Why are people not using SP2?


zapjb
January 22nd, 2006, 02:05 PM
Just read another security thread here. Really like this forum btw. Anyways the poster lists all their apps then says XP with SP1. I understand if one never connects to the net. Or a mission critical app in a work environment has issues. But 1 of the first things I was taught was to keep an OS updated. My belief is that most of the people who don't run SP2 or even SP1, don't meet either of the exception criteria I mentioned. :wacko:

ILikeLemonPie
January 22nd, 2006, 02:23 PM
Not true. XP SP1 can still be updated with all the latest security patches. SP2 only adds additional *features* that may well improve security, but third party apps may also do it just as well.

hollywoodpc
January 22nd, 2006, 02:36 PM
Think what you will but , I have to go with zap here . Anything that has to do with M$ should be updated to their latest . Not that the latest is worth a damn but , you know what I mean . Just an opinion but , I would certainly use SP2 because it is available and stable . Staying with SP1 seems ridiculous . Unless , it somehow runs better on your system but , again , with M$ , you should update the SP . Again . That is my opinion . Anyone using SP1 is fine . No bother to me . I , like zap , do not understand the thought behind staying on SP1 while SP2 is stable and well functioning . 8)

Notok
January 22nd, 2006, 07:05 PM
SP2 actually has a lot of security (as well as stability and performance) fixes (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;811113), not just features.. many of which were long overdue. This is particularly evidenced by the numerous vulnerabilities that don't affect systems with SP2.

I don't get it.. so many people spent so long being angry at MS for not fixing all these things, then when MS does put out the fix they don't want to use it. I'd bet money that this is especially going to be the case with Windows Vista. I haven't had any problems with SP2, and at this point pretty much all incompatible software has been updated to work. I can understand if there's something that really doesn't work with SP2 that is critical to your work, but I haven't encountered anything like that.

Peter2150
January 22nd, 2006, 07:42 PM
{QUOTE-> SP2 actually has a lot of security (as well as stability and performance) fixes (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;811113), not just features.. many of which were long overdue. This is particularly evidenced by the numerous vulnerabilities that don't affect systems with SP2.

I don't get it.. so many people spent so long being angry at MS for not fixing all these things, then when MS does put out the fix they don't want to use it. I'd bet money that this is especially going to be the case with Windows Vista. I haven't had any problems with SP2, and at this point pretty much all incompatible software has been updated to work. I can understand if there's something that really doesn't work with SP2 that is critical to your work, but I haven't encountered anything like that. <-QUOTE}

I agree. I've had no problems from SP2. I suspect more and more vendors are going to stop trying to support older stuff.

houseisland
January 22nd, 2006, 10:24 PM
There are a few businesses that I know of who will roll out SP2 because some of their proprietary business applications will not run with SP2.

Slovak
January 23rd, 2006, 05:35 AM
My guess as to why most people are not using sp2 is because they have a hacked copy of WinXp.

sp2hater
January 23rd, 2006, 06:06 AM
{QUOTE-> SP2 actually has a lot of security (as well as stability and performance) fixes (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;811113), not just features.. many of which were long overdue. This is particularly evidenced by the numerous vulnerabilities that don't affect systems with SP2.

I don't get it.. so many people spent so long being angry at MS for not fixing all these things, then when MS does put out the fix they don't want to use it. I'd bet money that this is especially going to be the case with Windows Vista. I haven't had any problems with SP2, and at this point pretty much all incompatible software has been updated to work. I can understand if there's something that really doesn't work with SP2 that is critical to your work, but I haven't encountered anything like that. <-QUOTE}

Oh sure, there are a couple of people running around these forums that won't convert because of problems with printer drivers or something.

They also think they don't need SP2, which they think is for fools who don't know how to protect their computers anyway, and they are perfectly safe with Processguard (PG), NOD32 and so on.

I've noticed that these people who don't upgrade also tend to be the ones who have more problems with other software. Because like it or not, particularly in the software world today (particularly security software!), most vendors are working on the assumption that the user is on XP SP2 like all security conscious people. Sad but true.

Take PG 3.2. It went through a whole beta testing stage, and nobody thought to even test it on XP SP1. Melee was enraged when she discovered it didn't work properly on XP SP 1, I can tell you that.

But really, we should wait for Melee to arrive with an answer, she hates XP SP2 with a vengeance.

SpikeyB
January 23rd, 2006, 07:51 AM
{QUOTE-> Take PG 3.2. It went through a whole beta testing stage, and nobody thought to even test it on XP SP1. <-QUOTE}
I think they did: http://www.wilderssecurity.com/showpost.php?p=664108&postcount=26

bigc73542
January 23rd, 2006, 08:02 AM
Using sp1 and not updating to sp2 in my opinion is just like not updating to a newer version of an antivirus program to get the extra protection it affords. And sp1 can not be updated to have the same security protection of sp2. If it could they would not have spent the time and money developing sp2.

sukarof
January 23rd, 2006, 08:04 AM
I have asked myself that question too: "why don't all use SP2"
Sure, there were some issues way back in the beginning when SP2 arrived, some programs and drivers didn't work correctly with SP2. I remember me having problems with NOD32 and Outpost FW, but being the customer oriented companies they are they came up with new versions quickly. Surely any serious business has updated their programs/drivers to comply with SP2 by now?

Bob D
January 23rd, 2006, 10:29 AM
Apparently SP2 upgrades installed on <1/4 of XP mach.s.(!)
Market outside of North America seems least compliant.
Reasons given:
Stability and software compatibility issues (in some cases, it's been known to break stuff).
Rampant piracy (especially in far east).
250 Mb SP2 download is a lot of fun if you're on dial up.
http://www.pcworld.com/resource/article/0,aid,120288,pg,1,RSS,RSS,00.asp
http://it.slashdot.org/article.pl?sid=05/12/16/233223

ILikeLemonPie
January 23rd, 2006, 11:19 AM
Again, SP2 offers security FEATURES that are often just duplications of third-party applications. If you don't run these other applications, it IS better to upgrade. The actual FIXES in SP2 are **not** security-related in any way. If they don't "fix" anything I use, why should I allow the security forum police to intimidate me into going with SP2? Again - ALL SECURITY FIXES and updates have already been patched in SP1, and continue to be patched with each update. SP2 does not play nice with several things that are important to me. I am surprised that so many here believe that we need a "Security Center" with an *inbound* firewall, and annoying notifications that an AV isn't running is ridiculous. That's not a reason for a power-user to upgrade to SP2. Why do so many jump when MS says "jump?" SP2 is in many ways, the Windows ME answer to Windows 98 and delays in Windows XP. Except this time, it's to coddle those who have patiently awaited the delays in Longhorn (Vista).

Many of you are giving SP2 WAYYY more credit for being something useful than it deserves.

Fernando Villegas
January 23rd, 2006, 11:46 AM
If you think Windows XP SP2 is just adding a security center and inbound firewall, you are sadly mistaken.

sukarof
January 23rd, 2006, 11:53 AM
{QUOTE-> why should I allow the security forum police to intimidate me into going with SP2?
<-QUOTE}
If your system works fine without SP2 no one is "intimidating" you to do anything.
If some don't want SP2 then they just have to live with some programs not playing well on their system.
Programs and OS's evolve. One can't demand backwards compatibility forever. People just need to accept that fact.
I still would like to know more specifically what the problem is with SP2 and people's systems. What programs or maybe hardware do not work with SP2. If there are any, isn't it up to the vendor of that program/hardware to fix it? MS has done some fixing with major program incompatibilities, but they can't keep track of every obscure program and hardware. Imo it is up to the vendor to fix the compatibility issues, which any serious (even small companies) vendor has done.
Or is it just an attitude like: "No one is gonna force me to install anything just because the big evil MS suddenly decides to publish useless service packs filled with lies that only are designed to cause trouble for the users...." ?
I live "overseas" and it was no big deal installing and using SP2, there were some glitches but they were fixed pretty fast.

{QUOTE-> Many of you are giving SP2 WAYYY more credit for being something useful than it deserves. <-QUOTE}

It's useful in the sense that SP2 users don't have to worry about program/driver/hardware incompatibilities like some (remember: not all) people who haven't installed SP2 do.

iceni60
January 23rd, 2006, 12:46 PM
there are lots of "point and click" exploits just like this which can attack people running SP1 in under a minute - about 3 mouse clicks. all you need is the address of the person you want to attack :o

all i've done is edit the name a little and left out the address

i had to delete what i had written because no matter how i edited it it took me to a howto to exploit SP1 when looked up on google. that's how easy it is to do and shows how many sites show you how to do it :o :o and it's not just people who haven't updated to SP2 it's any software which isn't up-to-date.

i've never tried the exploits, but i've seen videos carrying them out. if you trust me and you are running SP1 give me your address and i'll try it out. the videos i've seen give the attacker full control of the PC in about a minute with a few mouse clicks.

sowhat
January 23rd, 2006, 05:58 PM
1)No Raw Sockets,no SP2 here.
If Microsoft doesn't want people to know how TCP/IP works,that's their problem,not mine.
Nmap's author Fyodor said about that matter:
"Pick your poison...cripple your OS or remain vulnerable to remote code execution and DoS."
Well,with complete respect to Fyodor,i'll have to disagree:
you're vulnerable no matter what poison you choose!
(For the record...land attack successful against SP2's TCP/IP stack?Wasn't this solved back in...Win98?)

2)Backwards Compatibility,in 2 words:No Way!
In more words:Time is very precious to spend it to find out which software will be broken by SP2.
I've lived that in the past,a loooot of times....oh no,thanks,no more,sir.
I've seen a lot of people's OSes to have been broken after SP2,i 'd say:
1/3 no problem,1/3 some (probably fixable) problems and final third a lot of "not fixable" problems.
In this case,i won't just say:"if it ain't broken,then don't fix it".
I say:"If it's that much broken,there's little point trying to fix it".

3)To my eyes,SP2 is about as secure as SP1.Period.
Most of the exploits found were affecting almost the same both SP1+SP2.
Main difference is that some of them could affect SP1,IF(as Microsoft states):
"the attacker could authenticate/log on locally".
If an attacker can log on locally in your windows machine...
then there's no point of fixes-or windows ;-) at all:
he/she can pretty much do/install/delete whatever he/she wants,
with an effort limited in 2-3 console commands.

Something like a MacOSX,Red-Hat,Mandrake-like solution simple enough for everyday use,
but also enough secure without requiring advanced knowledge from end-users,
is pretty much possible in the nearby future,in 6-7 years maybe...
So,I strongly believe Microsoft has lost the "game",no matter what they'll do...
SP2,SP-whatever,Vista,.Net,DRM,software patents,big deals with hardware/game/video vendors etc...
they pointed all their efforts on the average Joe;and even he/she has already got bored with all this.
It's a really funny thing,because in the end...a fairly common secret,
at least the 70% of their main target group are actually...the ones that they're chasing(!):
people who like to a)do "music file-sharing",b)play games and c)rip/manipulate DVD-video related material.
The last two reasons are also the main reasons that might convince/purge people to upgrade to Vista...

jayzzz
January 23rd, 2006, 06:15 PM
I’m still using SP1 because I decided it’s most practical for me. The sites I visit are low-key. I stay current on hotfixes and use protective applications I learned about here at Wilders with current definitions. It’s as well locked down as it can be. I use Firefox for searches and opening links, with AdBlocker and a Java disabler extension.

8) I don't want to spend time working on the system while I could be enjoying it, paying attention to my husband or cats, or getting to know my first grandchild due April 3. I’ll do a reformat & clean install w/ SP2 if/when I must, but right now, it ain’t broken (at least, nothing that appears relevant to my Service Pack) and I don’t see a benefit to me in doing anything.

:dry: My XPHome is legal but I won’t entrust it to the M$N update site nowadays. I read (quite awhile back) that M$N updates would use their permissions as a Trusted site to install SP2 on machines not yet in compliance, whether wanted or not. When I bought this computer, the software stopped being the property of M$N or of Dell and the idea angered me enough to keep it off my hard drive until it becomes easier for me to have it than not to. Approval is nice, but my own convenience is nicer.

:) mj

ILikeLemonPie
January 23rd, 2006, 07:15 PM
Here are Microsoft's reasons to upgrade to SP2:
http://www.microsoft.com/windowsxp/sp2/topten.mspx

They are all about features.

Microsoft has left no *security* fixes unpatched in SP1. Period.

As for the features, I don't need ActiveX warnings, I don't need to be told my firewall is not running, I don't need to be told about the status of my antivirus. In fact, if I use something other than IE, I don't need much of anything SP2 offers. The "fixes" don't affect me at all.

Microsoft has given the masses something to make them THINK they have done something while working (and working) on the long overdue Longhorn (Windows Vista).

Can anybody say Windows ME?

Notok
January 23rd, 2006, 11:40 PM
{QUOTE-> They are all about features. <-QUOTE}
Probably because the average person doesn't care about fixes, features are the only thing to entice most people. If you order the SP2 CD in the mail, the packaging it comes in looks very much like some of the minimal security software packs that you buy in a store.. make them feel like they're actually getting something, and they're more likely to use it.

{QUOTE-> Microsoft has left no *security* fixes unpatched in SP1. Period. <-QUOTE}
Sure, after the fact.

N1ckR
January 24th, 2006, 04:57 AM
For me (funnily stuck on a win 2k machine in the office), IE enhancements are great. Wireless works MUCH better, I have a Linksys wireless card and a Belkin card and their own wireless configuration utilities suffer issues (one doesn't work in limited user account and the other suffers massive disconnects), SP2's wireless configuration utility works flawlessly for me, this is the main reason for me using SP2.

Alec
January 25th, 2006, 12:27 PM
I'm going to quote what I wrote nearly a year ago (http://www.wilderssecurity.com/showthread.php?p=426441&postcount=47) about this very subject:
{QUOTE-> In my opinion there are several points of misinformation in this thread that need clarification:

SP2's nagging / badgering. If you are judging SP2 solely on the Security Center functionality then you are misguided. Period. 1) You can turn it off. 2) It is annoying and superficial. And, 3) It's far from being the most significant of changes affected by SP2.


SP1 must be installed prior to SP2. This is not true. According to Microsoft (http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;811113), "Service packs are cumulative. This means that the problems that are fixed in a service pack are also fixed in later service packs. For example, Windows XP SP2 contains all the fixes that are included in Windows XP Service Pack 1 (SP1). You do not have to install an earlier service pack before you install Windows XP SP2."


Slow performance. In the vast majority of cases this is the temporary and transitional result of the upgrade process itself. SP2 includes re-compiled versions of basically every system executable. That is why it is so large. Every system executable is downloaded in a huge msi or cab file and then must then again be unpacked on to the drive. In most cases this results in file fragmentation and less than optimal file placement on the drive. A thorough defragmentation will resolve the bulk of this problem. In addition, Windows XP includes some Boot Loader and Logical Prefetch (http://msdn.microsoft.com/library/en-us/appendix/hh/appendix/enhancements5_0eecebea-e58b-4c95-8520-9b1dc2bc6196.xml.asp?frame=true) optimization techniques that attempt to optimize file I/O based upon past system demands and trends. Therefore, the installation of SP2 basically forces the optimization process to start over... temporarily negatively affecting newly installed SP2 performance in comparison to existing SP1 performance.


Incompatibilities. From my experience, the vast bulk of incompatibilities relate to one of the following several causes: 1) SP2's built-in firewall; 2) SP2's new limit on the number of unestablished, or "half-open", TCP sessions; 3) SP2's elimination of certain insecure programming practices and the resultant effect on 3rd party apps; and 4) SP2's DEP featureset and people enabling it for all applications when some 3rd party apps are not yet compliant with its requirements. Each of these problems results largely from a conscious decision Microsoft made to emphasize tighter security over legacy application compatibility. They worked very hard to eliminate all incompatibilities where it was consistent with the tighter security defaults to do so, but they could not eliminate all of them. In my opinion this is in most cases a good thing, people will just have to upgrade those apps that are written in an insecure fashion or that rely upon insecure mechanisms.


SP2 was primarily directed at consumers. If the only enhancements in SP2 were the SP2 Security Center and the SP2 Firewall, then this might be true. However, those were not the only enhancements. Many security defaults were changed. Many bugfixes were implemented. Code was recompiled with buffer-overflow / stack guard protections enabled. Contrary to some people's apparent belief, there are in fact many serious security vulnerabilities that exist in SP1 that do not exist in SP2, for example: Vulnerability in the Indexing Service Could Allow Remote Code Execution (http://www.microsoft.com/technet/security/Bulletin/MS05-003.mspx), Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx), Multiple vulnerabilities in Internet Explorer (http://www.microsoft.com/technet/security/Bulletin/MS04-040.mspx), Vulnerability in Windows Shell Could Allow Remote Code Execution (http://www.microsoft.com/technet/security/Bulletin/MS04-037.mspx), Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (http://www.microsoft.com/technet/security/Bulletin/MS04-034.mspx), Vulnerability in NetDDE Could Allow Remote Code Execution (http://www.microsoft.com/technet/security/Bulletin/MS04-031.mspx), Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service (http://www.microsoft.com/technet/security/Bulletin/MS04-030.mspx), etc.


"I'll just wait for Internet Explorer 7.0." First, according to industry sources (http://www.computerworld.com/softwaretopics/os/windows/story/0,10801,100105,00.html), and apparently the Internet Explorer dev team itself, the updated 7.0 browser will only be made available on XP SP2 and later operating systems (including Windows 2003 SP1 and Windows XP x64 Edition). Second, IE 7.0 will very likely include some browser specific security tightening, for instance anti-phishing techniques and more restrictions / controls on technologies like ActiveX and Javascript; however IE7 will by no means be a replacement for the security additions made in SP2. IE7 will be about increasing functionality as well as some security, not about the elimination of esoteric Win32 API vulnerabilities and poor system service defaults. <-QUOTE}

I would add several additional points:

Raw Socket Support / Limitation on outbound "half-open" TCP connections. There are some real limitations Microsoft has added to the TCP/IP stack that do affect certain apps, such as network scanning tools and P2P applications. Personally, I agree with those opposed to the changes. All you Steve Gibson supporters can probably thank him for being so clueless on this issue and making a mountain out of a molehill. It just amounts to needless IP stack crippling. In any event, there are workarounds and patches to avoid these limitations as well. There is an "unofficial" patch to correct the "half-open" TCP issue (http://www.lvllord.de/?lang=en&url=tools), and as for raw sockets... developers have discovered they can work around it by going one abstraction layer lower and working straight with raw ethernet frames. So, in summary, I agree with you SP2-avoiders on this one point; but it's not a reason to avoid the whole upgrade, IMHO.


Lack of anything beyond Security Center and firewall. I sort of addressed this in my previous comments, but I thought I should elaborate again for some like ILikeLemonPie. Nearly every executable in Windows has been re-compiled with stack guards and other security compile-time options. Many, many registry and application defaults have been tightened. Many bug fixes (http://support.microsoft.com/default.aspx?kbid=811113) have been introduced. Hardware and software Data Execution Prevention (DEP) mechanisms have been added. Many APIs have been altered to emphasize security concerns. Some kernel modifications have been introduced. Wireless networking has improved. In summary, just because you as a user don't immediately notice anything other than Security Center and the firewall, that doesn't mean that nothing else has been done. ::)

~*Nat*~
January 25th, 2006, 01:03 PM
I haven't downloaded SP2 yet, simply because "they" must make everything so difficult.

It says, bla bla...go to your pc's website and download the latest DRIVERS.

Well...then I do exactly what they tell you to....and they present me with a
humongous list of Drivers, or whatever it is....and expect ME to figure out
WHICH one I need. :-\
How would I know ??

Ailric
January 25th, 2006, 01:19 PM
"250 Mb SP2 download is a lot of fun if you're on dial up."
I agree. That's why I ordered it. Didn't cost me a cent.
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

Those that don't update their version of Windows give up the right to complain about big, evil "M$."

ErikAlbert
January 25th, 2006, 01:22 PM
{QUOTE-> I haven't downloaded SP2 yet, simply because "they" must make everything so difficult.

It says, bla bla...go to your pc's website and download the latest DRIVERS.

Well...then I do exactly what they tell you to....and they present me with a
humongous list of Drivers, or whatever it is....and expect ME to figure out
WHICH one I need. :-\
How would I know ?? <-QUOTE}
I understand and you are right, but women are the worst DRIVERS in the world or is it just a rumour ?

~*Nat*~
January 25th, 2006, 01:30 PM
{QUOTE-> "250 Mb SP2 download is a lot of fun if you're on dial up."
I agree. That's why I ordered it. Didn't cost me a cent.
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

Those that don't update their version of Windows give up the right to complain about big, evil "M$." <-QUOTE}


Ailric,
I didn't complain that they are "Evil".
Only that they don't make it very easy for people like me, that
gets grey hair if I have to do anything technically that I don't understand.
It's just something Not for me.

~*Nat*~
January 25th, 2006, 01:31 PM
{QUOTE-> I understand and you are right, but women are the worst DRIVERS in the world or is it just a rumour ? <-QUOTE}

It's a rumor ! ;D

WSFuser
January 25th, 2006, 01:46 PM
{QUOTE-> My guess as to why most people are not using sp2 is because they have a hacked copy of WinXp. <-QUOTE}
i still find that a poor excuse

Notok
January 25th, 2006, 03:00 PM
{QUOTE->
Well...then I do exactly what they tell you to....and they present me with a
humongous list of Drivers, or whatever it is....and expect ME to figure out
WHICH one I need.
How would I know ?? <-QUOTE}
Do you have a brand-name PC like a Dell? If so, many have automatic updaters for your drivers.. on Dell systems it's called the "Support Center". If nothing else you can go to Windows Update and install the Microsoft drivers from there, only ones that apply to your specific hardware will be listed.

{QUOTE-> I'm going to quote what I wrote nearly a year ago about this very subject: <-QUOTE}
Very very well put, Alec, awesome post! :)

hollywoodpc
January 25th, 2006, 03:06 PM
There are also some software programs ( shareware ) that will do it for you . Driver Genius , Driver Detective ;just to name a few

zapjb
January 25th, 2006, 03:51 PM
Excellent post Alec.:thumb:

micronauts
January 27th, 2006, 02:32 AM
we never install any of that junk crap. don't need it. we just surf n check email so really don't need any updates. xp spun right off cd onto fat32 works fine and does everything we need it to. xp detects drivers for all our old hardware scanner, printer, modem, video card, etc so that's cool. we do stuff and install stuff to make it safer everything works so there's no need to download 150mb worth of microsoft-only-knows-what's-in-em updates all we know is what the windows update claims or people in forums like these try to convince us is in it. when i see people brag "i'm fully patched" i think there goes another dunce conned by cops posing as security experts to install sony symantec zonelabs type rootkit on their computer. makes their job easier. now that wmf hole is exposed and the bad code removed, you'll see the cops pushin hard for install new updates containing new backdoors. ask yourselves "why am i updating?" i bet most people do so out of fear cause they heard of some virus on tv, or some friend. why do you think microsoft calls all their updates critical? it's to scare people into installing them. don't do it.

Brinn
January 27th, 2006, 03:29 AM
I didn't install SP2 when it came out because of all the bugs I was hearing about. Then I was just plain procrastinating. I only installed it for the first time last month. =\

ghodgson
January 27th, 2006, 03:36 AM
I'm still on SP1 [legal], I didn't want SP2 to scupper everything that's running fine presently. So why fix it when it ain't broken?
................and I don't like media player 10 ;D

sowhat
January 27th, 2006, 04:34 AM
Quotes from Alec 's post regarding SP2,
http://www.wilderssecurity.com/showpost.php?p=666188&postcount=22,
and my point-of-view:

"Contrary to some people's apparent belief,there are in fact many serious security vulnerabilities,
that exist in SP1 that do not exist in SP2..."

1)Vulnerability in the Indexing Service Could Allow Remote Code Execution

Taken from Microsoft's site:
"Even when the Indexing Service is installed,by default it is not accessible from Internet Information Services (IIS).
Manual steps are required to enable (IIS) to become a Web-based interface for the Indexing Service...
Web-based query pages must be created or installed manually,
that will allow IIS to receive queries from anonymous users and pass those queries to the Indexing Service...
Only users with permissions to access the manually created or installed queries pages,
would be able to attempt to exploit this vulnerability through IIS."

...Two extra notes:
a)Why in the world would a simple end-user install IIS in his/her PC?
b)Furthermore,Indexing Service is a well-known "useless" resource hog,
disabled/uninstalled by most of casual end-users.

2)Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution

Ok,that is true,and it's also only a 1.5 Mb fix,with no risk of crippling your OS.

3)Multiple vulnerabilities in Internet Explorer

True,but...
a)Internet Explorer is unsecure BY NATURE.With fixes or not,why should anyone use it?
b)I bet there are hundreds of exploits designed specific only for Internet Explorer on SP2.
In any case,a Cumulative Update for most of Windows platforms will "solve" any problem.
Note also that there are lots of them already released...

4)Vulnerability in Windows Shell Could Allow Remote Code Execution

Again,this is a 4.2 Mb...
and i bet that some of the files included in this fix are gonna get replaced in later fixes.

5)Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution

Every once in a while,there's a new advisory regarding a "buffer overflow" in XP 's zip capabilities.
Either don't use it at all,as most people do...(i have never used it myself),
or as many people already found,just disable it from the registry.
Funny thing is,that this is also Microsoft's suggested workaround....

6)Vulnerability in NetDDE Could Allow Remote Code Execution

If there are still people/software depending on NetDDE,please,inform me.
It's a very old protocol,almost never used nowadays,except from...exploits maybe!
Delete the Default (!) NetDDE shares,
(who asked for that?seems like Microsoft really has a problem with "Shares",
NetBIOS-another archaic protocol-,"Simple file-sharing and Permissions" etc.).
And one can also safely disable the two corresponding services:
or should i better say,disable them to be safe?

7)Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service

It's a denial of service against IIS (explained before...),that also must have WebDAV enabled.
Meaning:no concern again for daily users.
Regarding WebDAV only,it's a fairly new protocol,(actually an extension to http),
and who ever makes network-accessed WebDAV folders in Windows,is probably looking for trouble.
Also,this is one more service that can be disabled with no daily annoyances at all.

Quote regarding the disabling/removal of Raw Sockets:
"...Developers have discovered they can work around it,
by going one abstraction layer lower and working straight with raw ethernet frames.
So,in summary,I agree with you SP2-avoiders on this one point;
but it's not a reason to avoid the whole upgrade,IMHO."

In my summary...I am not a developer.I'm just an end-user.
Something breaks software I daily use?
And to be more precise,mainly breaks "security tools"?Like sniffers,scanners etc?
Does it also use some fairly ridiculous "security" excuses about that?
Then,that makes it a perfect reason to avoid the "whole upgrade/crippling".

"Nearly every executable in Windows has been re-compiled,
with stack guards and other security compile-time options."

That re-compilation is something to note,yes:
people will find more incompatibilities and hackers more buffer overflows.
Although I doubt they have actually done something serious when re-compiling:
the wmf exploit took advantage of code that was written back in '89-90...

"Many registry and application defaults have been tightened."

I kind of prefer to handle this for myself;we all know Microsoft's "tighten" features usual workflow:
the OS has some broken/risky "features",MS issues some patch/fix,
the fix breaks some other things,then MS posts some "workarounds" for their mistakes etc.

"Many bug fixes have been introduced."

And how many new bugs have been introduced... ;-)

"DEP mechanisms have been added"

And they are known to cause problems,and also to not protect you from 0-day exploits.

Conclusion,what i have already said...:SP2 is about as secure as SP1.Period.
If someone doesn't like the "Period" quote of mine,he/she should note the "about" in this statement.
There are some exploits that work only in SP1 and some that work only in SP2.
And since SP2 is newer and more testing now is taking place in it,
I bet they will find even more...exactly because they made so many changes.
Even,and i repeat that,even if there were found 2,3 or 5 more "holes" in SP1,
why should I really give a damn...people should start comparing Windows' security with Unix,
that's the only way to have a clear view of what is going on behind (?) the scene:
Microsoft updates,hardware updates,software compatibility updates,
and money makes the world go round...(but not more secure).

So,in a very distant future,i might evaluate Vista,
but ONLY if there will exist special incompatibilities,
with newer versions of software REQUIRED for my job and living.
In the meanwhile,i'm just gradually moving to Unix for daily tasks.

ronjor
January 27th, 2006, 04:28 PM
Let's get back on topic in this thread please.

HandsOff
January 28th, 2006, 05:32 AM
Hmmm 70% of XP users have not upgraded to SP2.

I wonder what percentage of XP users think Microsoft is responsible for more privacy compromises than all other adware and spyware combined?

And who even uses Internet Explorer anymore?

Yes, I use XP-SP1, yes it's legal. Most software that I use comes down to which works best for me. If some software will make my life easier, I don't mind paying for it. I use some freeware, but mostly commercial programs. My choices are based on how much I like the features. SP2 crashed my system twice resulting in days of extra work for me. I just don't feel like rolling the dice again.

Secondly, since you asked why, my personal philosophy for securing my computer is to have as few services and products from Microsoft as possible. I don't use Word, Wordpad, Windows Media Player, Windows Firewall, Task Scheduler, automated updates, timeserver, Windows Explorer, Internet Explorer, Indexing Service, Windows Paint program...and on and on. If I do have a security problem, I will seek a solution from a company that is dedicated to providing security solutions. And that's not Microsoft!

BTW - Some of you might want to try SoftMaker's TextMaker2006. If you are a student you can pick it up for $12. It has all the features of Word, except that it opens as fast as WordPad, it doesn't spy on or nag at you, doesn't require over 50 MB of security fixes...and it works. But, no, better to keep to Word product and updates....?



- HandsOff

Milken
February 1st, 2006, 02:23 AM
How about this. . . . BSOD, immediately after upgrading to SP2 on two different computers, both a little older, the BLUE SCREEN OF DEATH started popping up. Today I removed SP2 from both PCs and everything is fine now. Not only that but ALL the updates except SP2 are still on my PC.
Who needs the Windows Firewall? It's a huge false sense of security. It should be called the Windows Waterwall.

peewee
February 1st, 2006, 02:42 AM
Mostly people (such as myself) aren't using sp2 because it is spyware CRAP. That's just my own little opinion so we can all feel however we want.

SwordOfSecurity
February 1st, 2006, 03:09 AM
{QUOTE-> My guess as to why most people are not using sp2 is because they have a hacked copy of WinXp. <-QUOTE}

I'd have to agree with your guess there, although people are also finding ways to even get the hacked SP2 :wacko:

as for my personal opinion on SP2...well I think it's fine. the whole security center thing they implemented obviously isn't the main thing they added. it was just one of the main features shown to Windows users since that's all they would really want to hear (the bug fixes, security additions and everything would probably get too technical for them) as said previously. SP2 does provide several fixes, which is why I found it important to add in (as for the security center, well you can easily turn that off).

I don't know why people would rather not download it due to its complication, size, mediocre download time, etc. and would rather download a movie or game that is even bigger than it and requires probably more configuration (well not for movies I guess). when I did the simple upgrade to SP2 a long time ago on two other computers I owned, it was accomplished simply with a few clicks on the mouse.

well anyway there's my 2 cents on the topic.:P

HandsOff
February 1st, 2006, 06:38 AM
{QUOTE->
:dry: My XPHome is legal but I won’t entrust it to the M$N update site nowadays. I read (quite awhile back) that M$N updates would use their permissions as a Trusted site to install SP2 on machines not yet in compliance, whether wanted or not. When I bought this computer, the software stopped being the property of M$N or of Dell and the idea angered me enough to keep it off my hard drive until it becomes easier for me to have it than not to. Approval is nice, but my own convenience is nicer.

:) mj <-QUOTE}


Can anyone confirm this to be true? Personally, I doubt even Microsoft would be this stupid. Installing software without the user's permission would make them guilty of installing spyware. I suppose Ad-Aware would have to come up with an update to remove sp-2...Or would they?


-HandsOff!

jayzzz
February 1st, 2006, 06:22 PM
{QUOTE-> Can anyone confirm this to be true? Personally, I doubt even Microsoft would be this stupid. Installing software without the user's permission would make them guilty of installing spyware. I suppose Ad-Aware would have to come up with an update to remove sp-2...Or would they?


-HandsOff! <-QUOTE} If I could remember where I read it, I'd post a link...will do so, if I'm able to relocate it. I was appalled, but having been burnt by comcast when they took over attbi, it didn't seem so far-fetched. They installed tgcmd.exe, and set up all sorts of hidden folders with their Transition Wizard and changed their TOS to give themselves the right to install what they wished ON MY COMPUTER at the same time.

After seeing that, I'd have been an idiot to think, "Oh, no...Microsoft would never do that!"

WSFuser
February 1st, 2006, 06:28 PM
{QUOTE-> Can anyone confirm this to be true? Personally, I doubt even Microsoft would be this stupid. Installing software without the user's permission would make them guilty of installing spyware. I suppose Ad-Aware would have to come up with an update to remove sp-2...Or would they?


-HandsOff! <-QUOTE}
for a while, microsoft offered a patch you could download to prevent SP2 from being downloaded by automatic. after a specific date however, it disabled itself to reallow download of sp2. i could be wrong tho.

jayzzz
February 1st, 2006, 06:58 PM
{QUOTE-> for a while, microsoft offered a patch you could download to prevent SP2 from being downloaded by automatic. after a specific date however, it disabled itself to reallow download of sp2. i could be wrong tho. <-QUOTE} Thank you. I'm a little under the weather today and don't have time to search, but it's nice to know that sounds familiar to somebody else, too. :)

hollywoodpc
February 1st, 2006, 07:10 PM
Huh ? Everyone is confusing all of this ! It is NOT spyware . And , the bottom line is , you do not have to use it . But , I have yet to see anything fruitful in here that would make me keep it off . The person that got the BSODs obviously has something that is conflicting . I can assure you that SP2 works fine with almost everything windows . Of course , if your updates are on the machine BEFORE installing SP2 , that can cause a problem . I hate M$ as much as the next person but , SP2 only adds features . Not spyware or other crap that you need to be afraid of . The paranoia in here is frightening 8)

tuatara
February 1st, 2006, 07:30 PM
I've seen one good reason a few weeks ago,
the person was running Windows XP with a 2GB harddisk !

No, NOT a USB-stick a HARDDISK.

It was not possible to install SP2, because that would need some extra 200MB

;D

hollywoodpc
February 1st, 2006, 07:34 PM
Lol . Ok . You got me . ONE reason .

Alec
February 2nd, 2006, 10:30 AM
{QUOTE-> for a while, microsoft offered a patch you could download to prevent SP2 from being downloaded by automatic. after a specific date however, it disabled itself to reallow download of sp2. i could be wrong tho. <-QUOTE}I believe this is correct, however SP2 is automatically installed only if you have "Automatic Updates" selected and enabled. It is totally optional. It is not mandatory. And, as I recall, it is made quite obvious to the Administrator when Windows is initially configured and set-up; at which time the Administrator is given the clear choice. This, by no means, qualifies as spyware, IMHO. The patch alluded to was made available at the request of large enterprise customers who had configured Automatic Updates as enabled on their employees' systems, and who wanted the automatic security patches and bug fixes in general, but who nevertheless needed additional time to fully test SP2 because it was such a large update. Technically, no one is forced to use SP2 against their wishes, although certain future updates and applications will likely be made available only for those that have updated their system to the latest service pack (eg, Internet Explorer 7 Beta 2).

As for the extra 200MB required for SP2, I'm not even absolutely sure that is the amount of extra space technically required for SP2. The download itself is approx 200MB as I recall and the actual new executables must be unpacked and likely take about twice that amount of space during the install process itself. However, if you choose to delete all of the saved, old executables and make it so that a pre-SP2 reversion is not possible (or if you were to install SP2 onto a harddrive straight from a slipstreamed Windows XP SP2 CD-ROM), then I doubt SP2 really takes up that much additional space. I am curious, though.

A couple of specific comments:

@jayzzz: In my opinion, it's a little misguided and disingenuous of you to lambast Microsoft and hold them responsible for something that Comcast actually did to you. Yes, I understand your point that it may have "opened your eyes" (so to speak) as to what large companies may do, however unless and until the unrelated company actually commits the wrongdoing... you have no case to be made against them. Scream at Comcast. Scream at Sony for their rootkit DRM music CDs. But scream at Microsoft only for those boneheaded things they have actually done (and, I admit, there are some; however, spyware isn't generally something I personally would accuse them of).

@HandsOff: Your level of paranoia is something to be proud of, I suppose. :blink: If you really are so fearful and anti-Microsoft as to not run Notepad and Paint, I'm not quite sure what you are doing running a Microsoft OS at all. Seriously. Perhaps you would be better suited to Linux or OS X? I can recommend both as quality alternatives (albeit not for everyone, IMHO).

@sowhat: Those vulnerabilities previously listed were only mere examples of security problems discovered post-SP2 that were found to affect SP1 systems and, not SP2 systems. I do not wish to be distracted into a long conversation about each, that was not the point. However, I would say it is not a proper characterization to say that most of these were "fixes" implemented by Microsoft in SP2 and not SP1; but, rather, it was the fact that SP2 included certain defaults, re-compilation optimizations, and other tweaks that made SP2 resistant to the vectors later discovered. Do you understand the difference I am trying to convey? We are not talking about specific one-offs discovered and fixed, rather we are talking about general classes of vulnerabilities made less likely. As to your commentary about re-compilation in general and your pointing out the WMF exploit... you obviously do not understand the difference between a stack overflow vulnerability and a heap overflow vulnerability. Yes, re-compilation did do something; however, I never claimed it was a panacea. [EDIT: Actually, I don't believe that the WMF vulnerability is properly a heap overflow either; but rather reflects a vulnerability in the actual file format and what the API was originally designed to allow. In any case, still not something addressable through stack guards and re-compilation alone... which was my point.]

jayzzz
February 2nd, 2006, 05:38 PM
"@jayzzz: In my opinion, it's a little misguided and disingenuous of you to lambast Microsoft and hold them responsible for something that Comcast actually did to you. Yes, I understand your point that it may have "opened your eyes" (so to speak) as to what large companies may do, however unless and until the unrelated company actually commits the wrongdoing... you have no case to be made against them. Scream at Comcast. Scream at Sony for their rootkit DRM music CDs. But scream at Microsoft only for those boneheaded things they have actually done (and, I admit, there are some; however, spyware isn't generally something I personally would accuse them of)."

I lambasted nobody...merely expressed a lack of faith in corporate good intentions, generally. And after the wrongdoing has been committed, it's too late to undo it. Screaming at comcast for something they gave themselves the right to do (and I'd agreed to, per them, by using their broadband to go see the new TOS) would be a complete waste of my time and energy. Almost as much so as justifying my decision to keep SP2 off my machine with its legal XPHome for as long as I can.

HandsOff
February 3rd, 2006, 06:44 AM
Alec said:
@HandsOff: Your level of paranoia is something to be proud of, I suppose. If you really are so fearful and anti-Microsoft as to not run Notepad and Paint, I'm not quite sure what you are doing running a Microsoft OS at all. Seriously. Perhaps you would be better suited to Linux or OS X? I can recommend both as quality alternatives (albeit not for everyone, IMHO).


Alec,

I must say I found your amusing comments very entertaining. On the off chance that you really had a hard time understanding my post, and are not just clowning, let me try to clarify a couple points for you.

Let's start with your belief that my level of paranoia is something to be proud of. Firstly, it seems to me that the only reason one would have for being proud of having a great deal of paranoia with respect to an issue would be if their paranoia turned out to be justified. But in that case would it be paranoia, or would it be perceptiveness?

Far from being paranoid, I am a pragmatist. While I am not an expert in computers, I would say that I have skillfully avoided many of the pitfalls I have seen others fall victim to, simply because I am less inclined to parrot every cliche piece of security advice than others seem to be. If something does not seem right to me, and it's not too inconvenient, I will put it to the test. You may have read earlier in this thread that Iceni60 referred to assertions on certain websites that there are one-click exploits which will enable the clicker to take over the computer target which is running SP1. This is news to me. If true I may have to rethink my views. You may also recall he said words to this effect: If you trust me you can give me your address and I will see if it works. So I did. Rather than checking my mailbox to see if it was a success, I am sitting here trying to convince you I am not paranoid. Does that seem paranoid to you?

Okay, I am going to give you enough credit for intelligence that I will drop the subject of correctness of your assertion that I am paranoid. You still may not be clear as to why I for instance do not run WordPad. If you read just a little further in my post, you may have noticed that I was recommending a new word processing program made by German software giant, SoftMaker, called Textmaker 2006. I have been using it for months. I beta tested it for months. The reason is fairly simple. I read an article comparing word processing programs and Textmaker 2005 (at that time) was the highest rated product. Here is the significant part to me. It is more powerful than MS Word, is fully compatible with Word, and can even open files that were password protected in Word and...IT OPENS INSTANTLY. Sorry for the capitals, but that to me is very big news. All the power, and more, of Word, all the speed of Wordpad. Not to belabor the point, but Wordpad, even notepad, no longer serve any function.

I did not re-read my post, but hopefully I mentioned that Explorer² does far more than windows explorer...and I have timed file operations and searches that are OVER TEN TIMES FASTER. 18 seconds versus 221 seconds!

Someone mentioned vulnerabilities with the Indexing Service. I guess some people would give me credit because I have never used it. Again, based on what I read about its horrible inefficiency. But my dislike of it goes beyond the fact that it slows and "thrashes the hard drive". I am put off by the way that it cannot seem to respect my settings. Example: I have unchecked using the indexing service on each and every one of my fifteen hard drive partitions. I have disabled the service in "Services.msc". I have gone to Set Programs Access and Defaults - Add/Remove Windows Components and specified to remove the indexing service from my XP implementation. Yet if I for instance, resize or reformat any of the partitions, then XP checks the indexing service and implements this with not so much as a word notifying me of this action. One would have to check properties in order to know that the service is back. But how did I catch it, you may ask? Simple. The almost forgotten sound of the hard drive thrashing, even when I wasn't doing anything was so conspicuous that I checked.

Then there is Internet Explorer. Enough said.

WinRAR or XP's zip. Enough said.

Perfect Disk or Defrag. Enough said.

Paint. A very annoying program for someone that has a full featured graphics program. Previews? Not if you use an image viewer. Why not just leave it. Well experience has shown that it, or MS Windows and Fax viewer will cause problems with opening multiple files in a specified, or even default program handling an image file type. In other words, you highlight ten .psd images to open with photoshop. What happens is that only the first will open. This in turn leads to more problems.

The thread that ties this all together should be clear. If you don't like frustration, inefficiency, defiance of users settings, endless exploits and security patches you can take one of two approaches.

1) You can put yourself through hell with each and every aggravating Microsoft program, or

2) At some point just decide to give yourself a break. If you want a desktop search, or an "indexing" program that works, just do a search and pick one with good reviews. Same thing for firewall. Same thing for encryption (I am happy to say that I never used microsoft compression. It is an unlikely enough thing to do that I can't take much credit for it. If you are using software encryption and compression, then you do not want to use xp's).

Anyway, sorry for the long post. Still, I almost hope that you will make some statement or other about Microsoft not being evil. Maybe even being (ha, ha, ha) ethical. Perhaps that the jury is still out on their software, their business practices, treatment of customers and privacy, and so on. In fact, anything that puts them in a positive light, or suggests that they are believable in any way at all would be such a bold move that I just might find myself at a loss for words.

Not. Please, keep 'em coming!

BTW - If I was compromised by the exploit, I will be glad to post that fact. Experience is the best teacher, and no reason everyone should have to discover this by themselves. I tend to think I am safe, but nothing surprises me anymore, so I will not be amazed if it does work.



-HandsOff

sowhat
February 5th, 2006, 11:07 PM
Taken from Alec's reply to HandsOff:

"Your level of paranoia is something to be proud of,I suppose.
If you really are so fearful and anti-Microsoft as to not run Notepad and Paint,
I'm not quite sure what you are doing running a Microsoft OS at all.Seriously.
Perhaps you would be better suited to Linux or OS X?
I can recommend both as quality alternatives (albeit not for everyone, IMHO)."

Excuse me...but i don't see any "level of paranoia" in here.
Notepad,Paint and the whole MS product suite is CLOSED-source.
Meaning I don't have ONE single reason to trust them,their apps,or assume they've done proper auditing on them.
Their history has shown exactly the opposite all these years.
Although without serious evidence,they have also been accused numerous times for placing "backdoors",
even from the NSA...and as far as I know,at least Germany and China have decided/stated,
they will replace MS with some custom-made Linux version,
in their government offices/organizations,exactly because they don't trust MS.
Are they paranoid also?
And in my poor opinion,I can recommend both Linux or OS X as quality alternatives to anyone...
------------------------------------------------------------
Taken from Alec's reply to...me:

"Those vulnerabilities previously listed were only mere examples of security problems,
discovered post-SP2 that were found to affect SP1 systems and,not SP2 systems.
I do not wish to be distracted into a long conversation about each,that was not the point...
We are not talking about specific one-offs discovered and fixed,
rather we are talking about general classes of vulnerabilities made less likely."

..."made less likely"...well,excuse me,
but does a re-compiled gdi32.dll ring a bell to anyone?
-And if answer is yes...nop,you don't exactly win a prize :P

At first,you describe them as:
"...serious security vulnerabilities that exist in SP1 that do not exist in SP2".
Then:
"Those vulnerabilities previously listed were only mere examples..."
And finally,
"We are not talking about specific one-offs discovered and fixed..."
I'm confused...what exactly are they at last?

I also wouldn't like to be distracted into a long conversation about each exploit/fix discovered,
they are numerous in MS systems after all.
But (in your 1st post at least),they were presented as "proofs" that SP2 is more secure than SP1.
"Proofs" must be accompanied by descriptions that can stand for them:
since you didn't supply these descriptions,
I just searched the MS site for them...with the results that I already posted.
Sorry-if someone wanted to convince me that SP2 is more secure than SP1:
a)he/she should have searched/provided far better examples than these,
b)he/she should have provided descriptive evidence for them.

" As to your commentary about re-compilation in general and your pointing out the WMF exploit...
you obviously do not understand the difference between a stack overflow vulnerability and a heap overflow vulnerability."

In what way can this be taken seriously?
One person has a "level of paranoia",
the other one "obviously" cannot understand...
with no offence to anyone:are we mentally ill/disrupted somehow?
Allow me to remind that...
there's also a difference between characterizing people and just commenting their opinions.

Notok
February 6th, 2006, 12:40 AM
The point is that those were only a few examples, there's a lot more, many without workarounds. Being that I don't memorize each and every vulnerability found and what systems they do and do not apply to, I can't give you a lot of examples, but if you pay attention to the announcements you'll find many. This was particularly pronounced in the months shortly after SP2 was released as the malware writers dissected all the fixes, knowing that most people won't install it.

Honestly I think this subject is getting far more heated than it ever really should have by any reasonable measure. This is a good thread, but it would be nice if we could return to a more objective discussion. If you choose not to install SP2 that's entirely your prerogative, but to say that SP2 doesn't add any actual security is not true, and I haven't seen any solid arguments (here or elsewhere) to the contrary. There are a lot of worms that would not have spread as widely as they did if SP2 had been more commonly installed.. that's a point that I've seen nothing but agreement on by the pros and experts.

Please do keep in mind that you're in a public forum that is frequented by many less knowledgeable folks that are simply trying to get some facts to get themselves protected. Making a lot of arguments about SP2 being useless will be seen as a recommendation. I personally don't understand how or why this thread's existence could be such an intimidation to anyone, how it could have really been that offensive.

IMO, installing SP2 is one of the least of things that a user looking to strengthen their security can do. It's a baseline measure that should generally be followed unless there is some particular reason specific to their circumstance that leaves them unable to do so. Hardening is great, but it is never meant as a permanent solution, but rather a temporary workaround until a true patch is released. What happens when you need to use that component? Continuing to use the hardened settings isn't always a bad idea, but the fact remains that such measures are only ever meant to be a temporary workaround, and applying patches is always recommended. Users would also need to be aware of what all they have, which isn't always easy. XP Pro has IIS installed and enabled by default, for example.. so the answer to the question about who would have it installed is: Everyone that uses XP Pro, and that's just one example.

sowhat
February 6th, 2006, 10:28 AM
Notok,these were the best comments someone could do;I really don't think I could agree more on them.

Security is a matter of knowledge plus configuration,for whatever OS.
Security is not a matter of a Service Pack number 2.
And it's also not a matter of "open-sourcing" the whole earth's code.

...in my small country,Greece,I've seen people aged at 33,that have been using PCs since Commodore,Amstrad etc.,
and using MS Windows for the last decade and more,telling me:
"I have SP2 and my router,why do I need ZoneAlarm?To waste my memory?"
(Nop,I do not work for/advertize ZoneAlarm):
This man was repairing people's faulty hardware configurations in the previous years,generally speaking,
he was really good in what he was doing and respectable,and nowadays,he has managed to own his own PC tech-store.
You might say,so what,we live in USA,UK,whatever.
Point is,I don't give a damn how much of an "expert" someone is considered:
It would be really "easy" to just suggest to "simple users","get a router and SP2":
in about 9 out of 10 times,this will save most users' b*tt.
But it's that 1 out of 10 possibility that makes the difference,
the one that points in people's own freedom of choice,searching for knowledge and development of criteria.

I strongly believe that someone can't clearly judge something,if he/she is under strong influence of its use and culture...
For example,judging computing on SP1/SP2 or Vista etc,without firstly having a basic knowledge/view of unix's security.
In this particular example,if people don't have this kind of knowledge,then they'll always rely on:
a)Microsoft's products,
b)Microsoft's comments on their products,
c)sporadic experiences/opinions by other Microsoft's products' users,either "knowledgeable/experts" or not.
When I see 17 posts before my reply,more or less stating that SP2 is "superior" and "better" than SP1,
to me,that's not only a false sense of security,but of criteria also.
Are people afraid of openly accusing SP2 and not believing in its "features"?
Can't they find the words/convincing reasons to express it?
Or does it go by the "general rule" of consuming,"the newer the better"...
buy it now and we will find excuses for that later?
And I blame Microsoft's "culture" for this:
People,even "simple users",with no technical background at all,
should develop a more "harsh/strict" way of judging software products,
Microsoft doesn't help people on this for various reasons,
that's what makes me pretty harsh/strict in my judgements towards them,and more "unix" passionate at moments...

As a synopsis,my main argument would be,
that without good/"heated" threads like this one,
where some people stood up to speak against SP2 with their own criteria,
-either they were right or wrong-,
every SP or OS should be seen useless as a recommendation...

Notok
February 6th, 2006, 08:21 PM
Except that the facts are against you, not for you. I've yet to see a single fact to indicate that SP2 doesn't add security.. to the contrary, I see security researchers, experts, and professionals giving plenty of examples of vulnerabilities that did not affect SP2.. and honestly, all I've really seen to the contrary is speculation on intent and stability. Some may have had problems with install, but most of that comes down to installing SP2 on an infected machine, and there's always risks with installing anything at all.

{QUOTE->
Security is a matter of knowledge plus configuration,for whatever OS.
Security is not a matter of a Service Pack number 2.
And it's also not a matter of "open-sourcing" the whole earth's code. <-QUOTE}And nobody is disagreeing with that, only your apparent interpretation. That statement is saying that security goes beyond any single measure.. if you look around, you'll see that's what this entire forum is all about. Nobody is saying that SP2 is all you need, I haven't seen a single person on this board even imply that.. rather it's a baseline measure that should be done before considering 3rd party options. As far as that goes, security goes well beyond any third party application.

{QUOTE-> As a synopsis,my main argument would be,
that without good/"heated" threads like this one,
where some people stood up to speak against SP2 with their own criteria,
-either they were right or wrong-,
every SP or OS should be seen useless as a recommendation... <-QUOTE}Right, except that patching actually shows results.. and has repeatedly, both for me, other members, other techs, and other security pros and experts. As for needing "heated" threads, riling up people's emotions, putting them on the defensive, is only counter-productive. Rational discussion, however, with well thought out points, is how you get others to consider your opinion and facts. Turn it into an argument and the best you're going to get is people pretending to agree with you just to end the argument.

sowhat
February 7th, 2006, 10:10 AM
Quote:
"Except that the facts are against you,not for you.
I've yet to see a single fact to indicate that SP2 doesn't add security."

Since I've NEVER submitted a SINGLE "fact" to indicate that SP2 doesn't add more security "against" SP1,
how can I be blamed for this?
Other people submitted "facts",and I pretty much think I proved that(until now):
a)These 'facts' weren't the best examples a SP2 supporter could supply.
b)That if someone examines carefully fixes/features towards bugs/instability,
depending on the situation,he/she might have every good reason not to install SP2.

So,for the 3rd time in this thread...I repeat:
SP2 is about as secure as SP1.Period.
If someone doesn't like the "Period" quote of mine,he/she should note the "about" in this statement.
Where does someone,expert or not,see in that statement,
along with everything else I have described,that SP2 is LESS secure than SP1?
Only in the obscure case of someone who doesn't read AT ALL the rest of the comments,
he/she might have a chance of accidentally assuming they're equally secure...

Quote:
"And nobody is disagreeing with that,(" Security is a matter of knowledge plus configuration,for whatever OS".),
only your apparent interpretation...
Nobody is saying that SP2 is all you need,I haven't seen a single person on this board even imply that...
rather it's a baseline measure that should be done before considering 3rd party options...."

Apparently it's difficult,either for me or for people,to "interpret" my point of view...
either because of my limited knowledge of English vocabulary:-\ ,
and furthermore 'cause it's "less" practical at first look:
for me,as already explained,the first security "baseline measure",
is people's criteria towards operating systems policies and philosophy.
For example,I don't think we would ever ask a dedicated GNU/Linux or OpenBSD user to comment SP2 security...
and expect him/her to reply seriously.

Quote:
"Right,except that patching actually shows results...and has repeatedly,both for me,other members,
other techs,and other security pros and experts.
As for needing "heated" threads,riling up people's emotions,putting them on the defensive,is only counter-productive."

Education of people pretty much develops more advanced/strict criteria:as a logical consequence,
pressure towards big companies and software monopolies tends to grow that way,
and this has historically shown much greater results than just "patching".
Critical thinking is usually a fairly enough "heated" feeling,
it's not just a bunch of statements/"proofs" to be served in a "cold" audience,
that has learned to clap on whoever gives the "easy solution".
By only having a general interest in security,sooner or later,someone has to face much more difficult questions,
and has to be both mature,clear-minded and "heated" at the very same moment,to make the right decisions...

"Turn it into an argument and the best you're going to get is people pretending to agree with you just to end the argument."

I am not into people's minds.And I wouldn't want to be.
But I surely didn't see anyone agree with someone just because he/she couldn't avoid it.
If that was the case,I wouldn't be replying right now:no actual freedom of speech,no talk from me.
In fact,the only argument I would ever do,would be about that matter:
if someone wants to argue,either he/she should go take some clean air,
or just do it somewhere away from me and the people that I'm talking to.
By saying "heated",I meant the way of thinking,not...fighting or arguing.
If anyone-once again;),got "misguided" by these words of mine,
he/she should remember that this is a public forum after all,not a...box ring.

HandsOff
February 8th, 2006, 04:11 AM
Hi everyone-

So What raises a lot of interesting points. I too, noticed an avalanche of SP2 is superior statements at the beginning of this post. So What says seventeen, and I have not gone back and counted them, but clearly it was an entirely one sided response, moreover the response seemed to carry with it accusations that most of the people were running stolen software.

When the thread caught my eye, I thought to myself, 'this will be interesting. I know I had all kinds of problems when I tried to install SP2. Maybe when I read what difficulties others were having, I'll get some idea as to where I went wrong.' Since SP2 crashed my system twice, I have largely lost interest in whether it is more secure or not. I don't want to waste any more time on it until I start getting some idea of what went wrong last time.

Judging from the responses I have seen people are reading the title of this thread as:

Why people are not using SP2? rather than what it does say,
Why are people not using SP2?

In the second wording, it would seem that a question is being put out there for users of SP1 as to why they are not using SP2.

In the first, and not the actual wording, the tone is consistent with a thread where the reasons why people are still using SP1 are all already known to them, and they, and like minded people, are going to make these reasons known to the rest of us.

If such a thread were to exist, it would only have any interest if the author of the thread was a proponent or user of sp1. If such were not the case, the statement would indicate that the sp2 using author of the thread believes he knows all the reasons, and none could possibly be valid, save the possibility of software incompatibility in a small percentage of cases.

The problem with a scenario where only people who think sp2 is superior are providing the reasons why people are still using sp1 is that by and large they are fabricating the reasons. That is obvious, isn't it?

Alec uses the term disingenuous and applies it to a reason put forward by someone who actually is using sp1 and is providing a reason they are. Good reason or bad reason they are answering in a way that I, for one, do not doubt as being genuine. A dictionary definition might help to clarify.

Adjective: disingenuous
Not straightforward or candid; giving a false appearance of frankness.

A topical example of correct usage might be: The disingenuous author of this thread, appeared to be posing a question, not stating an opinion.

Anyway, I guess we had better agree on what the topic of the thread is, at the very least, before we offer any more responses.


-HandsOff

zapjb
February 8th, 2006, 04:42 AM
Blame it all on me, I started this. Joking. I said this:
{QUOTE-> January 22nd, 2006, 02:05 PM zapjb
Just read another security thread here. Really like this forum btw. Anyways the poster lists all their apps then says XP with SP1. I understand if one never connects to the net. Or a mission critical app in a work environment has issues. But 1 of the first things I was taught was to keep an OS updated. My belief is that most of the people who don't run SP2 or even SP1, don't meet either of the exception criteria I mentioned.:wacko: <-QUOTE}

HandsOff
February 8th, 2006, 03:06 PM
zapjb-

I wasn't trying to zap you! One thing I hope I made clear, though, is if you want to know why someone is using sp1, then it makes sense to listen to the people that are using, since, presumably, they know the reason why they are doing so.

Also, I am enjoying this thread too, and I realize much of what has been said has been in a sort of bantering tone, and not, I think to roast people.

However, a couple of things do bear mentioning.

I have read the suggestion, not just in this thread, either, that myself, and others may be putting others in harm's way by espousing our points of view, or when it comes right down to it, for defending ourselves from personal attacks.

Wrong, wrong, wrong! By examining all of the issues I believe we are better able to make informed decisions. Microsoft has a long shameful history when it comes to being secure, or ethical. The price they pay is that they do not have much credibility. Since no one is arguing that they have been solid performers in this area, I think we are all in agreement on this point. That leaves only the technical merits of SP2 to mitigate this.

The problem here is that since the code is not open, and Microsoft has no credibility, what do we really know? All we know is what we are told.

While the technical stuff is way over my head, I have read some stuff, and I wish I understood it better. It has been suggested that the casualties of SP2 will include all programs that use Just in Time programming. I read on Microsoft's very own website that, in fact, one reason this is a good thing is that it promotes "best practices" in programming. So apparently, sp1 allows the kind of programming that should not be occurring in the first place. But then two things come to light.

1- the .NET framework will not be able to run in sp2. The irony here, is that this is something Microsoft has been pushing very hard as cutting edge programming

2- .NET will run after all, because Microsoft has written sp2 in such a way as to ignore its non-compliance with "best practices".

This opens the door to other questions, like, won't Sun Microsystems be dealt a serious blow by these standards? Are they going to exempted from the rule too? If not can the supposed new protection be disguised as JVM or .NET?

Actually, these are just the beginning, but, as I said before, it's all academic to me since SP2 doesn't even run well on my computer. If it did I'd be asking a lot more questions.


-HandsOff

zapjb
February 8th, 2006, 08:07 PM
Ah HandsOff you brought up an interesting point. Although I am a happy user of SP2. In fact I kept my SP1 running well. When I installed SP2 it took like 45 min or so to install, reboots included. But immediately after the SP2 install my computer was noticeably faster.

To my point. Although I trust & see the benefit of SP2. I avoid .NET Framework all versions like the plague. I think .NET is malicious. Every time I'm reviewing new software & preparing to try it out. Then I see it requires .NET. I swear a little & pass on the software. I was frustrated because I wanted to try nLite because at 1 time it required .NET. But the demand was such that the maker of nLite made separate runtimes. So .NET wasn't required. Great program btw.

GUI_Tex
February 8th, 2006, 08:58 PM
I got sp2 with dial up.. :-* I can't recall how long it took though.

Notok
February 8th, 2006, 09:02 PM
http://www.stillsecure.com/docs/StillSecure_DenverPost_Honeypot.pdf (PDF)

zapjb
February 8th, 2006, 09:08 PM
45 mins was the install time. Downloading SP2 took me like 12-15 hrs afair.:gack:

HandsOff
February 8th, 2006, 09:50 PM
Hi Notok,


I do appreciate you are presenting concrete examples and focusing on the issues here. I have heard of tests like that, but what are we bragging about here? that a computer that is not even browsing or using emails or downloading or instant messaging is able to last a few hours without being wiped out? I would just expect any o/s that was designed for use on the internet would be absolutely invulnerable...for months and years!

Anyways, until they perform such a test with a computer with a security setup close to mine, I can't honestly see any relevance to me. It's sort of like telling me that a passenger in a car that crashes into a brick wall at just 5 miles per hour is at a high risk of being fatally injured ---if the rider was strapped to the front bumper! And then offering that as proof that 5 mile per hour crashes are very likely to be fatal to all passengers. Needless to say my passengers do not ride strapped to the front bumper. Give me a break!

--------------

Does anyone know anything more about this: I thought I read that SP2's DEP will impose a 4 GB limit on memory usage. I kind of wonder why that is. Is there a lot of overhead involved in this registered memory scheme? I thought not. 4 GB is a lot of memory, but I was sort of hoping prices would go down and machines could soon be configured with the entire O/S, system cache, and most used programs all loaded into memory. Imagine the speed if you had a system like that. I can dream, can't I!


-HandsOff

sowhat
February 8th, 2006, 11:29 PM
http://www.avantgarde.com/ttln113004.pdf

Here's another nice OS testing,
although 3 months older than StillSecure tests,
done by the well-known Kevin Mitnick ;-)

In short,Mitnick's honeypot-style tests on 6 OSes resulted in:
"These two machines (standard Linspire installation,
or a XP SP1 installation together with ZoneAlarm),
were the most effective at reducing the visibility of the computer from hackers while online,
and preventing Internet attacks from successfully loading arbitrary malicious code without permission."
The other OSes were:
Microsoft Windows XP Service Pack 2,
Microsoft Windows Small Business Server 2003,
Microsoft Windows XP Service Pack 1(without ZoneAlarm),
Macintosh OS X 10.3.5.

More or less,what both papers conclude,
is that the standard SP1 installation,without at least the MSBlast patch,
gets your machine hacked in only a matter of minutes.
So far,nothing new or unexpected actually.
But what I would really be interested to see,
would be the same type of tests taking place now or,even more,in about a year or so:
would the standard SP2 installation,without at least the WMF-Exploit patch,
pretty much get the same results?
Time will tell...

P.S.1:Once again,for not getting myself misunderstood,
I feel I should mention I'm not in any connection/advertising ZoneAlarm.
P.S.2:Honeypots' main use is:
a)for tracking down hackers' addresses,
b)for extracting statistics for the frequency/types of attacks.
So,whatever honeypot test towards...OSes,with only 4,5 or 6 machines taking place,
should be considered as nothing more than just a "laboratory experiment",
with interesting but surely questionable results.

Alec
February 8th, 2006, 11:56 PM
Some commentary since this thread seems to be running off course to some extent: The "burden of proof" in terms of reasons to not install SP2 should be on those making specifically that case, since they are the ones arguing against the generally accepted practice associated with all operating systems and software applications of staying up-to-date with vendor/developer supplied patches. I had thought this was nearly self-evident since almost every computer expert will advise staying current with patches, no matter what the operating system.


Contrary to what I believe "sowhat" was attempting to argue, I don't think that anyone in this thread advocated SP2 as a complete security panacea. By all means, keeping one's self educated in general about threats and vulnerabilities is the most important security step one can take, closely followed by surveying a multitude of security tools and utilities to see which work in your environment and fit well with your own tastes and philosophies. Do not rely on patching alone.


If interested in .NET, I would advise the creation of a new thread. As far as I am aware, there is no newly imposed elimination of or restriction placed upon .NET with the advent of SP2. By "Just In Time Programming", I am assuming you mean "Just In Time" compilation or JIT compilation. Discussion of this seems way beyond the scope of this specific thread, but let me just say that I am not aware of anything inconsistent between best programming practices, JIT compilation, SP2, and/or security. Please be more specific and, perhaps, provide references so that I might more clearly understand your concern.


With respect to 'expectations', you need to be careful with these when it comes to software. You might "expect any o/s that was designed for the internet would be absolutely invulnerable.... for months and years", but I would argue that this would presently be a false expectation with respect to most operating systems. In fact, I would argue that it is largely a myth. I could install nearly any distribution of Linux, Unix, Solaris, or virtually any other alternative operating system; and within a few weeks most would have outstanding vulnerabilities that would require patching. Patching is required on virtually every system designed by the human mind. That is why it seems ludicrous to many of us that some seem so adamantly opposed to patching Windows with SP2. Even OpenBSD, one of the most security audited of "common" operating systems, issues security and reliability patches on a fairly routine basis.


Data Execution Prevention (DEP). I am unaware of any 4GB limit on memory usage associated with DEP. You may be confusing this with the 4GB limit on memory usage imposed by 32-bit processors. A 32-bit processor has a memory address bus width of only 32-bits and utilizes memory pointers that are only 32-bits in width. 2^32 == 4,294,967,296 addressable bytes or 4GB of information. Now, there exist various schemes such as Physical Address Extension (PAE) and Address Windowing Extensions (AWE) that are meant to allow 32-bit CPUs to address large memory amounts, but largely these can be seen sort of as hacks. The real solution to higher memory requirements is a shift to 64-bit processors. Theoretically, a 64-bit processor allows up to 17,179,869,184 GB (or 16 exabytes) of RAM; although, if I recall correctly, most 64-bit operating systems divvy up the address space in ways that don't really allow that theoretical limit for any one process. Hardware DEP requires processor support, and hardware DEP simply associates a hardware enforced no execute bit flag with memory pages. Memory pages that are supposed to contain data only are marked with this bit flag, and the processor will ensure that no code is ever executed from such memory pages.


My use of the word disingenuous. While perhaps not the exact word I was looking for, I still feel it to be somewhat misleading for someone angry about Comcast spyware to be alluding to similar problems or suspicions of problems with Microsoft spyware. To each his own. It's off-topic in any event.

HandsOff
February 9th, 2006, 12:14 AM
Okay, since responses you don't agree with are off topic, you will be glad about what I am going to post.

I went over to a graphics forum and posted this poll question. Obviously, it is not scientific in any way, I don't think I even have the ability to see the identities of the voters, but I will be honest to say that the result was other than what I expected. Since I would have posted the expected result, I feel honor bound to post this....this....abomination!

Still, it remains a moot point for me, due to my compatibility issues, and no pressing need to install this. However, it would seem that I am not only to suffer the slings and arrows of outrageous criticism, I am going to have to suffer all by myself :(


-HandsOff

sowhat
February 9th, 2006, 12:07 PM
Quote:

"I could install nearly any distribution of Linux,Unix,Solaris or virtually any other alternative operating system;
and within a few weeks most would have outstanding vulnerabilities that would require patching."

Yeap,I agree on that,just 1 single well-written exploit,
can tear down the whole security strengths/"myths" of about every OS out there.

Quote:
"Even OpenBSD,one of the most security audited of "common" operating systems,
issues security and reliability patches on a fairly routine basis."

OpenBSD,on the exact opposite of Microsoft,does exactly that;
they MAINLY issue patches towards recently discovered vulnerabilities,
instead of developing their...2010-expected OS(!) or releasing Longhorn betas(not even Vista),
while they haven't even managed to audit their...2004-dated SP2 code.

Something quite interesting to be taken under consideration,especially take notice of the last phrase:
“Of Netcraft's list of the top 50 web sites,47 run BSD,
and the number 1 place is held by a FreeBSD system which has been up for 1726 days”:
http://www.computerworld.com.au/index.php/id;1357495171;fp;16;fpid;0

Then,check Netcraft's actual recent list with the,
"Sites with longest running systems by average uptime in the last 7 days":
http://uptime.netcraft.com/up/today/top.avg.html

Of course,the "fingerprints" of both the OSes and the servers they're running,
could be "spoofed" by the admins,just to make the job harder to possible attackers.
In some cases it's pretty obvious also,for example,
BSD/OS was discontinued from sales at the end of 2003,
its support was terminated in the end of 2004,
and allow me to doubt if a BSD/OS is running...Microsoft-IIS/5.0.

Point is that these OSes have been up and not hacked,not for...minutes,but years,
meaning,either they have been updated with fixes or not,
they almost certainly did not have their WHOLE kernel recompiled:
a)this would require a re-boot(or even more than one),
b)especially in the case of the BSD/OS workstations,that's pretty much simply impossible,
'cause as already mentioned,it's a discontinued product.

So,who can accuse these OSes for not following the:
"generally accepted practice of staying up-to-date with vendor/developer supplied patches"?
If they were to follow this practice,
some of them should at least format and switch to a different and not...discontinued OS!

Ok,let's get this straight,'cause one might say that...
these are fairly special cases/exceptions to the "rule","simple users" must not be..."misguided" etc...
And I agree with that in more than one way:
"contrary to what some people might believe that I...argue",
I never claimed that anyone in here "advocated SP2 as a complete security panacea"...
(Panacea...nice word,it's greek too :D )
I certainly suggest to everyone,just to be on the "safe side",
to have his/her OS patched,either he/she..."trusts" his/her vendor or not.
In reality,where the actual problem lies,and it's pretty much clearly seen in here,
is that Microsoft's own development rhythm itself,
does not follow/"interpret" in the right way the "generally accepted practice"...

Notok
February 9th, 2006, 02:53 PM
With all due respect, I believe you may be relying on an outdated argument.

{QUOTE-> ...What happened then was that we decided we were going to get much more focused on security since it was such a huge issue for customers. ... it started with a security push where we took the teams offline relatively late in the product cycle, taught the teams what it meant to write secure code, had them do threat models and code reviews, etc.

What is interesting is how much of this had to do with educating our engineers on what it means to write secure code and changing the culture...

...

...there is a great process for security quality called the Security Development Lifecycle (SDL) that is designed to make sure that we act consistently as a company. This means having a well documented, repeatable process, great education that teaches people how to follow the process and the accountability to make sure that process is being followed consistently. A part of this accountability is something called the final security review (FSR) that my team executes on behalf the company to make sure that the process is actually being followed. At the end of the day, the product group that ships the product is accountable to make sure that the process is followed... <-QUOTE}
http://interviews.slashdot.org/article.pl?sid=06/01/26/131246



{QUOTE-> Litchfield, ironically, thinks Oracle is the exception in an industry where Microsoft, IBM and other big-name vendors have totally accepted the work of hackers to do independent code audits.

"The process is quite mature. It's not perfect, but it works," Litchfield said. "Occasionally things go wrong, but I won't say it's a broken loop."

"Look at Microsoft. Every year they release between 50 and 60 security bulletins. They don't cause a blip because they have a process that works very well. Of course, you have the occasional case when someone will post a zero-day but that's not because Microsoft is not responding. Microsoft has a perfect process to handle the back-and-forth with researchers reporting a vulnerability," Litchfield added. <-QUOTE}
http://www.smartcompany.com/article/Security+Disclosure+Debate+Erupts+at+Black+Hat/170124_2.aspx

Criticism is good as long as it's constructive, but when the people/company being criticized actually take it and do something with it, it's important to recognize that, otherwise there's just no point.

SP2 has been considered by the security community as a large step in the right direction, and this momentum is being continued, especially with the 64 bit platform which they are taking as an opportunity to start from scratch and enforce secure coding by all developers coding for the Windows platform - which is what it's going to take to attain any real measure of true security, especially in light of the fact that attackers are targeting apps more and more. It's going to take effort on everyone's part, not just Microsoft's, and that includes the end-user taking some precautions, including things like keeping up with patches.

If progress can't be recognized, then what's left? What's the point?

HandsOff
February 13th, 2006, 01:53 AM
People are funny...It seems like people were hesitant to say that they were using sp1, but as people began to voice specific issues, a number of people then voiced their agreement and put their chalk mark under the SP1 banner. I understand perfectly that people would just as soon avoid criticism, yet this was just a poll question, with the option of making comments.

I had to laugh when someone mentioned the psychological impact of calling an update a "critical Update". I have no problem with the term, btw, and yet it does appear that many people on some level, are very uncomfortable with taking a course of action after they have been told dozens of times (hundreds?, thousands?) that they are not doing something that is 'standard accepted practice', or is counter to anything that has been repeated over and over. I believe that it is a common defect of the mind to confuse more repeated with being more true. My opinion, and having read Notok's informative webpages, I think he might agree, about what is critical is this: Backing up your system on a regular basis and being very familiar with the processes of getting back up and running. If one can't do this, then I could see why malware holds terror for them.

Okay, here is my "outsider looking in" SP2 issue of the day. ADS (Alternate Data Streams). My logic works this way. If there is an operating system feature which is being exploited, a developer should start considering if its benefits outweigh its liabilities. On the benefits side, in this case, there is very little. We know that the ADS have a negative impact on drive defragmenting and other file operations. And then there is the issue of "best computing practices"... in my opinion, of course. I for one do not like features of the o/s that are for lack of a better word, taking place behind my back. We all know the kind of things that fall under this heading. Index.dat files, "super-hidden" files, ADS, etc...So, SP2 comes along, and one might think, well, why not get rid of some of this confusing dangerous stuff? Anyway, am I the only one wondering why we need a new mechanism that will badger the user with a question to proceed every time he does what for most people is a routine task? He will be asked over and over, until he either disables the feature, or clicks continue with the consistency of one of Pavlov's dogs. For this we leave another security liability in place.



- HandsOff

lotuseclat79
February 13th, 2006, 12:30 PM
I scanned all of the pages of this thread and could not find one reference to the following really very good reason to be running SP2 over SP1 despite all of the complaints about the upgrade.

Windows XP SP2 contains the following security feature:
The NX bit is set which disables execution of code in the stack space.

This feature, which is also in Windows Server 2003 SP1, goes a long way towards blocking buffer overflows, both intentional and accidental.

This is also a good reason why Apple's OSX will be more secure on Intel chips.

-- Tom
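
Added example, not part of any post in this thread: a small C model of the per-page check behind the hardware DEP / NX bit described in Alec's and Tom's posts. It shows why a stack page rejects an instruction fetch, why a JIT compiler's pages can still run once they are marked executable, and why the bit needs the 64-bit PAE entry format. Assumptions: a single leaf page-table entry, user-mode accesses only; the helper names (user_access, jit_seal, to_legacy_32bit) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural bits of a 64-bit (PAE / long-mode) x86 page-table entry. */
#define PTE_P   (1ULL << 0)    /* present */
#define PTE_RW  (1ULL << 1)    /* writable */
#define PTE_US  (1ULL << 2)    /* accessible from user mode */
#define PTE_NX  (1ULL << 63)   /* no-execute: exists only in the 64-bit format */

/* Architectural page-fault error-code bits reported by the CPU. */
#define PF_P    0x01           /* 1 = protection violation, 0 = not present */
#define PF_WR   0x02           /* faulting access was a write */
#define PF_US   0x04           /* faulting access came from user mode */
#define PF_RSVD 0x08           /* a reserved bit was set in the entry */
#define PF_ID   0x10           /* faulting access was an instruction fetch */

#define ACCESS_OK (-1)

enum access { ACC_READ, ACC_WRITE, ACC_FETCH };

/* Constructed sample entries (flags only, frame address left as zero). */
#define STACK_PAGE (PTE_P | PTE_RW | PTE_US | PTE_NX)  /* data: read/write, no execute */
#define CODE_PAGE  (PTE_P | PTE_US)                    /* code: read/execute, no write */

/* Returns ACCESS_OK, or the error code of the page fault a user-mode access
 * would raise. nxe models EFER.NXE; while it is 0, bit 63 is a reserved bit. */
int user_access(uint64_t pte, enum access acc, int nxe)
{
    int code = PF_US;
    if (acc == ACC_WRITE) code |= PF_WR;
    if (acc == ACC_FETCH && nxe) code |= PF_ID;

    if (!(pte & PTE_P))
        return code;                         /* not present: PF_P stays clear */
    if (!nxe && (pte & PTE_NX))
        return code | PF_P | PF_RSVD;        /* NX used without enabling it */
    if (!(pte & PTE_US))
        return code | PF_P;                  /* kernel-only page */
    if (acc == ACC_WRITE && !(pte & PTE_RW))
        return code | PF_P;                  /* write to a read-only page */
    if (acc == ACC_FETCH && (pte & PTE_NX))
        return code | PF_P;                  /* DEP: fetch from a data page */
    return ACCESS_OK;
}

/* What a JIT does after emitting code into a writable data page: drop write
 * access and clear NX, so the page is executable but no longer writable. */
uint64_t jit_seal(uint64_t pte)
{
    return pte & ~(PTE_RW | PTE_NX);
}

/* A legacy (non-PAE) 32-bit entry has no bit 63, so NX cannot be expressed. */
uint64_t to_legacy_32bit(uint64_t pte)
{
    return (uint32_t)pte;
}

int main(void)
{
    printf("stack write          : %d\n", user_access(STACK_PAGE, ACC_WRITE, 1));
    printf("stack fetch          : 0x%02x\n", user_access(STACK_PAGE, ACC_FETCH, 1));
    printf("code  fetch          : %d\n", user_access(CODE_PAGE, ACC_FETCH, 1));
    printf("code  write          : 0x%02x\n", user_access(CODE_PAGE, ACC_WRITE, 1));
    printf("sealed JIT page fetch: %d\n", user_access(jit_seal(STACK_PAGE), ACC_FETCH, 1));
    printf("legacy stack fetch   : %d\n",
           user_access(to_legacy_32bit(STACK_PAGE), ACC_FETCH, 0));
    return 0;
}
```

The model leaves out the upper levels of the page-table walk and supervisor-mode accesses, both of which also take part in the real check.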