Despite continued improvements in catching and fixing bugs, Microsoft's software products continue to be the favored targets of intruders, and their terrorist-like attacks continue to hammer away at Microsoft's credibility. In the past few weeks alone, Microsoft issued a controversial and massive set of security fixes, delayed the security-oriented Windows XP Service Pack 2 (SP2) release from mid-2004 to late summer 2004, and watched as malicious hackers launched an electronic worm attack last week that exploited one of the vulnerabilities the company had just patched. That worm is expected to affect millions of users, although its payload, thankfully, doesn't delete data. If you're faced with the unenviable task of administering Windows systems and figured you had some breathing room, think again. Make no mistake, we're officially in quagmire territory now.
Of the above-mentioned troubles, I believe the constant XP SP2 delays are the most problematic. Despite potential compatibility concerns that will likely affect a significant portion of the computer-using populace, XP SP2 finally gives XP users the automated functionality and tools they need to keep their systems--and their personal information and data--reasonably safe from attack. The problem is that Microsoft has been building up XP SP2 as a security panacea for months, and now that the late June rollout date is a suddenly distant memory, this product might as well be Longhorn. Security is going to be better in the future--but we need it to be better now.
This week's worm attack is proof enough. Dubbed Sasser, the worm spreads automatically across the Internet and doesn't require unknowing users to manually email it, trigger it by opening an email attachment, or perform some other overt action. Sasser exploits one of the many security vulnerabilities Microsoft fixed in April's monthly security fix release, so users of Automatic Updates or enterprises that allow critical updates through Software Update Services (SUS) or Microsoft Systems Management Server (SMS) will be protected. But millions of XP (and Windows Server 2003 and Windows 2000) systems remain vulnerable. If XP SP2 were available today, the update would have prevented Sasser from becoming yet another XP epidemic.
XP SP2 could have prevented such attacks because it enables the Windows Firewall by default. Had the company taken this simple, more secure step with the original XP release's Internet Connection Firewall (ICF), the predecessor of Windows Firewall, we wouldn't be having this discussion today. But bowing to compatibility complaints from its customers and partners, Microsoft shipped XP with ICF disabled. Smart.
Not coincidentally, the recent delay in the release of XP SP2 is because of compatibility problems, and customer education will be key to getting this update installed on as many XP systems as possible, as quickly as possible. In my own experience with XP SP2 Release Candidate 1 (RC1), I've encountered a few snags that will likely be representative of the problems the wider user base will face whenever SP2 does ship.
The first problem I encountered was that XP SP2 machines can't print to my network print server. I purchased a small, inexpensive NETGEAR print server, which lets you attach a parallel- or USB-based printer directly to the network. This setup lets you print to the printer from any machine on the network. Unlike some similar print servers, however, the NETGEAR device requires that you install a client utility. And unlike the Hawking Technology print server I've also tested, the NETGEAR print server refuses to work with SP2. I did a bit of testing and discovered that it also doesn't work with XP SP1 and later if ICF is enabled, so clearly the problem is a firewall issue. I haven't solved the problem yet; I have to temporarily disable the firewall just to print. It's not an elegant solution.
Another problem I ran across is that the safer new Microsoft Internet Explorer (IE) version that's included in SP2 recently prevented me from downloading an eBook from an e-commerce Web site because the site used an ActiveX control. No amount of fiddling with IE's security settings--or even selecting the "Allow downloading from this page" option from the new IE Information Bar--worked, so I eventually gave up and downloaded the eBook from an XP SP1 machine, which worked fine. Go figure. But using an earlier OS version won't be an option for a lot of people. In enterprises that use such controls for more mission-critical work than downloading an eBook, this behavior is going to be problematic.
These problems aside, I still strongly recommend that all XP users download, test, and then deploy XP SP2 as soon as they can. This release will go a long way toward protecting users from malicious attacks and supply a baseline of security functionality that's much higher than the crippled original release of XP.
I'm often asked whether Win2K will be supported by a similar set of security enhancements. The answer is yes, though I have few details at this time. Microsoft originally developed the security updates in XP SP2 under the code name Springboard because these enhancements were initially planned for Longhorn, the next major Windows release. Microsoft will also ship Springboard enhancements in Windows 2003 SP1--due in late 2004--and in Win2K SP5. I don't know when SP5 is due, but I do know that it won't ship until after Windows 2003 SP1. And I don't know which features, specifically, Microsoft will add to that release, though the company has publicly stated that Windows 2003 SP1 will get the Springboard features from XP SP2 that make sense in a server release.
Like you, I want to know how Microsoft plans to protect non-XP users. And as I write this, I'm on a plane heading to Seattle for the Windows Hardware Engineering Conference (WinHEC) 2004, so I'll be speaking with Microsoft representatives this week. I can't guarantee that I'll discover the plans for Win2K SP5 this week, but I promise to keep asking.