Latest SP2 News
Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"
sp2 (Score:2, Funny)
I wouldn't laugh about this too much (Score:5, Insightful)
Yes, I couldn't suppress a first smirk upon seeing this article. But then again, there are two major reasons we shouldn't be laughing too much about this:
a) While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers), it also turns people away from using the Internet because they get too scared of what's going on there. The latter are mostly elderly people, but nevertheless - even they should be free to use the Internet, something which a number of them dread now because they feel their privacy (through spyware) and/or financial background (due to phish scams) may be at risk. And this is not a good thing.
b) Staying still, laughing about Micro$oft's misfortune here has two more immediate effects: (a) it will spur M$ developers even more to deliver better software - and (b) has Linux people potentially stay back and enjoy M$'s misfortune (and hence giving M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure)?
Personally, I've had some of my machines broken into about 2 years ago - and that was out of negligence (thinking Linux would be safe enough on its own). In the end, it probably was just a couple of script-kiddies breaking into the box to install - of all things - an IRC proxy/cache/logger on the machine. I don't know how they originally got into the machine, as I am not even quite sure WHEN it happened. But it went far enough that they even replaced the system's own ps/netstat/... to make sure those wouldn't display the "wrong" processes. I only noticed a problem when I inadvertently stumbled across it...
Since that time, I've done some more work trying to secure the box as far as (with MY knowledge) possible - but I'll no longer think my machines are inherently better than a M$ server might be. M$ *will* catch up - and they DO have the money they need to fix these kinds of problems.
The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).
Isn't that the ideal of OpenBSD (Score:3, Insightful)
Anyway linux isn't any more secure or insecure than windows. It is just that most linux users got a tiny bit of a clue. But a clueful person could also be able to set up a secure windows machine.
I keep waiting for MS to be really smart and adopt a more gentoo like approach to new windows installations. A very real problem is that a new "legal" installation is unpatched and will not survive long enough to download patches. But this is only because MS
Re:Oh? I can't run linux as root? (Score:5, Informative)
Like most things with computers, it's a matter of user-education. (Including users of other OS's which bash it because they don't know how to properly run it)
Re:Oh? I can't run linux as root? (Score:3, Interesting)
For a while, I had my primary account be a restricted user and was using Run As... to get administrator privileges for programs that needed that. After realizing that basically every single program I used required administrator rights, I gave up, and made my account an administrator account. (Most annoying was WinAmp - it turned out it required "Power User" privilege levels (or higher) to operate properly.)
(To be fair, I primarily use Windows for playing games, a
Re:Isn't that the ideal of OpenBSD (Score:3, Insightful)
'Flaws' Not that big of a deal (Score:5, Insightful)
Re:'Flaws' Not that big of a deal (Score:4, Insightful)
Until CodeWeavers comes up with a nice patch for wine to make SP2 work, please stop the presses!
Re:'Flaws' Not that big of a deal (Score:5, Insightful)
I think you have too high an opinion of Slashdot. Why would microsoft care one way or the other about a website whose readers are 1) a minority of windows users and 2) heavily biased towards linux?
On the other hand it makes sense for slashdot to post these stories because there are almost certainly some admins here who want to hear the latest news about sp2.
Re:'Flaws' Not that big of a deal (Score:5, Interesting)
In the real world, we have jobs and PHBs and spouses who don't want to disrupt things or break working apps (Sims for the missus, god help me if I break that one!).
I think the SP2 stories are required reading at the moment, and at the same time, I am glad the comments are littered with cynical remarks and questions. We need to question the motives of these companies, and we need to test SP2 to breaking point.
We want Linux to "take over the desktop", but at this point, as a compromise I am happy running Firefox and OO.org.
I won't try and say I dual boot, I find the thought of having to reboot an entire computer just to run one program absolutely stupendous, but when I get my linux bug I always have a knoppix disk lying around
Re:'Flaws' Not that big of a deal (Score:3, Informative)
"Curiously, a poll on Slashdot suggests that approximately half of all Slashdot visitors actually use a Microsoft Windows operating system with only a third using some form of Linux".
There is also a quote by CmdrTaco that I can't find at the moment.
I don't want to get all pedantic but did you read what I said? I already knew that the majority of slashdotters run windows.
I said that the slashdot readership makes up a minority of all windows users.
You said that the slashdot readers
Re:'Flaws' Not that big of a deal (Score:5, Interesting)
2) heavily biased towards linux.
So we are heavily biased towards linux, but still using windows. Right...
How are the two mutually exclusive?
Linux is a very successful server operating system but so far its desktop penetration is relatively low. Many people may be reading slashdot at work where they have no choice of what operating system is run on the desktop.
I personally run WinXP (cause I like games) but have used a Linux box as router in the past. So technically I use both windows and linux.
In fact there are many reasons to explain the windows desktop dominance even in a techie demographic like the slashdot readership.
Re:'Flaws' Not that big of a deal (Score:4, Interesting)
Getting 3 kb/sec and continuous alert sounds, I wondered what the heck happened, checked logs.
A new stupid lamer virus checking my port 135. I am on OS X right? FreeBSD based? Got firewall? nothing helps. I am affected by STUPID windows and some jerks opening attachments.
So, I really hope SP2 will work as advertised, at least stopping viruses coded in VISUAL BASIC for God's sake... I am not making any sarcasm. I hope it works and guess what? Only owning Macs, I watch all stories about SP2 with Yahoo alerts etc.
Re:'Flaws' Not that big of a deal (Score:3, Insightful)
Re:'Flaws' Not that big of a deal (Score:2)
Re:'Flaws' Not that big of a deal (Score:3, Interesting)
pretty, it's a fractal.
Re:'Flaws' Not that big of a deal (Score:2, Informative)
Re:'Flaws' Not that big of a deal (Score:3, Informative)
Re:'Flaws' Not that big of a deal (Score:3, Insightful)
Is it really?
On the phone it's great to be able to say "Press Alt-F2 and then P-R-O-G-R-A-M", it's much more efficient and straightforward than "Press Start, then go to that submenu, then go to that submenu, then search for PROGRAM, then click it"
Re:'Flaws' Not that big of a deal (Score:2, Insightful)
The issue at hand is that there exists a way to execute programs without checking the ZoneIDs. That's less secure than desirable. All methods of execution should be secured. There are bound to be scenarios where this could be exploited that don't involve the user opening up a cmd window and typing the command.
That said, yeah yeah yeah, Windows isn't secure, blah blah blah, Linux rules, etc.
Re:'Flaws' Not that big of a deal (Score:5, Insightful)
Re:'Flaws' Not that big of a deal (Score:2, Insightful)
Does anyone use/trust these things anymore?
Re:'Flaws' Not that big of a deal (Score:5, Interesting)
Re:'Flaws' Not that big of a deal (Score:5, Insightful)
It's like the social engineering attack: "Can I have your username?". People are told not to dish out their passwords, but usernames should be fine, right? Attacker then calls tech support (at the same company) saying: "Hi, I've forgotten my password. My username is . Please reset it for me."
Re:'Flaws' Not that big of a deal (Score:3, Interesting)
Re:'Flaws' Not that big of a deal (Score:3, Interesting)
Re:'Flaws' Not that big of a deal (Score:3, Insightful)
Re:'Flaws' Not that big of a deal (Score:2, Interesting)
The specific flaws may not be big deal today, but Jürgen Schmidt's article Microsoft: A matter of trust [heise.de] makes some very good points about what the response says about Microsoft's attitude to the problem. One of the biggest obstacles to security is the "it hasn't been exploited yet so it isn't a problem" attitude in those who hold the purse strings. It is a recipe for always doing too little, too late.
Re:'Flaws' Not that big of a deal (Score:2)
On the contrary I think these are some very interesting bugs.
Microsoft's response: (Score:3, Interesting)
*Shrugs*
Re:Microsoft's response: (Score:2)
Boss: The CD looks very attractively packaged. Let's try...
-
Isn't it normal? (Score:2, Insightful)
So they patch up to SP2 and they continue to patch. I would hope so.
So there's issues with SP2. I dare you to do a similar number of changes and then have no issues with the resulting code.
Yet another slow news day when we see headlines like "Ask Slashdot; I want to install a text editor, what do slashdot recommend?"
Service Patch 2 (Score:5, Funny)
I'm curious how long it takes them to release Service Patch 2 for SP2...
Outsourcing a problem? (Score:3, Insightful)
If this is the case, it is very easy to see why Microsoft has so many problems with security. They have no control over the hires, no control over the code (you can review it, but that's a lot of code), you have no control over security of the code.
I sometimes wonder if people purposely put in backdoors or buffer issues to allow this to happen. An unhappy coder is a dangerous coder, and let's face it, if you work for an outsource company, you probably are not too happy. I sure wasn't.
Re:Outsourcing a problem? (Score:2)
Re:Outsourcing a problem? (Score:5, Interesting)
Managing large projects (Score:5, Interesting)
Making it small is the trick (Score:5, Informative)
You implement a very small "core" or "security kernel" or "call it what you like". It is called a "reference monitor" in TCSEC. It is a piece of code that will be asked "can subject X do operation Y on object Z", whenever a user or program attempts any operation on any object (like a file or a network connection). This piece of code is so small and simple that you can inspect it and possibly even formally *prove* it to be correct.
The operating system kernel will then guarantee that the reference monitor is consulted on all such operations. This is, after all, what operating system kernels do, among other things.
Now; you can write a simple security policy for each subsystem in your operating system. One policy for your browser, one for your word processor, one for your regular secretaries, one for your accountants, etc. (a real OS with these features will of course have the majority of all policies set up and ready by default).
The system will now enforce the security policies on everything that goes on in the system. Because the OS is enforcing these policies, and because the subsystems cannot magically change the security policies set up for them, this is called "Mandatory Access Controls", or MAC for short.
MAC ensures that a bug in, say, your browser, cannot be exploited to, say, go thru your documents and harvest e-mail addresses. Simply because the system policy does not allow a browser with internet access to access local documents. Just an example.
This is how secure systems are built. This is what SELinux is trying to do, and this is what Trusted Solaris has done for a while. This is what is required if you want a TCSEC certification in the B (or A) class, not the kindergarten-security of the C class.
Or, under the common criteria, this is what you need to get certification against the LSPP (as Trusted Solaris has), instead of the kindergarten-security CAPP (as Win2000 can have in certain restricted setups), or even the home-grown "security targets" (which SuSE got).
This is old and well known technology. Too bad big businesses and governments never put pressure on the vendors to actually have real security built in.
Good to see SELinux coming along nicely, and Sun moving Trusted Solaris features into Solaris 10.
All is not lost - but trust me, they will be selling snow-cones in hell before you see MAC in Windows.
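The reference-monitor design described in the comment above, as an added example that is not part of the original post: a small default-deny monitor that a toy kernel consults on every operation. The domain and type labels (`browser_t`, `user_doc_t`, ...), paths, and the `Kernel.syscall` entry point are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str    # process name
    domain: str  # label assigned by the system, not chosen by the process


@dataclass(frozen=True)
class Obj:
    path: str
    type: str    # label on the object (file, socket, ...)


class ReferenceMonitor:
    """Answers one question: may subject X perform operation Y on object Z?"""

    def __init__(self, policy):
        # Private, frozen copy: subjects cannot alter the policy later (the "mandatory" part).
        self._policy = {k: frozenset(v) for k, v in policy.items()}
        self.audit_log = []

    def check(self, subject, op, obj):
        # Default deny: anything the policy does not name is refused.
        allowed = op in self._policy.get((subject.domain, obj.type), frozenset())
        self.audit_log.append((subject.name, op, obj.path, "ALLOW" if allowed else "DENY"))
        return allowed


class Kernel:
    """Toy kernel: the single entry point guarantees the monitor is always consulted."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._store = {}

    def install(self, obj, data):
        self._store[obj.path] = [obj, data]

    def syscall(self, subject, op, path, data=None):
        obj, current = self._store[path]
        if not self._monitor.check(subject, op, obj):
            raise PermissionError(f"{subject.name}: {op} {path} denied by policy")
        if op == "write":
            self._store[path][1] = data
            return None
        return current


# Hypothetical policy: (subject domain, object type) -> permitted operations.
POLICY = {
    ("browser_t", "download_t"): {"write"},
    ("wordproc_t", "user_doc_t"): {"read", "write"},
    ("wordproc_t", "download_t"): {"read"},
}


def demo():
    """Run four constructed requests and return (outcomes, audit log)."""
    monitor = ReferenceMonitor(POLICY)
    kernel = Kernel(monitor)
    kernel.install(Obj("/home/u/contacts.txt", "user_doc_t"), b"alice@example.org")
    kernel.install(Obj("/home/u/Downloads/page.html", "download_t"), b"")
    browser = Subject("browser", "browser_t")
    editor = Subject("wordproc", "wordproc_t")
    requests = [
        (browser, "read", "/home/u/contacts.txt"),         # a buggy browser harvesting addresses
        (browser, "write", "/home/u/Downloads/page.html"),
        (editor, "read", "/home/u/contacts.txt"),
        (editor, "write", "/home/u/Downloads/page.html"),
    ]
    outcomes = {}
    for who, op, path in requests:
        try:
            kernel.syscall(who, op, path, b"x")
            outcomes[(who.name, op, path)] = "ALLOW"
        except PermissionError:
            outcomes[(who.name, op, path)] = "DENY"
    return outcomes, monitor.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```
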
The Heisenberg Patch (Score:5, Funny)
Re:The Heisenberg Patch (Score:4, Funny)
Re:The Heisenberg Patch (Score:4, Funny)
Is it there or isn't it? What is it? It's the Heisenberg Patch!
Well, I'm glad my OS comes with Heisenberg Patch Compensators. :-)
Lame Microsoft bashing (Score:5, Insightful)
The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:
if(spywareCount > 20) stupidUser = true;
I'd actually be surprised if there are no bugs in (Score:5, Interesting)
Having said that, it's all about risk management. If you're willing to postpone SP2 roll out in your org you've got to estimate the risks of not rolling it out, too. As I said it fixes a lot of issues, and if there's a bug or two the benefits still outweigh the risks by a wide margin.
Re:I'd actually be surprised if there are no bugs (Score:2, Flamebait)
It can't be very deep when you allow this "bug" to go through a command-window. Then it's just a patch to explorer, and explorer-alternatives like Litestep and o
Execute.me (Score:5, Interesting)
Re:Execute.me (Score:4, Insightful)
If SP2 has introduced as standard blocking execution based on ADS data, it has to be uniform across the OS. The fact that CMD does not do the check means that the check is not on kernel level. It is a userland check, most likely in explorer libraries which are universally used by MSFT software at the moment. This means that there is likely to be a way to do this without asking and this protection is not likely to apply to any 3rd party executables that do not rely on IE. This also means that SP2 enforces the use of IE to access filesystem and launch executables
So MSFT did one of its usual stunts - it decreased the security of the system, screwed the competition while getting some publicity for a security feature. Good marketing...
Re:Execute.me (Score:4, Informative)
But does SP2 take out the trash as well? (Score:5, Insightful)
Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.
Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?
You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.
SP2 Borks iPODS it seems... (Score:5, Interesting)
I just got a new 4th gen iPOD, which I can write to on Linux, but can't get to work on my XP-SP2 Windows dual boot machine.
Guess what I'll be uninstalling next...
Depends on the condition of the PC at the time. (Score:5, Informative)
No problems under Service Pack 2 whatsoever, though Windows Firewall did fuss about iTunes wanting to connect to the Internet.
From my experience, many of the times when an OS/feature breaks from a service pack installation, it's because the user's PC was already damaged by corrupt files, registry entries, or "tweaks". The Service Pack simply exposed them.
Re:But does SP2 take out the trash as well? (Score:2)
Wrt single user booting, sure, no system is secure when an attacker has physical access to the hardware. But I can see how these flaws are remotely exploitable, which is much worse. The first flaw is more a social engineering issue, but I can see how flaw #2 can cause real problems.
Re:But does SP2 take out the trash as well? (Score:2)
How about a
Only 2 for a new OS release? (Score:5, Interesting)
Re:Only 2 for a new OS release? (Score:3, Funny)
Functionality vs Control (Score:3, Insightful)
BTW, here is the SP2 fix list [microsoft.com]
Some great stuff here e.g. -> 823830 Your Windows XP computer stops responding after you log on
Another potential remote exploit found!! (Score:5, Funny)
Even with the service pack applied, Windows does nothing to guard against the user revealing their password to a complete stranger in a train station in exchange for some crappy pen. [theregister.co.uk]
MICROCRAP WINBLOWS!!!!!!!
Re:Another potential remote exploit found!! (Score:5, Insightful)
Microsoft has added protection to some things, but not others, so it's a 'flaw' that the protection only protects these certain things. But it's most likely a design decision - you have the security stopping the dumb user from accidentally opening something in explorer without realising what it is, without handicapping advanced users using cmd or having say security pop-ups every time a program internally invokes another etc.
Mod article down (Score:5, Insightful)
Microsoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
For Christ's sake, Sendmail. Sendmail had a brand new remote execution (That translates to your unpatched box being rooted.) exploit posted a week or two ago, and not a word was said.
This isn't news. This is hypocrisy.
--
Re:Mod article down (Score:5, Informative)
By SearchSecurity.com staff
02 Aug 2004 | SearchSecurity.com
SCO fixes two critical flaws in Sendmail
The SCO Group of Lindon, Utah has issued a fix for two old vulnerabilities in Sendmail that malicious people could use to launch a denial-of-service attack or compromise a vulnerable system. IT security firm Secunia of Copenhagen, Denmark calls the flaws "extremely critical." The first problem can be exploited to cause a denial-of-service attack and could allow a remote attacker to execute arbitrary code with the privileges of the Sendmail daemon, typically root, according to SCO's advisory. The second problem is in the prescan function in Sendmail 8.12.9, which allows remote attackers to execute arbitrary code via buffer overflow attacks. The vulnerabilities affect OpenServer 5.0.6 and 5.0.7. The SCO recommends users install the latest packages.
Re:Mod article down (Score:4, Informative)
Re:Mod article down (Score:5, Funny)
actually, this is slahdot
Low tech (Score:5, Funny)
DeMe
News at 11... (Score:3, Funny)
*cue the Microsoft ad*
*cut to Microsoft Windows ad*
Mr. Ballmer, how does this delay affect your company's efforts to ensure the security of your customers? What does this mean in your plans to release the Longhorn operating system?
"Well, Stan, we here at Microsoft have been long at work making things safe and secure for every single person, and we don't plan to change that now. As for Longhorn, that will be put on delay until we can secure what we have now. Beyond that, I can't comment."
Do you give any credence to the rumors that more and more of your customer base might be slipping to Windows?
"Yes, but they'll be back, when they discover that the costs of going to Linux is higher than staying with us. Our plans of world...
Thank you, Mr. Ballmer. Back to you, Charlie.
*cut to Charlie*
Thank you, Stan. When we come back, a look at your money, and a surprising look at SCO's evidence, proving once and for all, its ownership of UNIX and Linux...
*cut to MSN Ad*
Darl McBride, CEO of the SCO Group, uncovers an amazing discovery that could turn the tables in their court case against IBM, who they allege had taken UNIX code, the recipe for a computer to work, as they provided this evidence this afternoon in court...
*cut to scene where Darl is in a straitjacket, screaming that Linux is his and if he can't have it, no one will*
*cut to scene where SCO lawyers present the Chewbacca Defense*
No question, IBM's claims make no sense. So, here we have conclusive evidence that Linux rightly belongs to the SCO Group.
In an unrelated incident, Darl McBride, surprised at the effectiveness of the maneuver, lost his sanity, and shouted about his ownership of Linux.
*whisper: Do you think they'll buy that? What?* *looks at camera* Oh, when we return, we'll cover your money, and its safety in MS-backed stocks.
Enough already... (Score:5, Interesting)
Put it this way. If the average user took the time to learn just a little more about this device that is a BIG part of their lives, and how to keep it and their private information secure, would security really be as massive of an issue as it is today? I will say this, though - I'm glad Microsoft has turned the firewall on by default in SP2. I know it's going to cause a lot of headaches, but think about it - a lot of people are hearing about a firewall for the first time thanks to SP2. Hearing about it, and being FORCED to deal with it, is a big step for the average user towards learning more about security.
I have problems too since SP2 (Score:4, Funny)
kinda funny but i don't remember installing that...
seriously, if a user is dumb enough to follow instructions to do something he never asked for from somebody (he probably doesn't even know) he got an email from, you might just as well ask them to install backdoor.exe because it will make their computer faster.
Have they fixed this? (Score:2)
News for Nerds. Stuff that matters. (Score:5, Insightful)
Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.
Secondly it makes the OSS community look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up of... that directly impacts adoption of OSS by business.
If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.
Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.
"News for OSS Nerds. Any desperate shot at MS."
Grow the hell up.
Get back to news for ALL nerds, and stuff that genuinely does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not surprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.
Re:News for Nerds. Stuff that matters. (Score:4, Interesting)
I'm one of those developers. I write OSS on Windows, because Windows does for me what I want. I'm not starting a windows vs. linux debate, but a maturity vs. immaturity debate. I can totally understand why people use linux. I really can. I even use it myself (tho not on my own desktop). I'd defend someone's right to use linux with all my might. Why do I get the feeling that sentiment wouldn't be reciprocated by the /. community? It's called objectivity, folks. If you want OSS to be respected, start respecting other operating systems. Start respecting closed-source apps and developers, and they'll start respecting you more (they already respect you, but this cheap pot-shot name-calling only hurts that).
I find it increasingly difficult to talk to people who don't know about OSS and tell them how cool it is, because the community behind it is cheap. Really cheap. Are you all proud that you're bashing an operating system that your favourite OS is aspiring to replace? If linux had 95% of the desktop share, would you love it if people bashed it without any reason what-so-ever? Of course not. So don't do it to windows. Sure, pick up on the truly bad stuff, but also pick up the good stuff. Do the same for linux, as well. Be fair, that's all. Objectivity. It's your friend.
Anyway, I'll be called a troll for this. I don't care any more. I waste so much time wading through people talking out of their asses on here, it's hard to get to the actual stuff that matters.
Microsoft and Lucasarts (Score:3, Funny)
post.replace("SP", "EP", 0);
Look, SP2 sucked, no one liked it, we are all waiting for SP3, although most of us have this feeling that it will be more of the same.
It gets complicated with SP4-6 due to something called the time-space continuum.
2.6.8 kernel so buggy... (Score:3, Insightful)
Zero Mission (Score:3, Interesting)
While SP2 is more secure than the original release and SP1 that doesn't reduce the number of Blaster hits my firewall blocks. It also doesn't affect the 50% of Windows users that will never download the update and will continue to be hammered by viruses and worms. Microsoft's delays and incompatibility problems just exacerbate the matter.
It's good to see Microsoft taking real heat from the industry press over their problems in SP2. The industry as a whole rolling over for Microsoft is what led to the situation as it stands now. The original release of Windows XP was riddled with holes and was summarily exploited. No one seriously called Microsoft on this fact and SP1 was little more than a collection of security patches and minor bug fixes. The changes made in SP2 should have come out years ago. Maybe then you could plug a Windows system into a cable modem and last more than twenty minutes without being exploited.
Linux is improving in the usability and management arena and MacOS X is gaining mindshare as Apple improves its hardware. Both of these OSes are designed much more securely yet have a high level of technical capability. I really hope people begin to see there are alternatives to Windows and they're not nearly as bad as Microsoft would have you believe. SP2 is going to teach their management a hard lesson; despite being a monopoly power in the industry they still have to improve and maintain their OS.
Awwwww, FUUUUUDGE! (Score:3, Interesting)
Well, I learned something. Apparently, for some time now, Windows XP has been completely willing to execute executables that do not have an executable file extension. For example, if you rename notepad.exe to notepad.gif, you can "CMD
The point?
Those of us using RENATTACH [pc-tools.net] on our mail servers to filter out malware and viruses now have another hole to plug.
Thanks, Microsoft.
Dorks.
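For the renamed-executable problem in the comment above, and the ZoneID origin marker discussed earlier in the thread, an added example (not from any poster, and not RENATTACH's code) of an audit that identifies executables by their file header instead of their extension and reads the zone marker defensively. It assumes the marker text has the `[ZoneTransfer]` / `ZoneId=N` layout of the `Zone.Identifier` stream; the function names and the sample inventory are constructed for illustration.

```python
import os
import struct

# Zone numbers carried in the marker; 3 and 4 are the untrusted origins.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
UNTRUSTED = {3, 4}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif"}


def parse_zone_id(stream_text):
    """Return (zone, ok). ok is False when a marker exists but cannot be trusted."""
    if stream_text is None:
        return None, True                     # file was never tagged
    in_section = False
    for raw in stream_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                value = value.strip()
                if value.isascii() and value.isdigit() and int(value) in ZONES:
                    return int(value), True
                return None, False            # garbage value: fail closed
    return None, False                        # marker present but no ZoneId


def is_pe(head):
    """True if the leading bytes look like a Windows PE image (MZ stub + PE signature)."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def audit(records):
    """records: iterable of (filename, leading bytes, marker text or None)."""
    findings = []
    for name, head, stream_text in records:
        if not is_pe(head):
            continue                          # decide on content, never on the name
        if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
            findings.append((name, "executable content behind non-executable extension"))
        zone, ok = parse_zone_id(stream_text)
        if not ok:
            findings.append((name, "zone marker unreadable, treat as untrusted"))
        elif zone in UNTRUSTED:
            findings.append((name, "origin zone: " + ZONES[zone]))
    return findings


def _pe_stub():
    """Constructed 68-byte header: MZ magic, e_lfanew=0x40, PE signature."""
    head = bytearray(0x44)
    head[:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 0x40)
    head[0x40:0x44] = b"PE\x00\x00"
    return bytes(head)


# Constructed inventory, not real files.
SAMPLE = [
    ("setup.exe", _pe_stub(), "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("notepad.gif", _pe_stub(), None),
    ("photo.gif", b"GIF89a" + bytes(64), "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("tool.exe", _pe_stub(), "[ZoneTransfer]\r\nZoneId=banana\r\n"),
    ("calc.exe", _pe_stub(), None),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
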
Let me get this straight (Score:4, Funny)
Pretty soon we'll have Longhorn exploits coming out.
Difference between CLIs in OSes (Score:3)
Example: yesterday I tried to FTP from a Windows 2003 server to another box. For the sake of speed, I tried using IE as my FTP client. Windows 2003 locked down the box by default, so that client wouldn't work without tweaking IE settings. However, I tried the Windows FTP command line app and it worked fine.
The "safeguard" described in the article really isn't meant to be a safeguard at all. It doesn't follow any of the low-level security features that the system provides (like permissions). It's just a quick tag for Joe User to remember that a file was downloaded and not placed by them.
I have respect for ... (Score:5, Insightful)
I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface.
Grow up. Sheesh.
Software has bugs. Deal with it. (Score:5, Insightful)
If you really must discredit Microsoft, at least do it on fair ground and acknowledge that the operating system(s) you hold dear also have some bugs. And please, do not call them Micro$oft, M$ and other lame variants. It is Microsoft Windows, not Micro$haft Windblowz. If you can't even have the common decency to refer to something by the proper name, then nobody worth listening to is ever going to take you seriously.
If you want your community to be seen in a decent light, then you must behave decently.
Re:Where is SP2... (Score:2, Insightful)
You just don't realize how lucky you are...
Re:Where is SP2... (Score:4, Informative)
Re:Where is SP2... (Score:5, Informative)
Re:Where is SP2... (Score:3, Informative)
- August 18: Release to Automatic Updates for users running XP Home only
- August 25: Release to Automatic Updates for all XP users, including those running XP Pro, and to Windows Update for interactive user installations
Re:Where is SP2... (Score:3, Informative)
Actually it is available both ways. The auto update method is kind of neat because it does not show up as an available download but downloads as a background download. Eventually the computer advertises updates to install and SP2 is one of them. I do not know if there is a special way to cause this behavior or not. I administer about 70 PCs and of those SP2 has appeared on aroun
Re:Where is SP2... (Score:5, Informative)
XP SP2 was definitely made available on the 16th (Monday) for Software Update Services [microsoft.com] (SUS - soon to be called WUS), 'cause it shows up in my list of downloaded updates (and there was a big spike of incoming traffic in my MRTG logs on Monday morning) - not that I'll be approving it just yet ;) Whether they've pulled it from this distribution channel I'm not sure, but given that most SUS installs update daily it's probably too late to bother.
BTW, for any small NT network admins I'd highly recommend SUS. It's basically the same as Automatic Updates but centralized to one (or more) of your servers, saving you bandwidth and allowing control of which patches are approved for internal distribution (so can hold back until you've done your testing), amongst other things. For more info see the link above; it's remarkably easy to set up and roll out.
Re:Where is SP2... (Score:2, Informative)
Re:Where is SP2... (Score:4, Informative)
Also, for modem users, getting it via automatic updates is a much better idea, as that can (I believe) handle resuming downloads, which using windows update probably can't do.
Spreading the load... (Score:2, Interesting)
So the bandwidth excuse is not an option...
Re:Where is SP2... (Score:2, Interesting)
Re:Where is SP2... (Score:5, Informative)
Yes, those external installers are very hard to come by [microsoft.com] indeed! But hopefully downloading directly from Microsoft's gigabit backbone qualifies as being fast enough for ya.
Re:In general, Microsoft seems sloppy. (Score:5, Funny)
Come on, guys, if you're going to bash the Beast of Redmond, at least put some effort into it!
-MT.
Re:In general, Microsoft seems sloppy. (Score:3, Insightful)
Re:In general, Microsoft seems sloppy. (Score:2)
Microsoft have been implementing that system for some time now.
-MT.
Re:In general, Microsoft seems sloppy. (Score:5, Funny)
Developers vs Rest-of-company:
Pre-release-phase:
Rest-of-company : Come on, we _need_ SP2 now!
Developers : But it isn't finished yet...
Rest-of-company : If we don't get it NOW, we will
Developers : Okay, but there are too many problems with SP2...
Rest-of-company : We'll release some hotfixes, just give it to us _NOW_!
Developers : *shrugs* Oh well... Just don't forget we warned you guys...
Post-release-phase:
Rest-of-company : WHOA, There is a problem with xxx. How is that possible?
Developers : Well, SP2 just isn't quite finished yet...
Rest-of-company : Not finished? What the f**k?!
Developers : We told you so, before the release, but...
Rest-of-company : I don't want to hear that, just go and work on the hotfix...
Developers : *shrugs* Oh well...
Re:In general, Microsoft seems sloppy. (Score:2)
Re:is it serious enough? (Score:5, Informative)
No.
The attack vectors described are:
and (in an email)
Neither seem likely to be able to self-replicate without user intervention. So no worm then.
Re:is it serious enough? (Score:3, Informative)
If they are prepared to sacrifice security for the sake of start-up performance by caching the ZoneID and not checking the file-modified date, which I guess is why the second flaw is present, it doesn't bode well for the future security of SP2.
Re:Currect track record (Score:5, Insightful)
Re:Currect track record (Score:2, Informative)
XP SP2. Websites go out of their way to find security flaws and come up with this in a feeble attempt to keep the anti-MS flow going...sorry, but if this is the worst exploit they can manage to dig up from SP2 perhaps they need to point their arrows elsewhere...
Re:Currect track record (Score:5, Insightful)
Win95 - ground-breaking. Paved the way for the GUIs in use in every subsequent windows version, and lots of *nix guis
Win98 - great for games (still is), supports the latest DirectX (still), has a very small footprint, boots fast and offers great hardware support
WinME - disappointing for some, exceedingly usable for most others. Say what you will, lots of people loved it
Win2000 - fantastic. Offered stability, great driver support, great networking, easy installs, perfect for the corporate environment (hence most places still using it)
WinXP - incredible. We're talking excellent games/multimedia support, almost unlimited software catalogue, integrated auto-updating, visual themes, etc. etc. etc.
XPSP2 - a great step in the right direction, executed very well. If you can find fault in it, you can find fault in anything
2003 - One of the best server operating systems out there. Exceedingly fast, secure, stable, yet with great driver support, lots and lots of software, etc. Again, if you think it's bad there's something wrong.
At least get your arguments straight. Just because you label something as "disappointing" doesn't instantly wipe out the popular history that it was anything but. I know you have your head in the clouds, but even that shouldn't stop you from recognising truly important software.
Re:Sensible Color Scheme (Score:2)
Re:Vapourware? (Score:3, Informative)
Re:SP2a (Score:5, Insightful)
Get rid of that "fuck microsoft" attitude, start thinking for yourself, and actually take a look at it. It's a great addition to XP, and those who say it isn't have an ulterior motive.