After long delays and whining Microsoft has released Service Pack 2 for Windows XP (at least to us OEMs, anyway). More than just a collection of updates, this service pack aims to fix some of the more serious security problems with the product. You can read more about what it does if you feel the urge.
Some initial thoughts:
SP2 adds something called the Security Center to help make the task of managing security easier. It includes three prominent status sections similar to the status windows of Norton Internet Security: one for the firewall, one for automatic updates, and one for your virus scanner. The status sections tell you what’s working and what isn’t. On a default install the Virus Scanner section will be off and red. More on that later. At the bottom, it also provides shortcuts to the Settings applets for Internet Security, the Firewall, and the Automatic Updates so you can easily change the behavior of these things.
After you install SP2 the first thing it does following the obligatory reboot is ask you to turn on the automatic updates. This is not a bad thing to do. By default, it uses BITS to quietly download the updates when you are online and installs them at 3:00am or on the next reboot, whichever comes first. Naturally, serious gamers will want to change the default install time, which could seriously slow down late night gaming, to a more reasonable time of maybe 10:00am.
The improved firewall is easier to configure, but on the surface doesn’t appear all that much different from the last one, other than it is enabled by default. It has a section for exceptions and looking at this section reveals that remote assistance is exempted from the firewall by default. Since this seems like an obvious avenue for attack, I would recommend unchecking the box so RA requests will be blocked. The firewall is supposed to tell you when it blocks something, but I haven’t yet seen the behavior. ICMP (ping) is also blocked by default. I used nmap on an XP SP2 box and it didn’t reveal too much.
The shortcut to Internet Security Options is the same as the Security Tab in the Internet Options section of the Control Panel. A quick breeze through the Custom settings for the Internet Zone shows that some stuff has been added, most notably a setting for a Pop Up Blocker, which is enabled by default. I guess the Microsoft guys finally got sick of popups too.
The virus scanner part seems broken right now, as it requires the virus scanner to support the reporting feature. Even a current copy of NAV 2004 did not make the Security Center believe that there was actually a virus scanner running. I suspect that this problem is going to be short lived, not just because major anti-virus vendors will want to make their products work with it, but because Microsoft is going to start selling Antivirus software any day now. And you just know that their version is going to work flawlessly.
There is also a long list of long overdue changes to Internet Explorer aimed to protect the user from nasty scripts and websites by changing how windows runs webpage scripts automatically. Unfortunately none of these seems to address the core problem that a regular Internet user doesn’t know well enough to not to run bad scripts when the browser asks. The default behavior is still to ask, meaning that users are still going to click yes so they can keep getting their cartoons, smileys, porno or whatever else they are after. Also, scripts continue to have too much control over of the functionality of the browser. Really, instead of using their current, complicated Zones and Digital Signatures scheme, IE should adopt the Java principle of the sandbox, and not allow anything to run outside of the current instance of the browser. And the browser should have a “Reset Me” feature that gets rid of every non-standard add-on and setting. Too many of the changes to the browser’s security seem to be comprimises aimed at accommodating the bad habits of web developers.
To make a long story short, I’m a bit underwhelmed by Service Pack 2, what with all the hype it’s got lately. The improved browser security stuff is nice, but seems like a hack for an idea that’s already way too complicated. A lot of the fixes also seem like Johnny-come-lately stuff. For example, reducing the RPC attack vectors is nice, but this vulnerability has already been exploited to death — the virus writers are now on the next big vulnerability that no one knows about.