Microsoft Delays Windows XP Service Pack 2

Rinisari writes "DesignTechnica, among some others , explains that Microsoft has once again delayed its release of Service Pack 2 for Windows XP, though only until August. Microsoft has declined to comment on the reason for the delay. Windows Update v5, however, is online and operational (and works with Service Pack 1!), although not officially so. I know many smaller education institutions are chomping at the bit with the looming release, as they are worried about compatibility with some of the new features in Service Pack 2."

Good on them

[Sean80]

I, at least, say good on them for delaying the release if it means they can better deliver on some of the promises which they've made about this pack.

If nothing else, at least Microsoft is trying much, much harder at security nowadays.

Re:Windows Update v5?

[stinkyfingers]

Uh, why would it work with Firefox?

rolling delays

[to_kallon]

though only until August

correct me if i'm wrong, but i believe the original release was scheduled for june. when june came it got delayed until only july. now that we're in july it's been delayed just one more month....riiiight.
i for one will not be surprised to see it delayed until september next month. and who knows? maybe october after that....?

Bug time

[Metteyya]

As I understood, it means that a bulk of IE users (the ones that don't download small "security updates", but only full SPs) will be vulnerable to well-known bug till (hopefully) August?

Well, now that just shouldn't even be compared to Mozilla's bugfixes.
(because who would be able to compare 24 hours with 24 days and not laugh to death?)

Delays

[k4_pacific]

Hey, this means that Longhorn would likely get pushed back as well (if it ships at all). This gives us an extra month to make Linux a mainstream desktop OS before the NGSCB DRM (the RIAA's wet dream) ensures Microsoft forevermore. Hurry people!!

Re:Bug time

[Loligo]

>a bulk of IE users (the ones that don't download
>small "security updates", but only full SPs) ...

>... that just shouldn't even be compared to
>Mozilla's bugfixes. (because who would be able to
>compare 24 hours with 24 days and not laugh to
>death?)

Lemme make sure I got this right. A "bulk of IE users" don't download small security updates, but you think they'd get small security updates for Mozilla?

24 hour bugfixes are irrelevant to "a bulk of users" if they can't be bothered to download and install them, as you claim.

-l

Umm Duyoyoyoy

[stratjakt]

"I'm afraid now, I have somehow missed this message," says a Windows developer who asked not to be named. "Was it buried in too many marketing messages? Was it dependent on me searching it out?"

Was it SO OBVIOUS that you even had to be specifically told to test your apps on a new version of their target platform?

No news here. Next hot tip, some stuff may not work with the latest kernel image from linus and the gang.

NT4 Service Packs

[Webmoth]

Personally, since Microsoft doesn't seem to be releasing any more updates for NT4, I'd sure like to see them put out a Service Pack 7 so I don't have to go thru the steps SP6a - Post 6a SRP - Windows Updates every time I have to install a new component on an old NT4 system.

Re:Bug time

[tesmako]

I don't quite follow you at all, you first claim that people don't bother to download the fixes, then you appear to make fun of Microsoft for getting the fixes out later than Mozilla. Would seem that it does not matter one bit how fast you are fixing things if no one downloads the fixes anyway.

Re:Good on them

[Eberlin]

To paraphrase Lewis Black (referring to airport security) -- slower doesn't necessarily mean safer. Promises that don't get delivered don't mean much. Maybe they're perfecting it, or maybe they're sneaking features in...we don't really know.

How hard Microsoft is trying when it comes to security is strictly implied. Unfortunately, most should have EXPECTED it of them to begin with. "Trustworthy Computing" is primarily a marketing response...with technical consequences.

Re:Ok, so where to get new keys?

[DaHat]

Last I checked /. was not about software piracy, please take your warezing rear elsewhere or by a legit copy with a legit key.

Re:Maybe a Sensible Move...

[chris_mahan]

There is also the possibility that microsoft is having a hard time dealing with fixing all the vulnerabilities.

I wonder to what extent they find that fixing one vulnerability just break, and I mean mangles horribly, some functionality in Excel or Word that everybody has to have (like VBA or sum'thin).

It's like the domines are falling at microsoft, and that they are starting to realize that a rewrite from the ground up does not look to bad (at least you can start with a sound concept).

Of course, I doubt they could pull that off, so the next couple years are going to be really interesting.

Re:invalid product keys...

[superpulpsicle]

In 2002 - product activation was the biggest punishment I have ever seen for a paid customer

In 2003 - security and hotfix galore

In 2004 - SP2 compatibility problems and more browser disaster.

In 2005 - ???

SP5 worth it for criitcal update roll-up alone

[swb]

SP5 would be worth it simply for rolling up all the critical updates and Sp4 into a single executable. This would allow machines to be setup and patched offline and not worry about as many network-level vulnerabilities, as well as taking a lot of the patching burden off of needing a relatively high speed internet connection.

I've always wondered why MS didn't produce minor-version service packs (eg, 4.24) that included the last major service pack plus critical updates released since then as a single EXE. Since SPs essentially unpack and run an executable, you'd think it wouldn't be too hard to mod that system to produce SP+hotfix rollups.

Am I reading that right?

[bl8n8r]

"...online and operational (and works with Service Pack 1!).."

One would think this should be a requirement, it reads like more of a bonus.

Just more hoops?

[ps_inkling]

From the MSDN article:

When an application that needs to listen on a port or ports is being installed by an administrator, it will need to ask the user if he/she wants to allow the application to open ports in the firewall. If the user consents to this, then the application should use the INetFwV4AuthorizedApplication API to add itself to the AuthorizedApplications collection as enabled. If the user does not consent, then the application should use the INetFwV4AuthorizedApplication API to add itself to the AuthorizedApplications collection as disabled.

So, our spyware now is supposed to ask politely whether it can install itself as an AuthorizedApplication? Yeah, that's gonna work. For older spyware, it won't know to install; newer spyware will just make the API call automatically.

Last I checked, the problem wasn't whether I had permission to use RPC, it was a buffer overflow in the service that caused the exploit. It didn't matter whether or not I had permission to use RPC -- the mere act of sending a (malformed) packet to the service resulted in an crashed (or compromised) operating system.

All of the patches only serve to hide the RPC port unless it is in use. In fact, it makes any remote RPC applications much harder to deploy.

Maybe they're hoping that the NX extensions will imit to vulnerability of the buffer overflow exploit -- if you're using a processor which supports NX extensions...

I'll still install it, just for the popup and ActiveX blocking capabilities. But I have no illusions it will fix any of the other problems.

windows update V5.

[OneArmedMan]

Uh-oh

*snip*

Windows Update cannot continue because a required service application is disabled. Windows Update requires the following services:
Automatic Updates enables detection, downloading, and installation of critical updates for your computer.
Background Intelligent Transfer Service (BITS) enables faster, restartable downloading of updates.
Event Log logs Windows Update events for troubleshooting. To ensure that these services are enabled:
*snap*

so much for turning off services that you dont want and running things manually ...

Microsoft Crap....

[Run4yourlives]

Try updating and not rebooting right away... you can't get rid of the Icon on the systray... and every five minutes or so it'll nag you to reboot.

Fucking POS.

Dear Microsoft...

[SamMichaels]

After reading about XP SP2 and Windows Update v5 on Slashdot, I had a chance to play around with them. While I'm impressed at both the operating system and the updater as of late, I have to be honest and say you've failed to address the number one problem plaguing the computer industry: ignorance.

The average Joe--your primary customer--doesn't know about Windows Update. This person doesn't know about service packs. This person doesn't care to know. In fact, when you tell this person about how critical these updates are, the average Joe is going to say "I don't care."

I've been in the industry for quite some time. I've tried to explain it using jargon...using layman's terms...using fruity Powerpuff Girls language...EVERYTHING. The end user--soccer mom and Grandpa--just don't care. They don't see the importance of updates to software.

Maybe what they need is a scare tactic? YOU, Microsoft, tell them that they are a liability on the Internet. Their documents, taxes, pictures, money, passwords, et al are vulnerable to theft. Their machines are turned into zombies which wreak havoc on innocent Net users....use the new buzz word terrorism as it will get their attention. Nah...they won't listen after 6 months again.

Is the answer to cripple the operating system unless it phones home regularly? Was this part of the original plan when XP dialed home? Nah...won't work. You have millions of XP installations out there already which do not even have updates from 2001....there's no way those users will even think about updating to enable a mandatory update.

Remember this for your next Longhorn meeting.

Re:invalid product keys...

[Dun Malg]

In the years I've been running XP, the product activation has caused me _zero_ difficulty, and that's on home-built hardware that's been upgraded and changed quite a bit over the years.

I've had nothing but trouble with mine, but I change my hardware configuration the way some people change their underpants.After my second activation was invalidated by changing my network card and video card, I decided I'd had enough. I've been running RESET5 to keep my install perpetually in it's 30 day grace period.

Re:What about Windows 2000 (Service pack 5?)

[quantaman]

It is always embarrassing when you have to compete against your own products.

Microsoft are sort-of obliged to keep rolling out security fixes for 2K, but is a popup blocker a fix or a feature? They surely would love to have a lever to get us all moved onto XP.

Here we see one of the major disadvantages of monopolies, when your biggest competition is from your previous released it becomes very tempting to hold back on things like popup blocking and all these fixes for IE from current releases to save them for a future release. If it wasn't for mozilla suddenly becoming a threat I'm sure we wouldn't of seen these fixes to IE until Longhorn, no matter how bad it got, in fact the worse it got the better because that's simply a motivation to buy the new product. Now they have to try it earlier than they want and put it in XP because of competition from Mozilla but I'm sure we're not going to see these fixes backported to previous versions of windows, it would take away to incentive to upgrade.

Re:Cannot validate the product key

[vsprintf]

Hmmm, I guess MS has decided to take a little (read: tiny) more aggressive stance towards piracy, no more automagic updates for you.

When you think about it though, what good does it do MS? These days malware doesn't format your drive and pop up a box saying, "Ha ha. Yer a victem of DorkLord Seth." It uses the box to attack other Windows boxes (and generally cause grief for the rest of the computing world).

If they think denying patches to pirates is anything except self-defeating, they are mistaken. While what remains of their reputation is taking a beating, Microsoft's best policy would be to keep every Windows box as secure as possible - no matter what its legal status. If they want the BSA to go take some names later, well that's their business.

Re:Maybe a Sensible Move...

[FuzzyBad-Mofo]

It's a fairly well-known strategy to hype a product well before it's introduction in order to prevent a competitor from gaining ground. I don't think SP2 has been delayed at all, Microsoft's project planners would have to be completely incompetant to have delayed the patch for so long without a good reason. No, they want to string people along with the promise of a miracle cure-all for as long as possible.

Having trouble with popups? SP2 is coming soon! Need more security? SP2!! Want your computer to wash the dishes and feed the dog too? Good news, SP2!!

Re:Microsoft Crap....

[Keeper]

Yeah, because there is nothing better than patching a critical vulnerability on your computer and not having it take effect for 2 weeks because you didn't reboot your computer ...

Re:invalid product keys...

[ostiguy]

Yeah, i have not had any trouble with it at home or work.

home: xp pro license obtained thru a ms marketing package that cost my 39.99. i had it installed on a via based athlon mobo, i just having decommissioned that box, installed it on a sis based p4 mobo. activated cleanly.

work: no issues with machines that have been reimaged. we run the oem xp pro license, cuz software assurance for the client pcs was going to kick our brains in.

all in all, it is not as bad as i had feared.

ostiguy

Re:Ok, so where to get new keys?

[0x0d0a]

Last I checked /. was not about software piracy, please take your warezing rear elsewhere or by a legit copy with a legit key.

Not correct. Slashdot is mostly general tech discussion, and folks interested in pirating software can provide discussion just as interesting as folks interested in designing copy prevention stuff.

Personally, I find it a little offensive whenever someone tells either of them to shove off ("Don't talk about piracy here" or "DRM sucks, shove off"). I'd rather not try to suppress discussion.

Re:[ot] windows update, without IE?

[mabinogi]

You know, their machine isn't going to spontaneously combust if they use IE to go to Windows Update...

You do realise that, don't you?

If they've connected a Windows Machine to the internet, then they've already exposed themselves to 99.9% of anything they're likely to get, regardless of what browser they use. Firefox just means they wont get ActiveX stuff and probably wont get popups.

But I hardly think pointing IE at Windows Update is suddenly going to install porn autodialers and flood them with popups.

Re:invalid product keys...

[Tenareth]

At any point I have to use a phone to make a product I paid for work, it's completely broken.