Last Words On Service Pack 2

thejoelpatrol writes "So did Slashdotters call this one? Windows XP SP2 seems not to be so secure after all. A Register reporter goes in depth to find out just how safe a fresh install is. He provides a list of which dangerous ports are left open and which services are left on by default. I guess now we know why Microsoft's security timetable is 10 years." Reader ack154 writes "ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6 GHz down to 300 MHz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the meantime there has been a fix posted on Dell's forums, which rolls back the processor driver." Marxist Hacker 42 writes "Amid complaints of too much XP Service Pack 2 coverage on ZDNet, David Berlind writes that Service Pack 2 deserved the scrutiny it got, and charges that it failed to live up to Gates' Trusted Computing Initiative." Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
  • by gordgekko ( 574109 ) on Friday September 03, 2004 @06:57PM (#10154019) Homepage
    This is why I didn't bother. My XP Pro with SP1 is protected with a firewall, updated virus scanner and Spybot S&D's inoculator. Running Firefox and Thunderbird and anti-spam software doesn't hurt as well.

    I might add that the free/OSS I have protecting my machine weighs in considerably less in terms of combined file size than does SP2.

  • by SoCalChris ( 573049 ) on Friday September 03, 2004 @07:00PM (#10154044) Journal
    I haven't had ANY decrease in performance. I have had a lot more stability with wireless networking now though.
  • by Trailer Trash ( 60756 ) on Friday September 03, 2004 @07:00PM (#10154046) Homepage

    David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative.

    Okay, Mr. Berlind, did you actually fall for that and now you're surprised?

  • by sparks ( 7204 ) <`moc.silibateal' `ta' `drofwarca'> on Friday September 03, 2004 @07:01PM (#10154056) Homepage
    Yes, perhaps there are things that could have been done better in SP2, but the simple act of filtering inbound connections is a massive step forward in security for Windows users.

    I say it's a "massive step forward" because there are literally MILLIONS of windows machines which are never updated, don't run any firewall software, and which are directly connected to broadband ISPs. The people running these boxes truthfully don't know what they're doing in these matters.

    Right now, those people have NOTHING. Now at least they will have something, albeit limited. This is a major improvement. Even the old XP internet connection firewall, if it had only been enabled by default, would have prevented Blaster from ever happening.

    Of course there are some questionable exceptions in the new firewall default configuration, and no doubt the next generation of worms will take advantage of those - but at least the bar has been raised a little higher.

  • by 3seas ( 184403 ) on Friday September 03, 2004 @07:06PM (#10154089) Homepage Journal
    .... The MS mindset of making people need them has resulted in a widely integrated manifestation of the user frustration function in their software.

    It's this same manifestation of the application of doing things in software to "make people need them" that is causing all the security problems.

    This security problem is not fixable by the mindset that caused it.

    It's like an alcoholic or drug abuser: their mind is geared towards supporting the continuation of its vice. What I call a "self-supporting dependency". And under such conditions, as those who have admitted it and sought help know, you have to have external help in order to be led out of the blindness of the self-supporting mindset.

    Who's helping MS??? If anyone can?
  • by halowolf ( 692775 ) on Friday September 03, 2004 @07:23PM (#10154222)
    My XP Pro is protected like yours as well. But I did do the upgrade and didn't suffer many negative effects. I had to turn off the firewall and a few unneeded services that were activated but all in all it wasn't a particularly traumatic experience.

    The biggest problem I had was trying to actually get the update through Windows Update. I did set Windows Update to automatically download it (but not install) but that didn't work for 3 whole days after SP2 had been released. So I tried to use Windows Update manually but the Windows Update site was so busy that I was told that I couldn't download it and would have to try again later. That amused me no end for some reason. All in all Windows Update reported I needed 75 MB of patches, instead downloaded 111 MB of patches, turned on a crappy firewall and some services that were not worth running.

    However I know what I'm doing when it comes to maintaining my Windows box. I have a Linux box too so don't bother telling me to go use Linux instead :)

  • by Junior J. Junior III ( 192702 ) on Friday September 03, 2004 @07:24PM (#10154227) Homepage
    Well, there's that bit where, at the login screen, if I don't have an account on the system, I can get root access by hitting Esc...
  • by Flower ( 31351 ) on Friday September 03, 2004 @07:30PM (#10154275) Homepage
    Do it yourself.

    That isn't feasible. The mass majority of users out there are not going to have the time to become security aware. The curve to getting there is too steep and requires devoting too much time. Somehow, systems out there will have to be redone to have a secure foundation and security measures, like patching, will require automation. This is as true for a corporate system as it is for a home system.

  • by JebusIsLord ( 566856 ) on Friday September 03, 2004 @07:35PM (#10154308)
    Among this guy's ridiculous suggestions, he says users at home have no need for DNS and DHCP client services to be running. How in holy hell are people supposed to get on the net??

    I can't believe they published this bullshit.
  • Slowed Down? (Score:3, Interesting)

    by Jon.Laslow ( 809215 ) on Friday September 03, 2004 @07:38PM (#10154336) Homepage Journal
    I'm currently running on a Toshiba Tecra 8100 (500 MHz, 192 MB RAM), and after slipstreaming SP2 on to my Windows CD and doing a clean install it's running faster than ever. On SP1 I had to turn off all of the visual options (drop shadows, ClearType, Themes, etc...) or the thing would run at a crawl. Now I can have everything on and use custom themes without any slowdown.
  • Re:any time now... (Score:4, Interesting)

    by dncsky1530 ( 711564 ) on Friday September 03, 2004 @07:43PM (#10154363) Homepage
    Just watching Generation 'e' on NBC and a senior researcher from Gartner expects people to be using Windows XP well into 2010. I was surprised how he also offered no notable reason to upgrade to Longhorn, simply quoting the features that would also be available for XP. It seems that MS's new pitch may be just 'it's more secure' and for most people that's not worth the big bucks.
  • Ok, so... (Score:5, Interesting)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Friday September 03, 2004 @07:44PM (#10154371) Homepage Journal
    The fix is broken on computers that have already been compromised. Which is probably a fair number of them. This bothers me.


    Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.


    Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.


    What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.


    A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.


    It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.


    Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.


    The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.


    If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)


    It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.


    It's no use Microsoft whining that customers should clean their computers first. That would be like McAfee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?


    The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.

  • Re:WinXP happiness (Score:2, Interesting)

    by dzarn ( 760066 ) <dzarn+slashdot@nOSPam.amovita.net> on Friday September 03, 2004 @07:48PM (#10154394)
    That's not SP2. RDC is off by default in XP, when you turn it on, the firewall opens its port (3389). Just because your admins can't use Group Policy to turn off RDC across the domain doesn't mean SP2 inherently sucks.


    his account was magically created on my system and the default policy was to allow him the access to modify all the files on MY HD

    DUH. That's the whole purpose of a domain - he logs on with an AD UN, he gets the same permissions on whatever machine. Again, your admins should be using permissions to provide you with protected storage on a central server, NOT on your machine. If you want stuff stored on your machine, safely, then set up your own damn permissions.
  • by jazzman75 ( 637691 ) on Friday September 03, 2004 @08:18PM (#10154585)
    The problems with this service pack are much more complex than what most people and the media are making them. I don't think anyone will disagree that Microsoft has a huge user base, or that they have some flaws in their software.

    Implementing major security upgrades, a very necessary thing to do, comes with difficulties. The main problem is trying not to cause problems with too many other applications; else MS would have more issues to deal with. The trick is to balance the fixes with their effect on applications and corporate network configurations where questionable Windows services are most commonly utilized.

    Don't get me wrong, I am not trying to defend MS. But I think people need to see that problem this big can only be fixed in stages, else it will create so many problems that no one will install it. The 10% rate of SP2 problems recently cited is a very acceptable rate overall. Had MS locked much more down, we'd most likely be seeing problem rates closer to 50%.

    I think we can all think of at least one past experience with a flawed application where the manufacturer went too far and basically destroyed their user base thanks to a fix or update. MS is not going to do that. In addition, end users have to take responsibility for implementing known measures to ensure their system is as secure/virus free as possible. I recently read an article I concur with based on years of working with end users. The article stated that a very high percentage of users do not bother to keep their virus scanners up to date. In addition, at least one company has made a good firewall available for end users to use FREE for one year. Microsoft has had a link to that software for quite some time now. If a user is not doing the minimum known procedures to keep their system secured and virus free, they have no one to blame beside themselves.

    Give it time. As Windows grows up, is fixed further, it will slowly become a secure product. The only part of Windows that I'd say is an unfixable mess is IE, and there are known, easy to obtain alternatives. One can do a lot to plug the security holes now, but they have to get over blaming MS for the problem and take responsibility for their system(s).

    Ok, this concludes my rant. Let the flames begin. ;)
  • by Zebra_X ( 13249 ) on Friday September 03, 2004 @08:20PM (#10154602)
    The Register generally has very witty and sharp commentary surrounding many facets of the computing industry. Their review of SP2 however, lacked a reasonable level of objectivity.

    The first section of the article goes on to explain how a number of services are left on that "shouldn't be". This is for the most part a subjective rant about services that have traditionally been a source of system compromise. The "Hate On Microsoft" stick was made apparent when the author went so far as to proclaim that the DHCP client service and DNS client service should be off by default, "DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default. "DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default." that wouldn't be a very useful computer would it? How about hitting up google for an answer to "Why can't I check my mail, browse the web, or do ANYTHING online?" - oh, wait...

    Among some of the old favorites that were left on, file and print services made the list. That would be pretty bogus if the system's firewall wasn't turned on by default:

    "The new "Windows Firewall" packet filter is turned on by default, finally. However, an exception for Remote Assistance connections is enabled, which is preposterous, although file and printer sharing, and UPnP, are blocked by the firewall as they should be."

    Since it's firewalled, it's a non-issue. In fact, most of the article is written as if the system's firewall is not installed. Remote assistance is referenced in almost all of the help documents; it would be a pretty bad user experience if you wanted help - but couldn't get it. As far as I can tell there has been no exploit based on this service since the introduction of XP.

    Generally speaking unused services should be turned off. The only reasonable way to address this would have been yet another wizard that would ask the user how they use the computer and set service settings accordingly. However, the question is "Is SP2 remotely exploitable out of the box? More to the point, is it secure from a network perspective, now and into the future?" The answer to that question is generally yes. Unless there is a nasty buffer overflow of some kind in the firewall (one hasn't been found, not to say it won't be) an SP2 box is pretty safe on the network.

    Wasn't that the point of SP2?

    When evaluating the effectiveness of SP2 the net result needs to be evaluated. Many critics have evaluated the implementation. A lot of people might NOT AGREE with File sharing, RPC, Remote Assistance, or any number of the other services being on by default for that matter, but does it matter from an exploitability perspective? Only if that port is available for remote exploitation -- which is not the case.

    Network issues aside, IE and the shell both do a good job of throwing up warning dialogs when the user is about to run an executable. There is also the "Data Execution Prevention" feature that detects when "data" is trying to execute as a program, though for it to work well the hardware has to support non-executable memory regions. Only time will tell how well those measures aid in stopping the propagation of worms.
  • by Spoing ( 152917 ) on Friday September 03, 2004 @08:33PM (#10154658) Homepage
    This is a defect I noticed a few hours ago;

    1. Boot up the system and go into an account with admin-level access.
    2. Give that admin-level account a password of "password".
    3. Leave the system alone till the screensaver kicks in or intentionally 'switch users'.
    4. At the login screen, select the admin-level account. It will ask for a password now.
    5. Enter in "password" for the password.
    6. The login dialog reports that "password" is an incorrect password.
    7. (Consider getting out that Knoppix linux boot CD and resetting the password to null. Skip that idea for now.)
    8. Select one of the non-admin, not password protected, user accounts to switch to.
    9. The non-admin account comes up fine.
    10. From the non-admin account, switch users and select the admin-level account.
    11. Enter in "password" for the password.
    12. The login dialog accepts "password" and switches to the admin-level desktop.

    This is odd. Now, repeat the steps again *after* switching the password from "password" to "test". The results? The login dialog does not report that "test" is an invalid password.

    While I am not doing any more debugging of XP for Microsoft (a detail or two might not be 100% correct), what I have seen is enough to make me wince. Microsoft did not test this one well enough.

    Note: It may be necessary to have a program running in the admin account to trip up this bug.

  • Re:Interesting... (Score:3, Interesting)

    by value_added ( 719364 ) on Friday September 03, 2004 @08:53PM (#10154745)
    Someone can correct me if I'm wrong, but I believe that unless you're participating in an AD domain, you can indeed disable the DNS client service and still be able to resolve names. You'll lose caching of course, so name resolution will be a bit slower.

  • Blame (Score:3, Interesting)

    by glass_window ( 207262 ) on Friday September 03, 2004 @08:56PM (#10154761)
    And it isn't the stupid^^^dents fault for getting spyware onto their computer in the first place, let alone ensuring it gets removed when it is? It's not like it's a regular thing to have on a well-kept computer. I have a laptop running XP that has yet to see anything that doesn't belong on it (except MS messenger, but that was before I even got ahold of it, didn't take long to remove it). My wife has a win95 box that is basically on an open broadband connection and as long as it's not left on, I might find myself removing malicious files off of it every two months or so, it's not hard to ctrl+alt+del and make sure you recognize what's running and find a way to kill anything that shouldn't be. Maybe they should make this a lesson in the freshman 101 class or the computer 101 class that nearly every college/university requires?
  • by jabels ( 758273 ) on Friday September 03, 2004 @10:06PM (#10155053)
    * NetBIOS name service, port 137. This is the WINS (Windows Internet Naming Service) server for a NetBIOS network, and unnecessary on home machines.
    This service is off by default in SP2. Believe me on this one, NetBIOS name is a primary source of information for my job, and it's going away slowly as we roll out SP2.
    * Error Reporting is on by default. However, there is no reason why a machine should phone home every time it encounters an error. This is better left disabled.
    No, this is not better left disabled. Ask the mozilla team how "useless" crash reports are. Automatic crash reporting can very quickly tell a software vendor where crash trends are occurring.
    * Automatic Update is off by default. Microsoft would very much like everyone to enable it, and now urges users to do so every time Windows Update is run manually; but it is never a good idea to let a third party decide what software should be installed on your machine, or when. This service should remain off, and users should update Windows manually, though regularly, paying attention to the various update options and their relevance to one's system.
    Wasn't this the selling point of SP2? In every SP2 I've seen, this is on by default. This was the same idiotic argument trotted out when XP was first released, and we all saw how effective manual updates are. Remember Blaster? Someone should take this idiot out and shoot him... with a rusty gun. If you don't want software installed automatically, fine. Turn off automatic updates. But the idiotic masses MUST have it!

    If the past year has proven nothing else, it's that we can't afford to let the Windows masses have control over their own machines. The paranoid rants of a few slashdotters gave us Blaster, and I really don't think they can be forgiven for that.

  • Re:What crap (Score:1, Interesting)

    by Anonymous Coward on Friday September 03, 2004 @11:31PM (#10155487)
    He also whines about these network drivers being installed:
    Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler

    But perhaps he assumes everyone has one and only one PC in their home and has no wish to share files between them (yeah right).


    No, I think he is quite correct on this one. I recently installed win2k for a client of mine with cable access. She took the standard package from the cable company which included a cable modem/router which was delivered with the internal firewall disabled! I spent an entertaining hour looking at all the shared drives on her local cable segment.

    This was just stupidity on Microsoft's part. No way should shared drives and printers have been mapped to the Internet. They then compounded the stupidity with the hidden shares that NT (and 2k and XP) puts in place automatically. Before they deprecated NetBEUI, I used to bind file and print sharing exclusively to that protocol and deliberately not bind it to TCP/IP. NetBEUI couldn't be IP'd.

    I maintain a lot of home computers in my area. The norm is still one computer per household with a dial-up connection. Lately I am seeing more DSL and cable hook-ups but the majority is still dial-up. They do not need nor should they have file and print sharing enabled by default!
  • by Anonymous Coward on Saturday September 04, 2004 @01:05AM (#10155864)
    This guy missed out the most important feature of SP2: the buffer overflow protection being compiled into all system services.

    There are always going to be new buffer overflows found. What SP2 will do is make these unexploitable. If this sort of protection was in XP previously the vulnerability blaster used would not have worked even with the same coding mistake that resulted in an overflow.

    I suspect the author would only have been happy if Microsoft had gotten rid of every networking feature of the OS. SP2, while not providing the super secure magic bullet which the commentators want, definitely raises the bar greatly for a default configured workstation.
  • Port 445 (Score:3, Interesting)

    by Vlad_the_Inhaler ( 32958 ) on Saturday September 04, 2004 @05:17AM (#10156467)
    The thing that amazes me is that Port 445 has apparently been left open. Switching over to my Firewall screen shows that I block a 445 scan every 10 seconds on average. It is not just one or two IP-Addresses which try it, each Source Address will try 3 times and then move on.
    Two machines a minute are saying 'Hello' on 445, 95% of my scans are on that Port and it has been left open. Sheesh.

    The other unblocked Port where I often saw scans is 135, but the frequency there has dropped almost to zero recently.
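The figures in the comment above (a 445 probe every ten seconds, three tries per source, most drops on one port) can be pulled straight out of the Windows Firewall text log rather than read off the GUI. What follows is an added example in Python, not code from the page or from Microsoft. The log lines are constructed, and the column layout is taken from the "#Fields:" header that Windows Firewall writes at the top of pfirewall.log; the parser reads the names from that header instead of assuming fixed positions, so it also copes with later versions that add columns.

```python
"""Summarise dropped inbound probes from a Windows Firewall (pfirewall.log)
text log: drops per (protocol, port), repeat attempts per source, and the
mean gap between probes on one port.

Added example, not from the page. SAMPLE_LOG is constructed; the field
names come from the '#Fields:' header line the firewall writes, which
parse_log() reads instead of assuming fixed column positions."""
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-09-04 05:17:01 DROP TCP 203.0.113.7 192.168.1.5 3302 445 48 S 1889123456 0 65535 - - -
2004-09-04 05:17:04 DROP TCP 203.0.113.7 192.168.1.5 3302 445 48 S 1889123456 0 65535 - - -
2004-09-04 05:17:10 DROP TCP 203.0.113.7 192.168.1.5 3302 445 48 S 1889123456 0 65535 - - -
2004-09-04 05:17:12 DROP TCP 198.51.100.23 192.168.1.5 4011 445 48 S 77123 0 16384 - - -
2004-09-04 05:17:15 DROP TCP 198.51.100.23 192.168.1.5 4011 445 48 S 77123 0 16384 - - -
2004-09-04 05:17:21 DROP TCP 198.51.100.23 192.168.1.5 4011 445 48 S 77123 0 16384 - - -
2004-09-04 05:17:30 DROP TCP 198.51.100.99 192.168.1.5 1337 135 48 S 55 0 8192 - - -
2004-09-04 05:17:31 DROP UDP 198.51.100.50 192.168.1.5 1026 1026 404 - - - - - - -
2004-09-04 05:17:40 OPEN TCP 192.168.1.5 192.0.2.10 1054 80 - - - - - - - -
"""


def parse_log(text):
    """Turn the log into a list of dicts keyed by the names in '#Fields:'."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line seen before the #Fields: header")
        values = line.split()
        values += ["-"] * (len(fields) - len(values))  # pad short lines
        records.append(dict(zip(fields, values)))
    return records


def _dst_port(rec):
    """Destination port as int, or None for ICMP and other portless lines."""
    return int(rec["dst-port"]) if rec["dst-port"].isdigit() else None


def _drops_on(records, proto, port):
    return [r for r in records
            if r["action"] == "DROP" and r["protocol"] == proto
            and _dst_port(r) == port]


def drops_by_port(records):
    """Counter of (protocol, dst-port) -> number of DROP lines."""
    return Counter((r["protocol"], _dst_port(r))
                   for r in records if r["action"] == "DROP")


def attempts_per_source(records, port=445, proto="TCP"):
    """How many times each source IP hit the port before moving on."""
    return Counter(r["src-ip"] for r in _drops_on(records, proto, port))


def mean_probe_interval(records, port=445, proto="TCP"):
    """Average seconds between consecutive dropped probes on the port."""
    stamps = sorted(datetime.strptime(r["date"] + " " + r["time"],
                                      "%Y-%m-%d %H:%M:%S")
                    for r in _drops_on(records, proto, port))
    if len(stamps) < 2:
        return None
    return (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)


def port_share(records, port=445, proto="TCP"):
    """Fraction of all DROP lines aimed at this port (the '95%' figure)."""
    by_port = drops_by_port(records)
    total = sum(by_port.values())
    return by_port[(proto, port)] / total if total else 0.0


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("drops by port:", dict(drops_by_port(recs)))
    print("share on TCP/445:", port_share(recs))
    print("attempts per source:", dict(attempts_per_source(recs)))
    print("mean gap (s):", mean_probe_interval(recs))
```

On XP SP2 the firewall does not log dropped packets until you enable it under the Advanced tab (Security Logging), and the default file is %windir%\pfirewall.log; feed that file to parse_log() in place of SAMPLE_LOG. Only DROP lines are counted, so the OPEN/CLOSE lines written when successful-connection logging is also on do not skew the per-port share.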
  • Re:Port 445 (Score:1, Interesting)

    by Anonymous Coward on Saturday September 04, 2004 @07:29AM (#10156707)
    The thing that amazes me is that Port 445 has apparently been left open.

    It's possible to close that port by unloading the NetBIOS over TCP/IP kernel driver. Kinda like Linux's rmmod, the sc program can remove these. Try typing

    sc stop netbt
    then run a netstat -an to verify that the port is closed.

    If you want to permanently unload it type the following. I haven't tested it much, so it might prevent you from booting.

    sc config netbt start= disabled
    To undo the previous command:
    sc config netbt start= system
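The "run netstat -an to verify" step is worth scripting, because a service that is only stopped, not disabled, comes back on the next boot. Below is an added example in Python that is not from the page; both netstat captures are constructed in the column layout that netstat -an prints on XP, and the set of ports charged to NetBT here (TCP 139 and 445, UDP 137, 138 and 445) is this example's assumption, not something the comment above states.

```python
"""Check 'netstat -an' output for sockets that should be gone once NetBT is
stopped. Added example, not from the page. Both netstat captures below are
constructed; BEFORE mimics an XP box with NetBT loaded, AFTER the same box
after 'sc stop netbt'. NETBT_PORTS is this example's assumption about which
listeners belong to netbt.sys."""
import re

BEFORE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1054       192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""

AFTER = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1054       192.0.2.10:80          ESTABLISHED
"""

# One netstat row: proto, local addr:port, foreign addr, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

NETBT_PORTS = {("TCP", 139), ("TCP", 445),
               ("UDP", 137), ("UDP", 138), ("UDP", 445)}


def bound_sockets(netstat_text):
    """Set of (proto, port) that accept inbound traffic: TCP sockets in
    LISTENING state and every bound UDP socket (UDP rows carry no state)."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def still_open(netstat_text, expected_closed=NETBT_PORTS):
    """Ports from expected_closed that are still bound; empty means success."""
    return sorted(expected_closed & bound_sockets(netstat_text))


if __name__ == "__main__":
    print("before:", still_open(BEFORE))
    print("after :", still_open(AFTER))
```

Pipe the real output in with `netstat -an | python check.py` (reading sys.stdin in place of the constants) and run it once after `sc stop netbt` and again after a reboot; an empty list both times is what "the port is closed" should mean. Note that TCP 135 (RPC endpoint mapper) is deliberately left in the expected-open set, since it is not a NetBT listener and stopping netbt will not touch it.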
  • by kosmosik ( 654958 ) <kos@ko[ ]sik.net ['smo' in gap]> on Saturday September 04, 2004 @09:01AM (#10156909) Homepage
    Well, it is not here obviously. Read my posting again then... As for SUS, of course it is, but it is not free; it requires Windows Server... And really these are just details. What about MSIE? It is still buggy as hell and SP2 does not change it... What about services and so on? Windows still leaves too many ports open... What about privilege separation? Windows still encourages users to work on the Administrator account and does nothing to prevent such behavior. Add up insecure MSIE and working on the Administrator account and you have the same security level as without SP2 - what has changed? Tell me please. As for privilege separation, I remember that some applications (even certified as XP compatible) won't run from a non-administrative account... See, this is exactly the opposite of Linux. In Linux some applications won't run from the root account. :-)
