Preliminary testing has revealed some problems with Windows XP Service Pack 2

This edition of The Locksmith provides details on some issues and incompatibilities that have arisen in preliminary testing of Windows XP Service Pack 2.

Windows XP Service Pack 2 (SP2) is a complex update with many ramifications for IT pros. TechRepublic's Windows XP Service Pack 2 Quick Guide drills down on critical SP2 need-to-know areas, with sections on fundamentals, changes that occur after installation, deployment procedures, problem areas, and removal.

It's time to take an early look at some of the issues that IT departments are facing in deployments of Windows XP Service Pack 2. You may think I'm spending a lot of time in this column in dealing with XP SP2, but since this is such a major software initiative, I believe the coverage is justified. This isn't just a cumulative roll-up of patches, but a serious security upgrade.

The network installation package of XP SP2 was released on Aug. 9, 2004, and many organizations are now testing it or simply considering whether to deploy it or not. Based on the RC1 and RC2 versions of XP SP2 that Microsoft released publicly leading up to the full release of XP SP2, there have been a number of issues discovered in which deploying the service pack can cause problems to Windows and other applications.

Keep in mind that once a program or service pack reaches the RC2 stage, it is very close to the final code. However, it's always possible that some of the issues that are listed in this article could have been resolved in the final release of XP SP2.

Earlier coverage of XP SP2


Microsoft pushed back the release date of SP2 several times. Apparently this was done in order to tweak the way Internet Explorer blocked poorly-designed Web site applets, pop-ups, and Browser Helper Objects (BHOs). Other reports say that the delay came because Microsoft wanted to give some major corporate Web sites extra time to properly sign their ActiveX and other applets so that functionality would not simply be cut off with the deployment of XP SP2.

Look for the biggest problems caused by SP2 to lie in Web functionality. It looks as if the changes to Internet Explorer could lead to a number of Web sites not working properly. If you're managing a Web site with a bunch of features that include Active X and other applets, then I recommend that you download XP SP2 immediately and load it on testing machines to see what problems users may be facing in accessing your Web site once they are running XP SP2.

Along the same lines, the next version of IE will include a special Add-On Manager that makes it a lot easier to deal with ActiveX, BHOs, and extensions. Also, when XP SP2 is deployed, Outlook Express may be a bit safer to use with the addition of the new Attachment Manager intended to block or at least warn about malicious attachments.

Microsoft has stated that the size of XP SP2 is so big because a lot of code has been recompiled with a more security-conscious compiler.

Issues with XP SP2

The big news is the incompatibilities and problems that have already been discovered in testing XP SP2 RC2. There is an ongoing discussion at the Computer Hardware Forum that looks at Tablet PC issues with SP2.

Computer Reseller News tested XP SP2 RC2 on five machines. Three displayed the dreaded blue screen of death (BSOD) after failing to locate the winserv file. Even worse, apparently if you try to uninstall SP2, you can also lose SP1. They had to turn to Microsoft for help resetting the BSOD systems. This turned out to be a major undertaking that ended up with every device driver disabled or removed. One of the video cards simply disappeared until a new driver was downloaded. The rest were restored from existing files on the systems.

This isn't unique to CRN because I've heard other reports of this occurring on a variety of platforms (Intel and others), but I haven't been able to find enough details on the system configurations to give any advice at this point.

Some things I picked up from an MSDN blog include:

  • SP2 RC2 doesn't appear to render XBMP images such as hit counters. The information should still be collected and available; it just doesn't display on the page.
  • One individual complained about the pop-up ad blocker. The person had finished a lengthy online test only to be prompted to allow a pop-up. Doing so caused the entire page to reload and reset. The person lost all the work he'd done on that page. This was on a Microsoft site. Apparently this is done on purpose because capturing and replaying pop-ups instead doesn't work unless the pop-up scripts are well written, which is another new SP2 problem that is actually the result of poorly-written legacy code.
  • Darren Stewart, who is apparently a network administrator in the UK, wrote a lengthy, highly negative, and very thoughtful analysis of just what is wrong with the way Microsoft manages IE. He isn't a flamer or Microsoft basher by any means, and what he has to say is worth reading.

On the TechWatch forums, there is a description of a clean XP SP2 RC2 install that resulted in the loss of the "Startbar."

I've seen various reports from around the world about strange happenings with eBay after installing XP SP2 RC2, but I couldn't duplicate any problems, and I both bid and own an eBay store, so I use all the features.

Other complaints have surfaced on the Web about an inability to have multiple applications access Borland's Database Engine after installing XP SP2.

If you're a user of Microsoft Baseline Security Analyzer (MBSA), you'll need to download version 1.2.1 in order to get full XP SP2 compatibility.

Final word

I think the bottom line is that most of the problems that SP2 is likely to cause are due to software developers of Web sites and third-party applications ignoring best practices. Despite the short-term pain that a lot of us are likely to experience, this may turn out to be a watershed development in Microsoft security.

Although there are a lot of security-related changes in XP SP2, the vast majority of them are aimed at clueless users rather than IT shops that have already plugged many of the holes. Thus, administrators' major concern is with how SP2 breaks existing apps or reduces Web site availability—the security enhancements will only have an indirect effect on many corporate desktop systems. The biggest issue for desktops will probably be the fact that the Windows Firewall (formerly Internet Connection Firewall) is now turned on by default. That will mean that administrators may need to open some ports on it in order to ensure connectivity to current applications and functions.

There is now a Firewall Control Panel intended to help you turn off the Windows Firewall, if you choose. My suggestion is that if you already have a real firewall in place and are happy with it, then you should simply shut off the Windows Firewall.

For many mobile users, having a firewall is probably something new. In this case, leave it enabled and select Don't Allow Exceptions to really lock it down in hotels and coffee shop hot spots. For mobile and any dial-up connections, I use Symantec's Personal Firewall and won't switch to SP2's version unless forced to do so (which might happen because it seems to turn itself back on at the drop of a hat). On the other hand, if your road warriors didn't have firewalls before, the one in SP2 is pretty decent, and you probably don't need to bother replacing it with an additional software firewall.

The thing that has scared me most about XP SP2 was the report from experts at the CRN test lab, who were unable to remove RC2 without Microsoft's help, and even then found they were stuck with barebones machines that had to be completely rebuilt by reinstalling or reactivating every single device driver. In contacting Microsoft, they had better luck than I did; by this column's deadline, I had been waiting three days for Microsoft's experts to get back to me with comments on or explanations for the BSOD problem and the fact that removing SP2 RC2 apparently also removes SP1. In the discussion to this article, I'll put the Microsoft response, if and when it comes in.

Also watch for …

  • The XML messaging protocol SOAP has an integer overflow vulnerability in Netscape browser versions 7.0 and 7.1 as well as in Mozilla 1.6. Mozilla 1.7.1 is not vulnerable to this input validation error that has been given the Mitre designation CAN-2004-0722.
  • Remember the German teen, Sven Jaschan, who was arrested and confessed to creating the Sasser and Netsky worms? He was busted just a few days after his 18th birthday, which prevented him from crafting or spreading new worms as an adult, effectively immunizing him from most legal consequences, but possibly not from civil suits. (The German criminal legal system views almost anything done by a pre-adult as more deserving of counseling and a minor slap on the wrist than as a real criminal act worthy of prison.) Sophos has reported that the number of new viruses is up 21 percent over the previous year for the first half of 2004 but, according to the Sophos analysis, nearly 70 percent of the major virus activity was due to Sven Jaschan.
  • The same Sophos report takes an in-depth look at the year's malware attacks and the hackers behind them. Kim Vanvaeck (a.k.a. Gigabyte), the first female hacker charged with distributing malware, was arrested by Belgian police and faces fines and up to three years' prison time.
  • VPN-1-Firewall-1 versions have a buffer overrun vulnerability in the ASN.1 decoding library. There is a patch provided by Check Point.

Editor's Picks

Free Newsletters, In your Inbox