WinXP SP2 - to install or not to install?

At a recent seminar, delegates were asked what really annoyed them about computers, and one of the answers was "bloatware". Most people who have installed any software and then tried to use it simply find that there are so many features that have to be accepted, adjusted or rejected, assuming you can find the right menu options.

Within security circles there has been a lot of discussion concerning keeping operating systems up-to-date. The antidote for the numerous computer viruses had been available as system updates 6 months before the virus actually hit, but many users had not implemented the updates. Part of the reason for this is that there is always an unknown factor when making changes, and many of us do not have the facility for testing upgrades to ensure they do not affect anything else.

There is currently some discussion surrounding the release of Service Pack 2 for Windows XP. Thomas C Greene has reported on an evaluation test done on the security features of Windows XP SP2 (as it is colloquially known). A clean machine was used with XP Pro installed using factory defaults, and the upgrade path using SP1 then SP2 was followed. It is worth noting that major upgrades to systems often require the previous upgrade to have been properly implemented. This can be a problem with major database systems such as Oracle: where an upgrade or two have been omitted, the user then finds it a major problem to obtain support when the latest upgrade cannot be installed. As many financial systems are dependent on Oracle database functionality, this is something that is worth raising with clients from time to time.

Thomas C Greene reports that "overall, SP2 did little to improve our system's practical security, leaving too many services and networking components enabled, bungling permissions, leaving IE and OE vulnerable to malicious scripts, and installing a packet filter that lacks a capacity for egress filtering".

The report goes on to say that "the new Security Center utility with its frequent Security Alert popups will certainly give users the impression that SP2 is a security-oriented package, as Microsoft's PR boilerplate promises. However, the Security Center does little beyond warning users that the firewall is disabled, that automatic updating is disabled, or that antivirus software has not been installed. It may look impressive, but the SP2 package fails to provide several of the most important, basic modifications required to run Windows safely on an Internet-connected machine".

There are so many issues raised concerning SP2 that are regarded as a real danger to single and home users that it would be invidious to attempt to list them here. However, two areas that give cause for concern are the automatic "Windows Update" setting and protection against spyware activity.

"Windows Update" is off by default. Microsoft would very much like everyone to enable it, and now urges users to do so every time Windows Update is run manually; but it is never a good idea to let a third party decide what software should be installed on your machine, or when. This service should remain off, and users should update Windows manually, though regularly, paying attention to the various update options and their relevance to one's system.

Because of the vast amount of malware, spyware, and adware plaguing Windows, it is crucial that a packet filter warn users whenever a program attempts to send data to the Internet. SP2 is of no value in this regard. It does, however, warn users of third-party clients that will accept incoming connections, and offers users an opportunity to block or enable them individually. Nevertheless, Windows users must monitor outgoing connections, and must therefore continue to deploy a third-party firewall or packet filter capable of egress filtering in order to run Windows XP safely.

It is easy to see that there are many things that need to be considered in simply setting up and running Windows XP safely. The previous edition of Chartech news highlighted the fact that any new computer being set up has a 20-minute window to avoid being infected from the Internet. This is shorter than it takes some protection software to be updated. Hmmmm!

Alan Phillips, 7Safe Information Security
September 2004