Windows XP Service Pack 2 (SP2) is a complex update with many ramifications for IT pros. TechRepublic’s Windows XP Service Pack 2 Quick Guide drills down on critical SP2 need-to-know areas, with sections on fundamentals, changes that occur after installation, deployment procedures, problem areas, and removal.

It’s time to take an early look at some of the issues that
IT departments are facing in deployments of Windows XP Service Pack 2. You may
think I’m spending a lot of time in this column in dealing with XP SP2, but since
this is such a major software initiative, I believe the coverage is justified.
This isn’t just a cumulative roll-up of patches, but a serious security upgrade.

The network installation
package of XP SP2
was released on Aug. 9, 2004, and many organizations are
now testing it or simply considering whether to deploy it or not. Based on the
RC1 and RC2 versions of XP SP2 that Microsoft released publicly leading up to
the full release of XP SP2, there have been a number of issues discovered in
which deploying the service pack can cause problems to Windows and other
applications.

Keep in mind that once a program or service pack reaches the
RC2 stage, it is very close to the final code. However, it’s always possible
that some of the issues that are listed in this article could have been
resolved in the final release of XP SP2.


Earlier coverage of XP SP2


Details

Microsoft pushed back the release date of SP2 several times.
Apparently this was done in order to tweak the way Internet Explorer blocked
poorly-designed Web site applets, pop-ups, and Browser Helper Objects (BHOs).
Other reports say that the delay came because Microsoft wanted to give some
major corporate Web sites extra time to properly sign their ActiveX and
other applets so that functionality would not simply be cut off with the
deployment of XP SP2.

Look for the biggest problems caused by SP2 to lie in Web
functionality. It looks as if the changes to Internet Explorer could lead to a
number of Web sites not working properly. If you’re managing a Web site with a
bunch of features that include Active X and other applets, then I recommend
that you download XP SP2 immediately and load it on testing machines to see what
problems users may be facing in accessing your Web site once they are running
XP SP2.

Along the same lines, the next version of IE will include a
special Add-On Manager that makes it a lot easier to deal with ActiveX, BHOs,
and extensions. Also, when XP SP2 is deployed, Outlook Express may be a bit
safer to use with the addition of the new Attachment Manager intended to block
or at least warn about malicious attachments.

Microsoft has stated that the size of XP SP2 is so big
because a lot of code has been recompiled with a more security-conscious
compiler.

Issues with XP SP2

The big news is the incompatibilities and problems that have
already been discovered in testing XP SP2 RC2. There is an ongoing discussion at the Computer Hardware Forum that
looks at Tablet PC issues with SP2.

Computer
Reseller News
tested XP SP2 RC2 on five machines. Three displayed the
dreaded blue screen of death (BSOD) after failing to locate the winserv file.
Even worse, apparently if you try to uninstall SP2, you can also lose SP1. They
had to turn to Microsoft for help resetting the BSOD systems. This turned out
to be a major undertaking that ended up with every device driver disabled or
removed. One of the video cards simply disappeared until a new driver was
downloaded. The rest were restored from existing files on the systems.

This isn’t unique to CRN because I’ve heard other reports of
this occurring on a variety of platforms (Intel and others), but I haven’t been
able to find enough details on the system configurations to give any advice at
this point.

Some things I picked up from an MSDN blog
include:

  • SP2
    RC2 doesn’t appear to render XBMP images such as hit counters. The
    information should still be collected and available; it just doesn’t
    display on the page.
  • One
    individual complained about the pop-up ad blocker. The person had finished
    a lengthy online test only to be prompted to allow a pop-up. Doing so
    caused the entire page to reload and reset. The person lost all the work
    he’d done on that page. This was on a Microsoft site. Apparently this is
    done on purpose because capturing and replaying pop-ups instead doesn’t
    work unless the pop-up scripts are well written, which is another new SP2
    problem that is actually the result of poorly-written legacy code.
  • Darren
    Stewart, who is apparently a network administrator in the UK, wrote a
    lengthy, highly negative, and very thoughtful analysis of just what is
    wrong with the way Microsoft manages IE. He isn’t a flamer or Microsoft
    basher by any means, and what he has to say is worth reading.

On the TechWatch
forums
, there is a description of a clean XP SP2 RC2 install that resulted
in the loss of the “Startbar.”

I’ve seen various reports from around the world about
strange happenings with eBay after installing XP SP2 RC2, but I couldn’t
duplicate any problems, and I both bid and own an eBay store, so I use all the
features.

Other complaints have surfaced on the Web about an inability
to have multiple applications access Borland’s Database Engine after installing
XP SP2.

If you’re a user of Microsoft Baseline Security Analyzer
(MBSA), you’ll need to download version 1.2.1
in order to get full XP SP2 compatibility.

Final word

I think the bottom line is that most of the problems that SP2
is likely to cause are due to software developers of Web sites and third-party
applications ignoring best practices. Despite the short-term pain that a lot of
us are likely to experience, this may turn out to be a watershed development in
Microsoft security.

Although there are a lot of security-related changes in XP
SP2, the vast majority of them are aimed at clueless users rather than IT shops
that have already plugged many of the holes. Thus, administrators’ major
concern is with how SP2 breaks existing apps or reduces Web site availability—the
security enhancements will only have an indirect effect on many corporate desktop
systems. The biggest issue for desktops will probably be the fact that the
Windows Firewall (formerly Internet Connection Firewall) is now turned on by
default. That will mean that administrators may need to open some ports on it
in order to ensure connectivity to current applications and functions.

There is now a Firewall Control Panel intended to help you
turn off the Windows Firewall, if you choose. My suggestion is that if you already
have a real firewall in place and are happy with it, then you should simply
shut off the Windows Firewall.

For many mobile users, having a firewall is probably
something new. In this case, leave it enabled and select Don’t Allow Exceptions
to really lock it down in hotels and coffee shop hot spots. For mobile and any
dial-up connections, I use Symantec’s Personal Firewall and won’t switch to
SP2’s version unless forced to do so (which might happen because it seems to
turn itself back on at the drop of a hat). On the other hand, if your road
warriors didn’t have firewalls before, the one in SP2 is pretty decent, and you
probably don’t need to bother replacing it with an additional software firewall.

The thing that has scared me most about XP SP2 was the
report from experts at the CRN test lab, who were unable to remove RC2 without
Microsoft’s help, and even then found they were stuck with barebones machines
that had to be completely rebuilt by reinstalling or reactivating every single
device driver. In contacting Microsoft, they had better luck than I did; by
this column’s deadline, I had been waiting three days for Microsoft’s experts
to get back to me with comments on or explanations for the BSOD problem and the
fact that removing SP2 RC2 apparently also removes SP1. In the discussion to
this article, I’ll put the Microsoft response, if and when it comes in.


Also watch for …

  • The
    XML messaging protocol SOAP has an integer overflow vulnerability in
    Netscape browser versions 7.0 and 7.1 as well as in Mozilla 1.6. Mozilla
    1.7.1 is not vulnerable to this input validation error that has been given
    the Mitre designation CAN-2004-0722.
  • Remember
    the German teen, Sven Jaschan, who was arrested and confessed to creating
    the Sasser and Netsky worms? He was busted just a few days after his 18th
    birthday, which prevented him from crafting or spreading new worms as an
    adult, effectively immunizing him from most legal consequences, but
    possibly not from civil suits. (The German criminal legal system views
    almost anything done by a pre-adult as more deserving of counseling and a
    minor slap on the wrist than as a real criminal act worthy of prison.) Sophos
    has reported
    that the number of new viruses is up 21 percent over the
    previous year for the first half of 2004 but, according to the Sophos
    analysis, nearly 70 percent of the major virus activity was due to Sven
    Jaschan.
  • The
    same Sophos
    report
    takes an in-depth look at the year’s malware attacks and the
    hackers behind them. Kim Vanvaeck (a.k.a. Gigabyte), the first female
    hacker charged with distributing malware, was arrested by Belgian police
    and faces fines and up to three years’ prison time.
  • VPN-1-Firewall-1
    versions have a buffer overrun vulnerability in the ASN.1 decoding
    library. There is a patch
    provided by Check Point.