Firms cautious on Windows XP fix

Discussion in 'other security issues & news' started by the mul, Aug 16, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Jul 31, 2003
    Firms cautious on Windows XP fix

    Though warmly received by computer security experts, the sheer size and complexity of Microsoft's latest SP2 service pack for its Windows XP operating system may slow its widespread adoption, especially by corporate users.

    The Redmond, Washington-based software giant had earlier predicted that 100 million users will download and install SP2 in the first two months after its August 6 release.

    Just a few days later, Microsoft conceded that the technical challenges of installing such a complex upgrade might prove too overwhelming for some users. Microsoft now says that instead of installing the upgrade by default via the automatic update mechanism active in most XP desktops, users can now choose not to install SP2, but the automatic update function will still download and install other non-SP2-related patches and fixes to the system.

    ``[Some] customers have asked for the ability to temporarily block the delivery of SP2 in order to provide additional time for validation and testing of the update,'' said Penny Cheung, Microsoft Hong Kong marketing manager.

    ``The mechanism to temporarily disable delivery of Windows XP SP2 will be available for a period of 120 days from August 16. At the end of this period, on December 14, 2004, Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems regardless of the presence of this mechanism,'' said Cheung, who added that Microsoft did not have to revise down its 100 million target because of this decision.

    Microsoft's latest move came after IBM told all its employees not to install SP2 until internal testing was completed. For corporate IT decision makers, this caution is based on fears that the security-minded SP2 will disrupt the operation of mission-critical corporate IT applications.

    ``For enterprises, mass deployment of SP2 isn't a practical reality, and companies should treat SP2 as an operating system upgrade, not just a service pack update,'' said Forrester Research analysts Simon Yates and David Friedlander. Corporate users typically take much longer to install an operating system upgrade than a simple service pack update.

    The SP2 is a product of months of effort by Microsoft engineers to tackle the security loopholes inherent in the Windows XP operating system that left it an easy target for malicious software (malware) such as worms and viruses. ``When Microsoft was designing Windows XP, we had not envisioned the kind of hostile environment it would be operating in today,'' said Steve Riley, head of security product management at Microsoft.

    ``The new service pack will update the foundations of Windows XP to make it more resilient to attacks,'' said Riley. ``Up until a few years ago, our customers were telling us they wanted PCs to have lots of functionality without too much restrictions on their use. The outcome was computers that are easy to use, but exceptionally insecure,'' he said. Riley called SP2 the most important piece of software in the history of Microsoft, even though it is available free from the company website or via a CD-ROM disc. There are reports that Microsoft has diverted resources from the development of their next-generation operating system, codenamed Longhorn, in order to focus on the SP2 rollout.

    SP2 is a collection of architecture changes designed to strengthen computer security at the expense of compatibility with programs and applications. It will switch on the computer firewall program within Windows XP by default, and will alert users to any internet programs and applications that require access to computer data and resources. All such interactions with external and network agents will become strictly permission-based. Even if hackers manage to gain access, the changes will make it harder for them to control machines remotely.

    Apart from IBM's well-publicised doubts, Microsoft's own products also fell prey to the strictures of the ultra-cautious SP2. Even before SP2's release, Microsoft asked users of their CRM 1.2 (customer relationship management) product to install updates to the software so it would operate properly in SP2. It is also understood that the delay in launching SP2 was due to problems encountered in compatibility testing. Before its official release Microsoft distributed test versions of SP2 to software developers and IT professionals for evaluation to iron out potential problems.

    Enterprise application vendor Peoplesoft said the SP2 challenge facing IT departments in organisations will depend on the technology used in the applications. ``The greater the application interactions with the operating system, the greater the considerations that need to be taken,'' said Peoplesoft regional director of industry and product marketing Ray Kloss. He stressed that the impact on Peoplesoft customers will be low.

    Kloss said the SP2 impact for organisations running enterprise applications was likely to be restricted to the user desktops, as applications are administered and run from servers, which are outside the scope of the SP2 changes. Many of the latest applications are Web-based, making them susceptible to the SP2 changes governing the Internet browser. Kloss said much will depend on the architecture and design of the application.

    ``Peoplesoft's products only send HTML to Web browsers on user desktops. However, other vendors' products may send applets and plug-ins to user desktops, where it gets executed, and that is where it gets more complex,'' Kloss said.

    Hong Kong-based Internet solutions provider Outblaze said large organisations already have levels of protections on their computer systems, and their security needs are not as pressing as individual PC users.

    ``For individual end-users who are likely to be susceptible to spyware and worms, SP2 should be mandatory. Corporate users tend to be better protected, so it boils down to what the IT department thinks is best,'' said Outblaze chief executive officer Yat Siu. ``For an enterprise corporation there is usually a trade-off involved in these decisions, however this is a choice best left to the technical departments of companies that are considering upgrading to SP2,'' said Outblaze managing architect Yusuf Goolamabbas. He said companies should not rely exclusively on SP2 to address all their computer security issues. ``SP2 is one layer of a security system that users should use. It needs to be combined with a decent firewall, ideally hardware-based, and updated anti-virus software.''

    With corporate users generally adopting a wait-and-see policy on SP2, Microsoft has noticeably changed tack on its advice to customers in recent days. Instead of a one-size-fits-all approach, Microsoft is tailoring advice for different groups of users. Home and small business users should install SP2 immediately, but IT professionals and ``decision makers'' are advised to ``begin testing and planning for deployment''.

    After the painstaking effort involved in acquiring its new security consciousness, Microsoft is unlikely to stop here. Microsoft's Riley said Longhorn will build on the security features offered in SP2. It will also move into the anti-virus solutions market.

    ``Microsoft plans to offer complete anti-virus solutions in the future, including engines and signatures. Our plan is to make our AV solution be part of pay-for products and services.''
