Well, it’s official. Microsoft isn’t going to force you into upgrading your customers’ XP systems to SP2 anytime soon. But, like it or lump it, maybe you had better start working on it sooner than later anyway.
Microsoft is giving everyone until April 12, 2005, before they start pushing SP2 to all Windows XP and Windows XP Service Pack 1 customers automatically via Windows Update and Automatic Update. If you do much work with Windows XP clients, you already know the reason why: incompatibilities.
Joe User at home playing Doom 3 may wonder what all the fuss is about, but many, way too many, XP business applications break under SP2. In particular, programs that rely on Internet Explorer pop-ups and ActiveX are having a lot of trouble.
So what’s the problem? We’ve got six months to work these problems out, right?
Do we? SP2 may have stuffed some security holes, but it also opened up a host of others. Some of those holes also hit SP1 systems.
For example, there’s an SP2 hole, still unpatched, that utilizes Internet Explorer’s drag-and-drop feature and the Windows “shell folders” to invisibly copy a malware program from a malicious Web site to a user’s startup folder. Once there, the program—a key logger, a spambot, whatever—will execute whenever the user logs on.
Worse still, according to Secunia Research, this “vulnerability is actively being exploited in the wild.” Oh boy.
For now, you can stop it in its tracks by either switching users to a safer Web browser like Firefox or by turning off some of Internet Explorer’s functionality by disabling active content.
Of course, eventually there will be a patch. But, there’s the rub. A patch for what? Just SP2? SP1 and SP2? I don’t know and, after more than a day, Microsoft hasn’t been able to give me an answer yet either.
You see where this is leading, right? We can be sure that there will eventually be a patch for this problem, and the other problems that are sure to show up, with SP2, but I’m not at all sure we can count on Microsoft delivering any more patches for SP1.
It takes a lot of time and money to test out a patch. Will Microsoft go to that much effort?
Since, as a Microsoft spokesperson told me Thursday, “SP2 delivers the latest security updates and innovations from Microsoft, establishes strong default security settings, and adds new proactive protection features that will help better safeguard computers from hackers, viruses and other security risks,” I doubt it.
Even if they do patch both versions of XP, that’s going to double the boys in Redmond’s workload. That, in turn, means security patches will come out even slower. Great, just great.
Microsoft is also encouraging people to “enable Automatic Updates after installing SP2, which helps make security easier by automatically downloading and installing all available security updates.” That may be the best idea for Joe User at home, but it’s a foolhardy philosophy for a business since patches, as SP2 has shown, can break mission-critical applications.
Hmmm … doesn’t sound good to me.
So what can we do about it?
Well, for starters, we need to keep our third-party security guard up as high as ever. Firewalls, anti-virus programs, backups, restrictions on network connectivity, the whole nine yards of business security are just as necessary as they’ve ever been.
Next, if your customers are sticking with XP, you need to get on your software vendors and get SP2-compatible program updates as soon as possible. If, as is often the case, these are homebrewed or out-of-date, not well-supported programs, well you’d better get some programmers cracking on fixing them by say … yesterday.
You see, if your customers are sticking with XP SP1, and not moving to SP2, a Linux desktop or the new Macs, you really don’t have until April 12th of next year. You only have until a major security breach rips your clients’ XP SP1 systems apart.
eWEEK.com Senior Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late ’80s and thinks he may just have learned something about them along the way.
Check out eWEEK.com’s Windows Center at http://windows.eweek.com for Microsoft and Windows news, views and analysis.
Be sure to add our eWEEK.com Windows news feed to your RSS newsreader or My Yahoo page