which was actually quite good, and not nearly as bad as I had feared. None of them are particularly great at config UI though. Norton especially requires a lot of clicks to set rules up.

    It's just occurred to me that maybe MS don't want to implement an outgoing firewall, given that the number of Windows components that randomly connect to MS servers is quite high, and it would highlight this fact if they did outgoing connection blocking. Hmm.

  • by Com2Kid ( 142006 ) <com2kidSPAMLESS@gmail.com> on Thursday December 18, 2003 @07:19AM (#7752740) Homepage Journal
    Bleh, troll, or did you just skim the file? Either way. . . .

    What this new feature does (and it IS rather nifty) is detect which piece of spyware loaded up with IE is causing crashes, and let the user disable said spyware.

    Nice actually. ^_^
  • Re:*POOOF* (Score:5, Insightful)

    by davidstrauss ( 544062 ) <david@davidstra[ ].net ['uss' in gap]> on Thursday December 18, 2003 @07:19AM (#7752741)
    Was that the sound of the personal firewall market dying?

    To take an objective perspective, firewalls seem best if they are part of the operating system, not wedged in, but I'm surprised they aren't taking the licensing path that they chose with CD burning and disk defragmenting (both are not written by Microsoft and licensed). The XP firewall, however, does lack outgoing connection control, which shouldn't be enabled by default but should be an option (how hard is it to use the same engine for outgoing connections too?).

  • Re:All this work (Score:4, Insightful)

    by Anonymous Coward on Thursday December 18, 2003 @07:30AM (#7752782)
    >Doesn't the blocking of ads violate the terms of use of some sites?

    Possibly. Who cares? I don't agree with such limitations - you put a site on the web for people to read, free of restrictions. I've yet to agree to anything on my computer other than EULAs. Reading a website does not signify I consent to anything.
  • Re:*POOOF* (Score:5, Insightful)

    by mshiltonj ( 220311 ) <mshiltonj@gm a i l .com> on Thursday December 18, 2003 @07:35AM (#7752798) Homepage Journal
    Nope. Like most things from MS, the power users and admins will realize that they need more protection than what is standard. They will then tell their family/friends, and the market will continue like it was.

    Yep, just like the web browser market.

    Bad-dum-bump.

    Thank you! Thank you! I'll be here all night!
  • Meh (Score:2, Insightful)

    by Anonymous Coward on Thursday December 18, 2003 @07:38AM (#7752808)
    All of the things listed in the patch that are supposed to help security, such as the firewall, are useless. Why, you ask? Because Dell, HP, Compaq, whoever, they don't ship pre-patched like they should. Why doesn't Microsoft get off their fat ass and require that computer manf. patch with SP2? HMMM? Insert a freaking update CD into the box, set up a 1-800 number that the Windows installer contacts to get the latest updates. There's a ton of things Microsoft COULD do, patching isn't enough.

    Rant over.

    Fortress of Insanity [homeunix.org]
  • by __aatgod8309 ( 598427 ) on Thursday December 18, 2003 @07:42AM (#7752815)
    Considering the complexity of modern spyware, does anyone else think there's a good possibility that disabling said spyware won't be that easy?
  • Re:Wow. (Score:2, Insightful)

    by Deleriux ( 709637 ) on Thursday December 18, 2003 @07:44AM (#7752820)
    I second that, there's some preliminary sandboxing features to I.E. too. This doesn't mean I'll switch to Windows at all, and after this has been released lots of gamers will find some of their more legacy type games not working, which will be a headache for the next year. Other than that, the headaches versus the fixes mean it will be worth the download. Very pleased with M$ for this. Have to add a conspiracy theory though.. with all these new features and extra functionality (that's not like MS) there will probably be a trade in. Anyone hear the death hum of DRM calling?
  • by BaconLT ( 555713 ) <spam@@@tomainoonline...com> on Thursday December 18, 2003 @07:48AM (#7752829) Homepage
    Conspicuously absent: tabbed browsing. It's a simple and popular feature and it surprises me they didn't include it. Psst-Bill, you can just borrow the code from one of the many open sources that already have it, then brag about how you invented it!

    Now, that's marketing.

    As an aside, when is Windows going to include multiple desktops in their shell? I've used a number of third party pagers, but each has its drawbacks and flaws, probably because it's not written with the privilege of truly understanding the Windows code.

  • by Zocalo ( 252965 ) on Thursday December 18, 2003 @07:59AM (#7752868) Homepage
    That's an interesting point and Microsoft must be torn over this issue. On one hand, they could take this as an opportunity to lock out a few more dodgy copies of Windows XP... for the few days it takes for the inevitable patch or workaround. On the other hand, by waiving that, they potentially get to vastly improve the security of deployed Windows XP installations. Given the amount of bad press that Microsoft gets each time some Internet worm is doing the rounds I wonder which way they will go...
  • by Indy1 ( 99447 ) on Thursday December 18, 2003 @08:06AM (#7752879)
    one word: activeX

    IE is just too insecure. Look at all the spyware that utterly rapes it. With Mozilla as mature and stable as it is, there is just zero excuse to use IE for daily surfing. Sure there are the rare occasional times you need it for crappy sites that refuse to run on standard compliant browsers, but 99% of your surfing time should be in Moz (or Opera or anything else).
  • Re:Wow. (Score:5, Insightful)

    by FrostedWheat ( 172733 ) on Thursday December 18, 2003 @08:14AM (#7752901)
    For one, they've apparently made a lot of changes to IE that will make it less of a pain in the ass to use.

    Biggest pain for me (as a non-IE user anyway) is that they *STILL* haven't added proper PNG transparency support! Every other browser on the planet handles it fine, even IE on the Mac.

    It's not like it's a big secret everyone's hiding from MS :)
  • by Shivetya ( 243324 ) on Thursday December 18, 2003 @08:15AM (#7752902) Homepage Journal
    To ignore it would be to ignore what this site is all about. This stuff does matter to a great many people in their everyday business environment. /. != Linux
  • by zero_offset ( 200586 ) on Thursday December 18, 2003 @08:26AM (#7752943) Homepage
    They knew about it, and they didn't do shit about it.

    Alternately:

    -- They knew about it, and management wouldn't let them do shit about it.

    -- They knew about it, but addressing it would take significant time and effort, so they opted to defer that to a later release. After all, a million people running a mediocre firewall is better than a million people running no firewall at all.

    -- They didn't actually realize it until later on. Are you psychic, or do you just happen to have a buddy who was on the ICF dev team?

    But I suppose those angles would just mess up a good troll.

  • Re:*POOOF* (Score:5, Insightful)

    by graf0z ( 464763 ) on Thursday December 18, 2003 @08:47AM (#7753017)
    when I looked into XP's firewall, it only blocked incoming connections, not outgoing

    They are definitely intruding the personal fw market: Look into "Appendix B: Netsh Command Syntax for the Netsh Firewall Ipv4 Context" for the "add allowedprogram" command - finally, they realized that there is something like trojans...

    They're still far away from other packetfilters like netfilter/pf/..:

    • no match against source or dest ip
    • nothing beyond TCP/UDP/ICMP (like GRE, ESP, AH)
    • no subchains (or whatever You wanna call conditional ramifications/jumps)
    • no rate-limiting (e.g. against SYN-flood)
    • no NAT
    • it's not clear how stateful it is (i.e. does it verify TCP sequence numbers?)
    • protocol helpers for RPC/DCOM, but not for FTP, IRC, H.323
    • no tweaky guru stuff like TCP-MSS mangling for tunnels (like VPN or PPPoE)

    There's still a lot of work waiting for the ms devel team ...

    /graf0z.

  • I Hope... (Score:2, Insightful)

    by vigilology ( 664683 ) on Thursday December 18, 2003 @08:47AM (#7753018)
    Of course I haven't RTFA, but I hope it pops up a dialog box asking what to do instead of barging straight on in and changing all the (firewall) settings.
  • Re:*POOOF* (Score:5, Insightful)

    by Darren Winsper ( 136155 ) on Thursday December 18, 2003 @09:14AM (#7753115)
    To be fair, the XP firewall is pretty basic, and I've not heard that Microsoft intend on fleshing it out that much. It pretty much does its job, prevent incoming connections, which is what most people want.
  • by nmg196 ( 184961 ) on Thursday December 18, 2003 @09:36AM (#7753226)
    > So instead of finding the source(s) of the crashes and fixing it,
    > they have apparently given up on that,

    You've completely misunderstood. The entire point of the Crash Detection system is so that Microsoft ARE aware of when crashes are happening and CAN fix them. If this system wasn't there - they wouldn't even know your browser had ever crashed. Users rarely report bugs (and especially don't bother to give you detailed information) so this system is an excellent idea.

    Additionally, this new system "Add-on Crash Detection" allows them to give you useful advice if a 3rd party (i.e. non-MS) component causes a crash.

    I don't know about anyone else, but my IE has been crashing quite a lot since I installed Macromedia Flash 7. This isn't obviously Microsoft's fault, but they might be able to tell Macromedia what crashes are occurring and how they were caused.

    I *really* hate stupid ill-thought-out comments like yours.
  • by Haeleth ( 414428 ) on Thursday December 18, 2003 @09:50AM (#7753345) Journal
    So there you go. Now the whole site is unusable unless the user disables pop-up protection.

    A site that broken, run by someone with that little regard for his users, is a site I have zero interest in visiting anyway. So what's the problem?
  • Re:I just hope (Score:2, Insightful)

    by code_echelon ( 709189 ) on Thursday December 18, 2003 @09:52AM (#7753359)
    All of those automatic downloads and warning messages can be turned off, go to start, run and type services.msc . The problems you are having sound like you just left all the default installation settings. I mainly use Linux but boot into Windows XP to play games and even with the ATI drivers I have had no problems with XP at all. You just have to correct the default installation settings, this is also true on most other Operating Systems including some versions of Linux (ie. Redhat Linux 9). Honestly 90% of the problems I hear about from Windows users are problems that are created by the user and how they do not configure their system properly.

    One could definitely make a case though that the default install should be more secure however that's another topic.
  • Re:*POOOF* (Score:3, Insightful)

    by gad_zuki! ( 70830 ) on Thursday December 18, 2003 @11:36AM (#7754321)
    Look at all the Win2000 and 98 computers out there. One wonders why MS isn't porting their firewall to 2000, XP installs are a drop in the bucket compared to 2000.

    Lastly, I don't believe this SP shuts off ActiveX by default, which is the biggest problem facing Windows users as it's a gateway to semilegal spyware trojans.

    There really should be a "shut off ActiveX day." 15th of the month anyone? I'm getting sick of doing it on every computer I come across after someone tells me "I have no idea how gator got on there!"

  • by BobTheLawyer ( 692026 ) on Thursday December 18, 2003 @11:39AM (#7754352)
    This is not possible. The DMCA says:

    "to 'circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner"

    As the copyright holder of the DLL is Microsoft, anything they do to the DLL (however stupid) will be "with the authority of the copyright holder". Hence nothing they do will be caught by the circumvention restriction.
  • by EddWo ( 180780 ) <eddwo AT hotpop DOT com> on Thursday December 18, 2003 @12:10PM (#7754665)
    PAE mode is not the same as 64bit.
    PAE is for 32bit processors that want to be able to access more than 4Gb of memory.
    Usually you would not enable PAE unless you needed that much memory, such as on a database server.
    Because the AMD64 must be running in PAE mode for the NX bit to function, desktop users will need to use PAE even though they don't have over 4Gb.

    Most drivers for consumer equipment are not written to operate in PAE mode, so the HAL is emulating standard 32bit mode in order to ensure compatibility.

    http://developers.sun.com/solaris/developer/support/driver/notes/pae.html

    If you are running the 64bit version of Windows you will not need to enable PAE as the NX flag is available in 64bit mode.
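
Added example (not part of the comment above, and not Microsoft's or AMD's code): a small C model of why the NX bit depends on PAE-style paging on 32-bit x86. NX is bit 63 of a page-table entry, which exists only when entries are 64 bits wide (PAE or long mode), and the CPU honors it only when the OS has set EFER.NXE. The function names and the sample entry value are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum paging_mode  { LEGACY_32BIT, PAE_32BIT, LONG_MODE_64BIT };
enum fetch_result { EXEC_ALLOWED, EXEC_DENIED, RESERVED_BIT_FAULT, NOT_PRESENT };

#define PTE_PRESENT       (1ULL << 0)
#define PTE_NX            (1ULL << 63)  /* needs a 64-bit wide entry */
#define CPUID_STD_EDX_PAE (1u << 6)     /* CPUID leaf 1, EDX bit 6 */
#define CPUID_EXT_EDX_NX  (1u << 20)    /* CPUID leaf 0x80000001, EDX bit 20 */

/* Constructed entry for a data page: NX set, frame 0x12345, P/RW/US/A/D set. */
#define SAMPLE_STACK_PTE  0x8000000012345067ULL

/* Can the OS enable no-execute at all with this CPU and paging mode? */
bool nx_usable(enum paging_mode mode, uint32_t cpuid1_edx, uint32_t cpuid_ext_edx)
{
    if (!(cpuid_ext_edx & CPUID_EXT_EDX_NX))
        return false;                   /* CPU has no NX support */
    if (mode == LEGACY_32BIT)
        return false;                   /* 32-bit entries have no bit 63 */
    if (mode == PAE_32BIT && !(cpuid1_edx & CPUID_STD_EDX_PAE))
        return false;                   /* PAE itself is unavailable */
    return true;                        /* long mode always uses 64-bit entries */
}

/* Outcome of an instruction fetch from the page mapped by `pte`.
 * efer_nxe models the EFER.NXE bit the OS sets to turn NX on. */
enum fetch_result fetch_from_page(enum paging_mode mode, uint64_t pte, bool efer_nxe)
{
    if (mode == LEGACY_32BIT)
        pte &= 0xFFFFFFFFULL;           /* only the low 32 bits exist */
    if (!(pte & PTE_PRESENT))
        return NOT_PRESENT;
    if (!(pte & PTE_NX))
        return EXEC_ALLOWED;
    /* With NXE clear, bit 63 is a reserved bit and must be zero. */
    return efer_nxe ? EXEC_DENIED : RESERVED_BIT_FAULT;
}

static const char *result_name(enum fetch_result r)
{
    static const char *names[] = { "execute allowed", "execute denied (NX)",
                                   "reserved-bit fault", "not present" };
    return names[r];
}

int main(void)
{
    static const char *modes[] = { "legacy 32-bit", "32-bit PAE", "64-bit long mode" };
    for (int m = LEGACY_32BIT; m <= LONG_MODE_64BIT; m++)
        printf("%-17s NX usable: %-3s fetch from data page: %s\n", modes[m],
               nx_usable((enum paging_mode)m, CPUID_STD_EDX_PAE, CPUID_EXT_EDX_NX) ? "yes" : "no",
               result_name(fetch_from_page((enum paging_mode)m, SAMPLE_STACK_PTE, true)));
    return 0;
}
```

The legacy 32-bit row is the case the comment describes: the same data page stays executable because the entry format has nowhere to store the NX bit.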
  • Broken firewall? (Score:5, Insightful)

    by supabeast! ( 84658 ) on Thursday December 18, 2003 @12:16PM (#7754727)
    "Internet Connection Firewall will be enabled by default..."

    About damned time. I just hope that DHCP works through it by default, because right now it doesn't, and if it blocks DHCP, all of those broadband users who connect the PC right to the cable/dsl "modem" will deactivate the firewall to get online.

    Of course, what we really need is for ISPs to include a user-manageable firewall in the damned devices in the first place.
  • Re:Program Error (Score:4, Insightful)

    by SmittyTheBold ( 14066 ) <[deth_bunny] [at] [yahoo.com]> on Thursday December 18, 2003 @02:43PM (#7756156) Homepage Journal
    The difference is it's not WordPad doing it. It's WordPad dying a painful implosive death, and WinXP recognizing that and forcefully terminating the program.

    A program should fail gracefully, especially one that is to be used to open text documents of arbitrary size. After all, what's one to use to open such documents when one doesn't *have* a full-fledged word processor installed? For me, I have two basic choices: Notepad or WordPad. We all know Notepad's not an option for a document of serious length, but at least it usually fails gracefully by throwing up an error stating that the document is too large.

    Also, WordPad's not so old. It's been updated with Unicode support lately, and supports the latest Word documents for opening. Why doesn't it fail gracefully instead of letting Windows terminate it?
  • Not the same thing (Score:3, Insightful)

    by SuperKendall ( 25149 ) * on Thursday December 18, 2003 @03:14PM (#7756447)
    With tabs I can see related sets of tab headers in one quick glance.

    With the dreaded grouping, everything is hidden from you until you click below. While I enjoy having things wrapped for me at Christmas, I would find it exceedingly annoying to have everything wrapped for me all year long, the actual contents hidden until I unwrapped them.

    The grouping was the first thing I turned off in XP and the single most requested feature to help other people disable once they found it was possible.
  • Re:All this work (Score:2, Insightful)

    by MrNybbles ( 618800 ) on Thursday December 18, 2003 @06:41PM (#7758441) Journal
    Doesn't the blocking of ads violate the terms of use of some sites? MS is very pedantic about people obeying their own EULA, yet they create a software feature to violate someone else's. Hypocrites.

    This reminds me of GeoCities where people with a GeoCities homepage (as they call it) were not allowed to put in HTML, JavaScript, or anything else that blocked or altered the ads. I have never heard of an EULA that had anything to do with agreeing to not block popup ads or ad images.

    Even if an EULA forbid people browsing the web from blocking the popup ads that would be very stupid because there is no way to enforce such an agreement and stop people from using Squid Guard and such software. Besides, HTML is an interpreted language. It's up to the web browser to figure out how it should look in the end.

    Maybe someone could make an EULA that forbids blocking any images on the web page, altering the text size, default font, colors, and forbids the use of text-only browsers such as lynx. If anyone does let me know so we can sterilize those people and their descendants so we can rid the gene pool of such people. :)
