The significant (and overdue) changes in service pack 2, for which Microsoft has yet to announce a release date but has given a few details on its MSDN developer website, will save some grief for unwary users and make life more difficult for virus writers.
This column in September expressed concern that the company was putting too much effort into securing the next version of Windows, which is not due for two or three years, and not enough into looking after users of the existing systems. It seems only fair to revisit those points and see if they're still valid given the promise of service pack 2.
- Stop shipping consumer PCs with unneeded, insecure services enabled. Activating ICF, the Internet Connection Firewall, is a good move. It’s the single best thing the company could do, especially for home users and small businesses. It may irritate a few P2P users who suddenly find they can’t use eDonkey or Kazaa anymore, but those are exactly the people who need to learn how to use a firewall.
- With ICF enabled, users won’t receive unwanted Windows Messenger spam, and most importantly won’t fall victim to exploits like Blaster that rely on vulnerable services such as Windows RPC.
- Make sure security updates don’t have other, unwanted changes. We expressed concern that users don’t have a ready way to know if an update brings a change to the user licence agreement. It’s possible service pack 2 will address this concern, but we’re not holding our breath.
Of course, services such as RPC are very useful running behind companies’ own firewalls. Presumably Microsoft will provide a way for system administrators to update XP machines without breaking their networks.
- Patching needs to be simple. In fact, recent patches have been easy to download and install, although Windows Update is sometimes criticised as unreliable. Microsoft has said it intends to revise its patch system, including Windows Update; it’s possible service pack 2 will introduce the changes.
- Security shouldn’t be used as a reason to need a paid upgrade. Microsoft hasn’t said whether the changes in XP service pack 2 will also be available in a service pack for Windows 2000 users, but it seems unlikely. To be fair, implementing the changes on two versions of Windows would be a much tougher job and probably delay the release.
Microsoft is certain to make other changes also, perhaps including changing the patch system to automatically install critical updates. That might cause some controversy, but there’s no doubt that the changes in service pack 2 should greatly reduce the opportunities for malware writers to attack Windows XP machines. Bravo.
So will we see a reduction in attacks? Probably not, at least in the short term. Many computers on the internet are running earlier versions of Windows, which won’t be updated by the XP service pack. Some computers just don’t get updated by their owners. And some common programming errors will still result in vulnerabilities, although the switch to managed code will lessen those holes.
And of course if Windows suddenly becomes an absolutely secure platform, virus writers will switch their attentions to platforms easier to crack.
There’s a ready-made replacement: a platform that’s ubiquitous, features-driven, and popular with the great unwashed. Last week brought the news that some mobile phones from Nokia, Ericsson and the Sony-Ericsson joint venture are vulnerable to a flaw in Bluetooth. Crackers and phreakers will be eyeing the situation with interest; let’s hope the developers of our cellphone systems learnt some security lessons from the desktop.
Update: After this column was written, Microsoft announced that a future Windows 2000 service pack will also contain the security changes. The company is aiming to release the service packs by May.