LONDON (02/10/2004) - If you've been longing for a more secure version of Windows, Windows XP Service Pack 2, due mid-year, is designed to fit the bill. A response to the electronic attacks that crippled Windows systems worldwide last year, Windows XP SP2 is a crucial upgrade centered on what Microsoft Corp. calls security technologies.
It is designed to address many of the issues that XP has suffered since its release and to that end includes an improved firewall and wireless networking, a clampdown on spyware, pop-ups, and improved email attachment control. But before we go into Microsoft's remedies, let's review those security issues.
And what a lot of issues. According to a trawl of Microsoft's security bulletins, since last June it has issued patches to fix the following vulnerabilities in XP and Internet Explorer (IE), many of which create security breaches when users click on a link in a dodgy Web site and/or opens an HTML-based email:
-- Five breaches of IE's cross-domain security, allowing the local execution of scripts or code giving access to the system.
-- Two vulnerabilities involving DHTML and drag-and-drop that could allow a file to be saved on the user's system and its code to be executed if the user clicked a link.
-- A vulnerability that involves the incorrect parsing of URLs that contain special characters, resulting in a misrepresentation of an authentication URL.
-- A vulnerability involving the way zone information is passed to an XML object within IE, allowing an attacker to read local files on a user's system.
-- A vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog.
-- A buffer overrun problem in the Messenger service that could allow arbitrary code execution, allowing code to be run with full access privileges. A subsequent fix had to be issued after it emerged that the patch did not properly place the updated wkssvc.dll into the correct path.
-- A vulnerability in the help system because a file associated with the HCP protocol contains an unchecked buffer, potentially allowing an attacker to construct a URL that executes code with full privileges.
-- A buffer overrun problem in User32.dll that generates list and combo boxes in certain (mainly European) language-specific versions of XP that could cause the execution of arbitrary code.
-- Four instances of IE incorrectly determining object types returned from a Web servers, allowing arbitrary code to be run on a user's system.
-- An unchecked buffer in the Windows shell or UI that compromised the system, allowing an attacker to create a networked Desktop.ini file containing corrupt custom attributes causing the Windows shell to fail or an attacker's code to run with the user's privileges.
-- Buffer overrun in the DCOM RPC interface allowing code execution with full access privileges.
-- A buffer overrun because of incorrect validation of SMB packets leading to data corruption, system failure, or execution of arbitrary code.
-- A flaw in the way Windows media services logs multicast transmissions, exploitable by an attacker using specially formed HTTP requests that cause IIS to fail, or executing code on the user's system.
-- A flaw in an ActiveX control in Media Player 9 that allows access to information on the user's computer. Invoked from a script, it could allow access to the PC's media library.
-- IE incorrectly implementing an appropriate block on a file download dialog box, allowing arbitrary code to be run on a user's system.
At that's not the end of it either. Microsoft issued a further 14 patches between November 2002 and May 2003 to fix vulnerabilities. And so onto the software giant's apparent solution:
Service Pack 2
The beta of XP SP2 is said to sport a simple installation, much-needed security enhancements and a friendlier front end to wireless networking. It will be free, but Microsoft hasn't yet said how it will distribute the pack.
One component of the original Windows XP is the Internet Connection Firewall, but this line of defense is disabled by default, and is difficult to find and configure. The version in XP SP2, now renamed Windows Firewall, receives more prominent advertising and is enabled by default, providing a decent level of network protection even when the system is booting up.
In addition, the new Windows Firewall is more powerful than the previous version, with both inbound and outbound scanning capabilities similar to those of third-party firewalls such as ZoneAlarm. For example, the first time an application wants to access the Internet, Windows Firewall pops up a dialog box in which you can configure the firewall to grant such access.
Windows XP included wireless networking support but Microsoft then hobbled the feature somewhat with SP1, forcing users to log on manually to insecure networks (a hassle for most home users). With SP2, the software giant has significantly improved the user interface for wireless networking, simplifying the tasks of browsing, configuring and connecting to wireless networks. it also allows users pick the default wireless network when it's within range.
Pop-ups and spyware
IE has been updated to include pop-up ad blocking, a key feature that some competing browsers have had for months. And if you do choose to allow pop-ups, Internet Explorer prevents questionable Web sites from altering those windows in ways that might harm your system; this innovation should put an end to the annoying proliferation of windows at some Web sites.
In another welcome nod to security, Internet Explorer includes a new browser add-on module that helps deter spyware by controlling how XP installs, configures and enables add-ons. In the short term, some IE add-ons -- for example, various Netscape-style plug-ins -- may not work after the upgrade; but even so, the additional security and stability are likely to be worth it.
Both Outlook Express and Windows Messenger will now protect you from dangerous file types, isolating attachments so that they cannot attack your system. Outlook Express has also been updated with a feature drawn from Outlook 2003: By default, HTML e-mail messages will not download images; this keeps spammers from figuring out that your e-mail address is valid by having the embedded images phone home. This is a fine feature, but the ability to set up a white list of approved senders whose images aren't to be filtered could save IT managers a lot of time.
Microsoft has significantly changed Windows Update for use with SP2, placing the most critical software updates into a friendly, new, single-step installation routine. Other software and driver updates are available separately.
Under the hood
Behind the scenes, Microsoft has made many low-level changes to XP in SP2 to make the operating system as secure as possible. A new memory protection system guards XP against common buffer overrun errors that many viruses and worms exploit to compromise the operating system. There's a useful explanation of how buffer overruns compromise security here. And new networking technologies will help ensure that attackers find fewer vulnerabilities when probing SP2-protected Windows systems over the Internet.
A must-have upgrade?
Windows XP SP2 may not solve all of security problems since Windows will continue to be the target of choice for hackers. It's also too early to tell whether SP2 will generate any woes similar to those that plagued many users who installed SP1. Nevertheless, this update does look as if it will provide much of the basic plumbing required for a more secure OS.