Windows XP SP2 contains some legitimate security improvements

Windows XP Service Pack 2 introduces significant changes to the Internet Connection Firewall and to handling buffer overruns. See how these changes could improve the default XP security configuration, and get the latest on other new security issues.

With the Windows XP Service Pack 2 Beta being released to thousands of testers, it’s time for administrators to take a look at the forthcoming changes. With the exception of any unintended consequences that always crop up and some compatibility issues, it looks like XP SP2 will offer some nice changes, especially in the security realm.

Microsoft's new patch release schedule
Microsoft recently changed its update and patch release schedule from weekly (when there were issues to address) to once a month, in part recognizing that few administrators have time to apply patches every weekend. Although Microsoft says it will continue to release emergency updates at any time, some serious vulnerabilities were widely known for several weeks in December before the company responded at all, and this raises serious security concerns.

It almost seems as if the new patch policy should have been introduced after XP SP2 shipped rather than now, because the second major upgrade to XP will include a number of changes intended to indirectly simplify security patch management by providing improved default security.

Some applications will have to be changed to remain compatible with SP2, and there are bound to be unforeseen problems introduced by such major changes to XP. Overall, though, SP2 should significantly improve the basic security of XP systems, even when not every patch is applied the moment an exploit is discovered and publicized.

Buffer overrun protection
Buffer overruns are consistently at or near the top of the list of vulnerabilities that are actually exploited by attackers. This is a serious problem, but not an easy one to address, and Microsoft is introducing a number of changes to counter the threat.

SP2 will include XP components recompiled with the latest compiler, which adds new anti-buffer overrun protections. XP SP2 will also include support for the no execute (NX) feature found in some CPUs. This permits hardware-enforced memory areas that can be used only for data storage, so code that a buffer overrun writes into those protected areas cannot be executed to attack the system. It doesn’t stop buffer overruns, but it does block most of their potential for causing damage.

ICF changes
The rather weak Microsoft Internet Connection Firewall, which has always shipped with XP, will now be turned on by default, improving the native security of the OS out of the box. SP2 will also add other features designed to make it easier and more flexible to run XP with ICF turned on.

The new ICF changes will also allow some one-time administrative adjustments for particular applications. Currently, some applications only work under a local administrator account when ICF is running, because they need ports opened and closed on demand. By adding an application to a “white” list that only an administrator can edit, P2P and similar applications will have their port opening and closing handled automatically, and users will no longer need elevated privileges to run them.

Administrators will now be able to fine-tune RPC services so a particular port can be reserved for RPC even when the application itself isn’t placed on the white list. There will also be changes to Outlook Express that will greatly improve the ability to block attachments. In addition, ActiveX controls will be improved, and other changes will help prevent malicious ActiveX exploits and the planting of spyware.

Microsoft estimates that these network-oriented changes in XP SP2 “will reduce the number of patches that customers need to deploy in order to protect their systems and networks, perhaps by as much as 70 to 80 percent.”
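The administrator-only white list and the RPC port handling described above, shown as an added illustration that is not from the column: the commands use the `netsh firewall` context that the released SP2 provides for the renamed Windows Firewall. The column predates the release and gives no syntax, so the program path, the rule names and the SUBNET scope below are assumptions chosen for the example.

```batch
@echo off
rem Added example (not from the column): configuring the SP2 firewall's
rem administrator-only exception list from a command prompt run as an
rem administrator. The program path, rule names and scopes are placeholders.

rem Confirm the firewall is on and that the exception lists are honored.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem White-list an application once, as administrator. Afterwards the firewall
rem opens and closes the ports the program listens on automatically, so an
rem ordinary user can run it without elevated privileges.
netsh firewall add allowedprogram program="C:\Program Files\ExampleP2P\p2p.exe" name="Example P2P client" mode=ENABLE scope=SUBNET

rem Reserve a specific port for an RPC-based service that is not on the
rem program list. Port 135 is the RPC endpoint mapper; limiting the scope
rem to the local subnet keeps the exception from being reachable from the Internet.
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper (LAN only)" mode=ENABLE scope=SUBNET

rem Review the resulting state and exception lists.
netsh firewall show state
netsh firewall show allowedprogram
netsh firewall show portopening
```

Each `add` is a one-time action by an administrator; once the entries exist, non-privileged users get the port behaviour the column describes without any further interaction with the firewall. Restricting exceptions with `scope=SUBNET` rather than the default of all addresses is the conservative choice for services that only need to be reached on the LAN.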

Final word
XP SP2 is just going into beta and is scheduled to be deployed in mid-2004, so developers urgently need to begin planning for it. Administrators also need to be aware that big changes are coming, some of which may require a bit of additional work. However, if the changes work as intended, they'll make XP security considerably better in the long run and greatly reduce the vulnerability of systems between the time new exploits are published and patches are deployed.

Much of the information about SP2 in this column is necessarily pretty general; that’s intentional. Although the general outline of changes to XP is known, SP2 is still in beta so many of the low-level details are likely to be changed.

Administrators need to know what's coming, both to prepare for the changes it will force on them and, perhaps, to alter plans for future software purchases or implementations that would duplicate these changes and security enhancements to XP.

It might also be a good idea to include the new specs in any applications now under development or even delay some purchases to make certain the new software recognizes and takes advantage of the forthcoming changes in XP SP2.

Also watch out for …
  • There is a new federal antispam law, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), going into effect on January 1, 2004. Many security specialists consider CAN-SPAM more of a pro-spam law because, more than anything else, it really provides guidelines for legal spamming instead of doing anything significant to outlaw resource-wasting junk e-mail. The Direct Marketing Association had a big hand in shaping this law, which may have been rushed through Congress in large part because a much stricter law was about to go into effect in California, one that required an “opt-in” policy rather than the “opt-out” requirement included in the federal statute. What is most likely to happen is that the new regulations will eventually cause a reduction in the sex, drugs, and porno e-mail, but will override 34 state laws, thereby opening up mailboxes to an unwanted junk e-mail flood from “legitimate” businesses. This law may reduce the threat to children but probably won’t do anything to reduce the cost of removing unwanted e-mail from corporate mail servers. According to a report, even the Federal Trade Commission, which is tasked with combating business and advertising fraud, objected to some provisions in this bill because it says they will weaken the FTC’s current antispam efforts. Further, just as antispam suits by companies and individuals are beginning to have some impact on the junk e-mail business, CAN-SPAM will actually make it illegal for anyone to sue spammers in civil court. CAN-SPAM even removes the requirement in some states that forced the addition of “ADV” to all advertising message lines. Only sexually explicit ads will now have to be labeled in a way that spam filters can easily remove them.
  • Keep in mind that Windows 98 support will end in January. This means no further security patches will be made available.
  • On the good news front, the U.S. is becoming more aggressive in pursuing crackers, which should send a message to the professional malefactors, if not the script kiddies. An accused Ukrainian identity thief and software piracy millionaire has been extradited from Thailand to face charges in California. The more cynical among you may suspect that if he had stuck with identity theft and left Autodesk and Microsoft programs alone, he might not have been pursued quite so diligently.
