Microsoft Releases Changelist for Upcoming XP SP2 524
kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
Smart. (Score:5, Interesting)
Wordpad crashed (Score:1, Interesting)
I just hope (Score:5, Interesting)
With WinXP I got into some serious trouble with my computer and trying to play games. At first everything worked as it should then after a weekend not a single game would play, black screen on launching a game.
After A LOT of work the conclusion was that quickfix 'SP2 Q328310', which had been auto download from MS, did something which stopped a lot of games which need 3D support from working.
Now I always gets a message when I start windows, about 'new updates available': -Yeah sure! It's still buggering me to download the patch.
This really helps MS too, I'm so much more willing to download updates/patches when I know that a quickfix to lets say notepad, might break something totally unrelated; like the ability to shut down WinXP >:(
Re:Wordpad crashed (Score:2, Interesting)
Re:Quick, call the cops! (Score:1, Interesting)
Re:*POOOF* (Score:3, Interesting)
Undocumented Security fixes? (Score:5, Interesting)
Re:Just another angry Linux zealot post... (Score:3, Interesting)
Processor support for NX flag, performance impact? (Score:5, Interesting)
The 32-bit version of Windows currently leverages the "no-execute page protections" processor feature as defined by Advanced Micro Devices (AMD). This processor feature requires that the processor run in Physical Address Extension (PAE) mode.
Although the only processor families with Windows-compatible hardware support for execution protection that are currently shipping are the AMD K8 and the Intel Itanium processor families, it is expected that future 32-bit and 64-bit processors will provide execution protection.
This sounds nifty, too bad x86 CPUs don't support it (barring AMD's x86-64 offerings). However, doesn't PAE mode result in significant I/O performance degradation?
Re:Just another angry Linux zealot post... (Score:2, Interesting)
Until they design their own proprietary closed-source format I think we'll have to live with DOC.
Internet Explorer Add-on Crash Detection (Score:0, Interesting)
Whenever Internet Explorer crashes, the Add-on Crash Detection program is launched. Add-on Crash Detection is an error analysis program that examines the state of the Iexplore.exe (Internet Explorer) process. It collects the list of dynamic link libraries (DLLs) that are loaded, and the value of the instruction pointer register (EIP) at the time of the crash. Add-on Crash Detection then attempts to find the DLL whose memory range the EIP lies within. This DLL is often the cause of the crash.
So instead of finding the source(s) of the crashes and fixing it, they have apparently given up on that, but now run an add-on to detect the crash and attempt to clean up after that. Way to go, M$!!
Re:All this work (Score:1, Interesting)
Improve ICS DHCP ? (Score:1, Interesting)
I saw the XPSP2 document handed out at the LA PDC, and it said there would be unspecified improvements in ICS, as I recall, but I don't recall exactly.
Anyone know a better solution than ICS to do NAT in XP ? (Eg, ipchains -- haha.)
No Execute on Linux (Score:1, Interesting)
Hopefully this will create some political impetus for Linux to support this too... and hopefully not only on ia-64 and xp-64, but also on x86 and ppc, by adopting and perfecting one or more of various patches that accomplish this (to various extents) and have been around for a while.
Re:Processor support for NX flag (Score:2, Interesting)
Re:*POOOF* (Score:5, Interesting)
Re:*POOOF* (Score:4, Interesting)
I have "Norton Internet Security" installed on this machine. It is impossible to unintstall. If you unintstall it, your internet connection will be irrepairably harmed, especially when it comes to secure pages. However, with Internet Security enabled, the internet is freeking useless.
The only solution is to load internet security and then disable it after it's running. That, or clean install the operating system.
You might think that this is an isolated problem. It's not. We routinely get support requests on our secure ecommerce sites saying "when I click on (secure link), i get a page error". Our #1 response to this is "have you recently unintstalled norton internet security?" Answer: "yes, by coiincidence i just did that this morning!"
This '12 year technology strategy consultant' wants to know what you think of her view of e-mail list buying. why don't you tell her what you think? [typepad.com]
Re:lol...crashes allready (Score:4, Interesting)
Re:I did RTFDoc (Score:5, Interesting)
I wish they would fess up and tell the truth... they are making outlook safer to use.
My unix email clients never have opened and executed a virus, as it is still stupid to allow someone to execute an attachment without forcing them to save it ti a location first.
also, have they disabled the stupid "feature" to hide file extensions? this one thing is one of the worst securtiy holes in existance.
Re:Processor support for NX flag (Score:1, Interesting)
Re:AMD grabs key security advantage (Score:2, Interesting)
So the implication is that Intel is only supporting this security feature on enterprise servers (Itanium), while AMD is supporting security on desktops and servers. Combine this with "cool and quiet" in desktop chips, like the mobile chip power saving technology, and 64 bit processing and AMD has quite a value proposition.
Re:who cares about ie blocking popups, still insec (Score:5, Interesting)
I've switched to Firebird, finally. I got sick of finding that my HOSTS file, favourites, and start page were being rewritten by malicious web pages.
On the other hand, Firebird doesn't use the MS JVM, it uses the Sun JVM, which occasionally decideds to use 99% of my system resources. It behaved the same way when I tried to use it for IE as well.
On the other, other hand (what, three hands???) I love tabbed browsing, though I haven't yet adjusted - I keep dragging the cursor towards the taskbar looking to switch processes before redirecting to the tabs.
On the fourth hand (this is getting weird) I now see the effects of all the tiny errors in my hand-coded HTML that IE was running - and a proper browser is refusing to display. I actually like that, since forcing compliant coding on me makes my work accessible to more browsers than just IE... of course since they're just vanity pages for me and the wife, it was never critical which is why the errors were never checked for before.
I'm out of hands, now.
Conspiracy or paranoia? (Score:2, Interesting)
This google search turns up a link "Commentary: Working with Microsoft to plug a big hole"
now the funny thing is that this morning the link was called "AMD grabs key security advantage" and that's also in the title bar of the page and in big caption. Interesting how that was replaced with the subtitle that downplays a big win for AMD. I had trouble even finding the link which was obvious this morning. Things that make you go 'hmm.
the new Internet Explorer Pop-up Manager (Score:2, Interesting)
Re:Processor support for NX flag, performance impa (Score:3, Interesting)
doesn't PAE mode result in significant I/O performance degradation?
No, or at least on older processors it wouldn't, I don't know much about newer processor design. This is done in hardware, and it can be done in parallel with the usual work of the processor. That means it will make the processor an insignificant bit larger, but not slower.
Meta info? (Score:5, Interesting)
Since it's in MS Office format, has anyone found any intering meta info in it yet? :-)
zRe:who cares about ie blocking popups, still insec (Score:5, Interesting)
The whole "IE is inferior because it can't block popups" charade existed only _because_ the dominant browser didn't block those. Most people were content to make their pop-ups IE only.
Now that IE has changed, let's think like one of those dishonest marketers. So you were making money serving on-load pop-ups. They no longer work. What next?
How about looking at a little detail: IE, just like Mozilla and Opera, will not block stuff resulting from a user click.
Does it give you ideas yet?
If still not: Want to bet how long until you'll see sites where all links are done with JavaScript that also opens a pop-up window? Where every single drop-down and button and link is accessible only through JavaScript, which incidentally also opens a pop-up or three?
But wait, surely people will start blocking pop-ups completely, right?
Again, let's think like a slimeball some more. Remember, the goal of this exercise is to think not like the user annoyed by those pop-ups, but like the slimeball who pushes them onto you.
He doesn't care if you're annoyed, nor how annoyed. He just wants to make a buck. That's all that matters. He's really got the same moral standards as the spammer filling your inbox with V14GR4 ads.
So in that state of mind: Hmm... what to do against those users still blocking your valuable pop-ups, even when they're triggered by a click?
Well, blimey, make the whole site unusable or crippled without pop-ups. E.g., if you have to log in or fill a form, stuff it in a pop-up window. E.g., all the links to other sites are surely best opened in a separate window, via JavaScript. (All in the name of convenience for the user, of course;) E.g., the site-map, search, articles, etc, surely are best viewed in a separate window opened through JavaScript.
So there you go. Now the whole site is unusable unless the user disables pop-up protection.
Fat lot of good did that pop-up blocking do, eh?
Re:Quick, call the cops! (Score:2, Interesting)
>DMCA violation.
I know the comment was made in jest, but you actually raised an actual technical issue. If you were to write a program that relies on some MS dll for a copyright protection scheme and the dll ends up having a serious security flaw, could you sue MS for producing software the circumvents a copyright protection scheme? Afterall, fundamentally it's the dll that's making the copyright protection scheme insecure, providing for the circumvention. An analogy might be that if a law made it illegal to make a device to circumvent a lock to get into a house. and the one major door manufacturer makes doors so fundamentally flawed that all locks attached to it are inately circumventable; doesn't that make the door a form of circumvention device?
Re:*POOOF* (Score:5, Interesting)
The rest ist not packetfiltering:
ps: Don't get the impression that i like the SP2 packetfilter - it's really inferior to professional packetfilters.
Re:lol...crashes allready (Score:4, Interesting)
Oh dear. My original post was supposed to be "tongue in cheek humour"
I've written thousands of pages of documentation in Word for my job...
If by that you mean ten or so documents of ~100 pages or so with a few pictures then yes, you will probably be ok. (Despite using a style sheet, you will probably end up with structural problems but that's another issue)
If on the other hand, you had written a "thousand page document", including a couple of hundred graphs, tables few hundred bibliographic entries, equations and cross refereces all with a rigourously inforced style (otherwise known as a large book) then I would sit up and take notice.
The basic issue appears to be memory limitation. On a 256MB machine once you get beyond about 200 pages with ~100 equations or so you will start getting "issues" with Word (based on a friends thesis).
Can't comment on the XP version but this is on Word 2000. In a similar manner to the original parent post (regarding Wordpad crashing) memory "issues" should result in a nice friendly error message telling you to "buy more memory" [*] rather than a resulting cataclismic failure.
These days, 99% of people dumping Word for Latex are either doing it for political reasons...
Is this the result of a long process of statistical testing; or like 80% of all statistics did you just make it up on the spot? [*]
And no, I don't have to write mathematical formuals very often, so Word suffices.
Good for you. If you did have to write equations often (several hundred or so) then you would see what I mean.
------
[*] Yes this is supposed to be moderate cheesy humour.
Re:Um, no (pleeeeeease) (Score:2, Interesting)
So what if IE crashes on its own? Will it please please please allow me to uninstall it?
Some thoughts on this stuff (Score:5, Interesting)
Especially things like "by default, only local machines can talk to the windows network messenger (a.k.a. winpopup), windows file sharing and etc ports".
But, its still not a good substitute for a server-based firewall solution (e.g. a linux box with ipchains/iptables) or for a firewall box like the "firewall+DSL modem+router+switch/hub+nat+etc boxes" that are popular with home broadband networks.
Execution Protection is a good feature, I am surprised that intel didnt add support for marking pages as "execuatble" or "not execuatble" way back when with the 386,486, pentium or whatever.
Given the number of Internet Explorer addons in the lists of Spyware programs like Ad-Aware and Spybot Search & Destroy, the Add-on Manager is something thats long overdue. This should at least prevent those who are clued up enough to check it once in awhile from being hit with Spyware addons.
As for the Java stuff, I think the best thing would be for MS to modify all future operating systems and service packs to completly remove the MSJVM if it is present and to install the sun Java VM instead (I expect that as long as they were shipping it unmodified and shipping as recent a version as possible, sun would just love this)
The MSJVM is a piece of garbage that should disappear for good, along with any lame-braned sites/content/software designed to work with it and only with it.
Now, the MIME type handling stuff.
IMO, the best solution is for IE to completly ignore the file extention and contents if it has a MIME type.
Basicly, if it gets a MIME type, it uses that and ignore both the extention and the content. If it doesnt have a MIME type (e.g. local disk file or FTP server, it should use the extention only and ignore the content).
If the MIME type it has is for something like text/plain or image/png or text/html or something else that IE can handle, it should handle it.
If the MIME type is one for which a system program has regisered itself (for example, ms word could register itself for application/x-msword-document), it gets handed off to that.
Otherwise, windows will display a dialog box asking the user to select from:
1.open with the application registered to handle the extention passed in (for example, if its a
2.open with an application of the users choice.
or 3.save to disk
With an option to save this as the default action for this file extention (and the case of no mime type) and a way to remove that "save as default" and re-specify later on, this would be the ideal solution. Plus, unlike what the MS proposal says, it would actually force web-servers to do away with the "send text/plain as default for anything we dont understand" features and configuractions. The right response (IMO, I havent read the RFCs or anything) is to send no MIME type at all for files that you dont have a specific MIME type for.
As for pop-up manager, here is what MS should do:
1.turn off any features in HTML that allows the changing of the "z-order" of windows (e.g. to make a window move to the back like with a pop-under)
and 2.turn the pop-up blocker on by default
But personally, I think the fault lies with the idiot that invented window.open() in the first place. What legitimate use is there for being able to open a new browser window in this maner?
Many web-sites use links that use the TARGET attribute of the tag to create a new window with content in it and thats pefectly fine.
The only uses for window.open() that I know of are:
1.popups, popunders
Re:*POOOF* (Score:5, Interesting)
Pop-up ad blocking, Banner ad blocking, Cookie control, Policies for pop-ups, scripting, ActiveX and so on handled on a per-site basis - content-filtering transparent http proxy (hint: use a more secure browser instead)
Ran into this one when a friend tried to check out my online photo gallery while using Norton "Firewall". Norton happily disabled all Javascript on the page because it apparently didn't like my DHTML.
In my opinion, a "Firewall" has no business interpreting HTML and Javascript. Norton should be taken to task for this, else we risk creating defacto standards.
Execution Protection vs PROT_EXEC on noexec mounts (Score:4, Interesting)
Re:Meh (Score:4, Interesting)
I work at a custom shop and we don't patch anything either - DUR - we install XP SP1 OEM. I'm sure we'll be using XP SP2 OEM discs before too long.
MS: starting to shape up! (Score:3, Interesting)
Perhaps there is some remote code that manipulates pixels on your screen to subliminally flash messages to you thus making you relinquish your spiritual ownership and connection to your soul. You are now one of them.
Re:I did RTFDoc (Score:2, Interesting)
Disclaimer: I absolutly HATE Outlook and Exchange...
But in the defense of MS (yikes) they have managed to cobble together enough bandaid fixes to make Outlook rather sane. In this day and age downloading stuff before you run it simply isn't enough. Of the three near virus problems I've had on the network, people downloaded something that was from someone they didn't know, didn't even have a double extension, and was labeled something suspicous ("sexyfun.exe"? If that doesn't scream virus, I don't know what does).
With the latest update of Outlook 2000, & Exchange 2000 MS simply crippled ALL "dangerous" file formats. At first I was going to re-enable them but thinking about it, I decided not to. There is no reason to send an exe file directly through email, and if you do wrap it in a zip file and save some bandwidth while you're at it.
Obviously if I didn't have to use exchange for mail I could easily filter mail at the server, but I have to work with what I've got. MS has at least taken some steps in the right direction (although it's still not a substitute for designing something with security in mind).
Re:lol...crashes allready (Score:3, Interesting)
LaTex is much more structured; and to be honest, if you've ever done any sort of programming, it's a dead ringer for use in making any large, multipage document. And it's free, open-source,... all that goodness.
Re:How Microsoft thinks about security, in a nutsh (Score:4, Interesting)
Also, keep in mind that having a running firewall is going to break a lot of apps and cause a lot of pain. I predict the number of calls to MS phone support (and to XYZ company's phone support) will explode after this service pack rolls out.
Suddenly gamers won't be able to host multiplayer games, for one. People's distributed file sharing clients won't let them share anything. etc...
I suspect that this anticipated user pain is the reason the ICF was not on by default at XP ship time.
MOD PARENT UP PLEASE (Score:2, Interesting)