Why are people not using SP2?

Taken from Alec's reply to HandsOff:

"Your level of paranoia is something to be proud of,I suppose.
If you really are so fearful and anti-Microsoft as to not run Notepad and Paint,
I'm not quite sure what you are doing running a Microsoft OS at all.Seriously.
Perhaps you would be better suited to Linux or OS X?
I can recommend both as quality alternatives (albeit not for everyone, IMHO)."

Excuse me...but i don't see any "level of paranoia" in here.
Notepad,Paint and the whole MS product suite is CLOSED-source.
Meaning I don't have ONE single reason to trust them,their apps,or assume they've done proper auditing on them.
Their history has shown exactly the opposite all these years.
Although without serious evidence,they have also been accused numerous times for placing "backdoors",
even from the NSA...and as far as I know,at least Germany and China have decided/stated,
they will replace MS with some custom-made Linux version,
in their goverment offices/organizations,exactly because they don't trust MS.
Are they paranoid also?
And in my poor opinion,I can recommend both Linux or OS X as quality alternatives to anyone...
------------------------------------------------------------
Taken from Alec's reply to...me:

"Those vulnerabilities previously listed were only mere examples of security problems,
discovered post-SP2 that were found to affect SP1 systems and,not SP2 systems.
I do not wish to be distracted into a long conversation about each,that was not the point...
We are not talking about specific one-offs discovered and fixed,
rather we are talking about general classes of vulnerabilities made less likely."

..."made less likely"...well,excuse me,
but does a re-compiled gdi32.dll ring a bell to anyone?
-And if answer is yes...nop,you don't exactly win a prize

At first,you describe them as:
"...serious security vulnerabilities that exist in SP1 that do not exist in SP2".
Then:
"Those vulnerabilities previously listed were only mere examples..."
And finally,
"We are not talking about specific one-offs discovered and fixed..."
I'm confused...what exactly are they at last?

I also wouldn't like to be distracted into a long conversation about each exploit/fix discovered,
they are numerous in MS systems after all.
But (in your 1st post at least),they were presented as "proofs" that SP2 is more secure than SP1.
"Proofs" must be accompanied by descriptions that can stand for them:
since you didn't supply these descriptions,
I just searched the MS site for them...with the results that I already posted.
Sorry-if someone wanted to convince me that SP2 is more secure than SP1:
a)he/she should have searched/provided far more better examples than these,
b)he/she should have provided descriptive evidence for them.

" As to your commentary about re-compilation in general and your pointing out the WMF exploit...
you obviously do not understand the difference between a stack overflow vulnerability and a heap overflow vulnerability."

In what way can this be taken seriously?
One person has a "level of paranoia",
the other one "obviously" cannot understand...
with no offence to anyone:are we mentally ill/disrupted somehow?
Allow me to remind that...
there's also a difference between characterizing people and just commenting their opinions.

 

The point is that those were only a few examples, there's a lot more, many without workarounds. Being that I don't memorize each and every vulnerability found and what systems they do and do not apply to, I can't give you a lot of examples, but if you pay attention to the announcements you'll find many. This was particularly pronounced in the months shortly after SP2 was released as the malware writers dissected all the fixes, knowing that most people won't install it.

Honestly I think this subject is getting far more heated than it ever really should have by any reasonable measure. This is a good thread, but it would be nice if we could return to a more objective discussion. If you choose not to install SP2 that's entirely your perogative, but to say that SP2 doesn't add any actual security is not true, and I haven't seen any solid arguments (here or elsewhere) to the contrary. There are a lot of worms that would not have spread as widely as they did if SP2 had been more commonly installed.. that's a point that I've seen nothing but agreement on by the pros and experts.

Please do keep in mind that you're in a public forum that is frequented by many less knowledgable folks that are simply trying to get some facts to get themselves protected. Making a lot of arguments about SP2 being useless will be seen as a recommendation. I personally don't understand how or why this thread's existance could be such an intimidation to anyone, how it could have really been that offensive.

IMO, installing SP2 is one of the least of things that a user looking to strengthen their security can do. It's a baseline measure that should generally be followed unless there is some particular reason specific to their circumstance that leaves them unable to do so. Hardening is great, but it is never meant as a permanent solution, but rather a temporary workaround until a true patch is released. What happens when you need to use that component? Continuing to use the hardened settings isn't always a bad idea, but the fact remains that such measures are only ever meant to be a temporary workaround, and applying patches is always recommended. Users would also need to be aware of what all they have, which isn't always easy. XP Pro has IIS installed and enabled by default, for example.. so the answer to the question about who would have it installed is: Everyone that uses XP Pro, and that's just one example.

 

Notok,these were the best comments someone could do;i really don't think i could agree more on them.

Security is a matter of knowledge plus configuration,for whatever OS.
Security is not a matter of a Service Pack number 2.
And it's also not a matter of "open-sourcing" the whole earth's code.

...in my small country,Greece,I've seen people aged at 33,that have been using PCs since Commodore,Amstrad etc.,
and using MS Windows for the last decade and more,telling me:
"I have SP2 and my router,why do I need ZoneAlarm?To waste my memory?"
(Nop,I do not work for/advertize ZoneAlarm):
This man was repairing people 's faulty hardware configurations in the previous years,generally speaking,
he was really good in what he was doing and respectable,and nowadays,he has managed to own his own PC tech-store.
You might say,so what,we live in USA,UK,whatever.
Point is,I don't give a damn how much of an "expert" someone is considered:
It would be really "easy" to just suggest to "simple users","get a router and SP2":
in about 9 out of 10 times,this will save most users' b*tt.
But it's that 1 out of 10 possibility that makes the difference,
the one that points in people's own freedom of choice,searching for knowledge and development of criteria.

I strongly believe that someone can't clearly judge something,if he/she is under strong influence of it's use and culture...
For example,judging computing on SP1/SP2 or Vista etc,without firstly having a basic knowledge/view of unix's security.
In this particular example,if people don't have this kind of knowledge,then they'll always rely on:
a)Microsoft's products,
b)Microsoft's comments on their products,
c)sporadic experiences/opinions by other Microsoft's products' users,either "knowledgable/experts" or not.
When i see 17 posts before my reply,more or less stating that SP2 is "superior" and "better" than SP1,
to me,that's not only a false sense of security,but of criteria also.
Are people afraid of openly accusing SP2 and not believing in it's "features"?
Can't they find the words/convincing reasons to express it?
Or does it go by the "general rule" of consuming,"the newer the better"...
buy it now and we will find excuses for that later?
And I blame Microsoft's "culture" for this:
People,even "simple users",with no technical background at all,
should develop a more "harsh/strict" way of judging software products,
Microsoft doesn't help people on this for various reasons,
that's what makes me pretty harsh/strict in my judgements towards them,and more "unix" passionate at moments...

As a synopsis,my main argument would be,
that without good/"heated' threads like this one,
where some people stood up to speak against SP2 with their own criteria,
-either they were right or wrong-,
every SP or OS should be seen useless as a recommendation...

 

Except that the facts are against you, not for you. I've yet to see a single fact to indicate that SP2 doesn't add security.. to the contrary, I see security researchers, experts, and professionals giving plenty of examples of vulnerabilities that did not affect SP2.. and honestly, all I've really seen to the contrary is speculation on intent and stability. Some may have had problems with install, but most of that comes down to installing SP2 on an infected machine, and there's always risks with installing anything at all.

And nobody is disagreeing wth that, only your apparent interpretation. That statement is saying that security goes beyond any single measure.. if you look around, you'll see that's what this entire forum is all about. Nobody is saying that SP2 is all you need, I haven't seen a single person on this board even imply that.. rather it's a baseline measure that should be done before considering 3rd party options. As far as that goes, security goes well beyond any third party application.

Right, except that patching actually shows results.. and has repeatedly, both for me, other members, other techs, and other security pros and experts. As for needing "heated" threads, riling up people's emotions, putting them on the defensive, is only counter-productive. Rational discussion, however, with well thought out points, is how you get others to consider your opinion and facts. Turn it into an argument and the best you're going to get is people pretending to agree with you just to end the argument.

 

Quote:
"Except that the facts are against you,not for you.
I've yet to see a single fact to indicate that SP2 doesn't add security."

Since I 've NEVER submitted a SINGLE "fact" to indicate that SP2 doesn't add more security "against" SP1,
how can I be blamed for this?
Other people submitted "facts",and I pretty much think I proved that(until 'now):
a)These 'facts' weren't the best examples a SP2 supporter could supply.
b)That if someone examines carefully fixes/features towards bugs/instability,
depending on the situation,he/she might have every good reason not to install SP2.

So,for the 3rd time in this thread...i repeat:
SP2 is about as secure as SP1.Period.
If someone doesn't like the "Period" quote of mine,he/she should note the "about" in this statement.
Where does someone,expert or not,see in that statement,
along with everything else I have described,that SP2 is LESS secure than SP1?
Only in the obscure case of someone who doesn't read AT ALL the rest of the comments,
he/she might have a chance of accidentally assume their equally secure...

Quote:
"And nobody is disagreeing with that,(" Security is a matter of knowledge plus configuration,for whatever OS".),
only your apparent interpretation...
Nobody is saying that SP2 is all you need,I haven't seen a single person on this board even imply that...
rather it's a baseline measure that should be done before considering 3rd party options...."

Apparently it's difficult,either for me or for people,to "intepret" my point of view...
either because of my limited knowledge of English vocabulary ,
and furthermore 'cause it's "less" practical at first look:
for me,as already explained,the first security "baseline measure",
is people's criteria towards operating systems policies and philosophy.
For example,I don't think we would ever ask a dedicated GNU/Linux or OpenBSD user to comment SP2 security...
and expect him/her to reply seriously.

Quote:
"Right,except that patching actually shows results...and has repeatedly,both for me,other members,
other techs,and other security pros and experts.
As for needing "heated" threads,riling up people's emotions,putting them on the defensive,is only counter-productive."

Education of people pretty much develops more advanced/strict criteria:as a logical consequence,
pressure towards big companies and software monopolies tends to grow that way,
and this has historically showed much greater results than just "patching".
Critical thinking is usually a fairly enough "heated" feeling,
it's not just a bunch of statements/"proofs" to be served in a "cold" audience,
that has learned to clap on whoever gives the "easy solution".
By only having a general interest in security,sooner or later,someone has to face much more difficult questions,
and has to be both mature,clear-minded and "heated" at the very same moment,to make the right decisions...

"Turn it into an argument and the best you're going to get is people pretending to agree with you just to end the argument."

I am not into people's minds.And I wouldn't want to be.
But I surely didn't saw anyone to agree with someone just because he/she couldn't avoid it.
If that was the case,I wouldn't be replying right now:no actual freedom of speech,no talk from me.
In fact,the only argument I would ever do,would be about that matter:
if someone wants to argue,either he/she should go take some clean air,
or just do it somewhere away from me and the people that I'm talking to.
By saying "heated",I meant the way of thinking,not...fighting or arguing.
If anyone-once again,got 'misguided" by these words of mine,
he/she should remember that this is a public forum after all,not a...box ring.

 

Hi everyone-

So What raises a lot of interesting points. I too, noticed an avalanch of SP2 is superior statements at the beginning of this post. So What says seventeen, and I have not gone back and counted them, but clearly it was an entirely one sided response, moreover the response seemed to carry with it accusations that most of the people were running stolen software.

When the thread caught my eye, I thought to myself, 'this will be interesting. I know I had all kinds of problems when I tried to install SP2. Maybe when I read what difficulties others were having, I'll get some idea as to where I went wrong.' Since SP2 crashed my system twice, I have largly lost interest in whether it is more secure or not. I don't want to waste any more time on it until I start getting some idea of what went wrong last time.

Judging from the responses I have seen people are reading the title of this thread as:

Why people are not using SP2? rather than what it does say,
Why are people not using SP2?

In the second wording, it would seem that a question is being put out there for users of SP1 as to why they are not using SP2.

In the first, and not the actual wording, the tone is consistant with a thread where the reasons why people are still using SP1 are all already known to them, and they, and like minded people, are going to make these reasons known to the rest of us.

If such a thread were to exist, it would only have any interest if the author of the thread was a proponent or user of sp1. If such were not the case, the statement would indicate that the sp2 using author of the thread believes he knows all the reasons, and none could possibly be valid, save the possibility of software incompatability in a small percentage of cases.

The problem with a scenario where only people who think sp2 is superior are providing the reasons for people are still using sp1 is that by and large they are fabricating the reasons. That is obvious isn't it.

Alec uses the term disengenuous and applies it to a reason put forward by someone who actually is using sp1 and is providing a reason they are. Good reason or bad reason they are answering in a way that I, for one, do not doubt as being genuine. A dictionary definition might help to clarify.

Adjective: disingenuous
Not straightforward or candid; giving a false appearance of frankness.

A topical example of correct usage might be. The disingenous author of this thread, appeared to be posing a question, not stating an opinion.

Anyway, I guess we had better agree on what the topic of the thread is, at the very least, before we offer any more responses.


-HandsOff

 

Blame it all on me, I started this. Joking. I said this:

 

zabjb-

I wasn't trying to zap you! One thing I hope I made clear, though, is if you want to know why someone is using sp1, then it makes sense to listen to the people that are using, since, presumably, they know the reason why they are doing so.

Also, I am enjoying this thread too, and I realize much of what has been said has been in a sort of bantering tone, and not, I think to roast people.

However, a couple of things do bear mentioning.

I have read the suggestion, not just in this thread, either, that myself, and others may be putting others in harms way by espousing our points of view, or when it comes right down to it, for defending ourselves from personal attacks.

Wrong, wrong, wrong! By examining all of the issues I believe we are better able to make informed decisions. Microsoft has a long shameful history when it comes to being secure, or ethical. The price they pay is that they do not have much credability. Since no one is arguing that they have been solid performers in this area, I think we are all in agreement on this point. That leaves only the technical merrits of SP2 to mitigate this.

The problems here is that since the code is not open, and Microsoft has no credibility, what do we really know? All we Know is what we are told.

While the technical stuff is way over my head, I have read some stuff, and I wish I understood it better. It has been suggested that the casualties of SP2 will include all programs that use Just in Time programming. I read on Microsofts very own website that, in fact, one reason this is a good thing is that it promotes "best practices" in programming. So apparently, sp1 allows the kind of programming that should not be occuring in the first place. But then two things come to light.

1- the .NET framework will not be able to run in sp2. The irony here, is that this is something Microsoft has been pushing very hard as cutting edge programming

2- .NET will run after all, because Microsoft has written sp2 in such a way as to ignore its non-compliance with "best practices".

This opens the door to other questions, like, won't Sun Microsystems be dealt a serious blow by these standards? Are they going to exempted from the rule too? If not can the supposed new protection be disguised as JVM or .NET?

Actually, these are just the beginning, but, as I said before, it's all academic to me since SP2 does even run well on my computer. If it did I'd be asking a lot more questions.


-HandsOff

 

Ah HandsOff you brought up an interesting point. Although I am a happy user of SP2. In fact I kept my SP1 running well. When I installed SP2 it took like 45 min or so to install, reboots included. But immediately after the SP2 install my computer was noticeably faster.

To my point. Although I trust & see the benefit of SP2. I avoid .NET Framework all versions like the plague. I think .NET is malicious. Every time I'm reviewing new software & preparing to try it out. Then I see it requires .NET. I swear a little & pass on the software. I was frustrated because I wanted to try nLite because it at 1 time it required .NET. But the demand was such that the maker of nLite made separate runtimes. So .NET wasn't required. Great program btw.

 

I got sp2 with dial up.. I cant recall how long it took though.

 

http://www.stillsecure.com/docs/StillSecure_DenverPost_Honeypot.pdf (PDF)

 

45 mins was the install time. Downloading SP2 took me like 12-15 hrs afair.

 

Hi Notok,


I do appreciate you are presenting concrete examples and focusing on this issues here. I have heard of tests like that, but what are we bragging about here? that a computer that is not even browsing or using emails or downloading or instant messaging is able last a few hours without being wiped out? I would just expect any o/s that was designed for use on the interenet would be absolutely invulnerable...for months and years!

Anyways, until they perform such a test with a computer with a security setup close to mine, I can't honestly see any relevency to me. It's sort of like telling me that a passenger in a car that crashes into a brick wall at just 5 miles per hour is at a high risk of being fatally injured ---if the rider was strapped to the front bumper! And then offerng that as proof that 5 mile per hour crashes are very likely to be fatal to all passengers. Needless to say my passengers do not ride strapped to the front bumper. Give me a break!

--------------

Does anyone know anything more about this: I thought I read that SP2's DEP will impose a 4 GB limit on memory usage. I kind of wonder why that is. is there a lot of overhead involved in this registered memory scheme? I thought not. 4 GB is a lot of memory, but I was sort of hoping prices would go down and machines could soon be configured with the entire O/S, system cache, and most used programs all loaded into memory. Imagine the speed if you had a system like that. I can dream, can't I!


-HandsOff

 

http://www.avantgarde.com/ttln113004.pdf

Here's another nice OS testing,
although 3 months older than StillSecure tests,
done by the well-known Kevin Mitnick ;-)

In short,Mitnick's honeypot-style tests on 6 OSes resulted in:
"These two machines (standard Linspire installation,
or a XP SP1 installation together with ZoneAlarm),
were the most effective at reducing the visibility of the computer from hackers while online,
and preventing Internet attacks from successfully loading arbitrary malicious code without permission."
The other OSes were:
Microsoft Windows XP Service Pack 2,
Microsoft Windows Small Business Server 2003,
Microsoft Windows XP Service Pack 1(without ZoneAlarm),
Macintosh OS X 10.3.5.

More or less,what both papers conclude,
is that the standard SP1 installation,without at least the MSBlast patch,
gets your machine hacked in only a matter of minutes.
So far,nothing new or unexpected actually.
But what I would really be interested to see,
would the same type of tests to take place now or,even more,in about a year or so:
would the standard SP2 installation,without at least the WMF-Exploit patch,
pretty much get the same results?
Time will tell...

P.S.1:Once again,for not getting myself misunderstood,
i feel I should mention i'm not in any connection/advertizing ZoneAlarm.
P.S.2:Honeypots' main use is:
a)for tracking down hackers'adresses,
b)for extracting statistics for the frequency/types of attacks.
So,whatever honeypot test towards...OSes,with only 4,5 or 6 machines taking place,
should be considered as nothing more than just a "laboratory experiment",
with interesting but surely questionable results.

 

Some commentary since this thread seems to be running off course to some extent:

• The "burden of proof" in terms of reasons to not install SP2 should be on those making specifically that case, since they are the ones arguing against the generally accepted practice associated with all operating systems and software applications of staying up-to-date with vendor/developer supplied patches. I had thought this was nearly self-evident since almost every computer expert will advise staying current with patches, no matter what the operating system.
  
  
• Contrary to what I believe "sowhat" was attempting to argue, I don't think that anyone in this thread advocated SP2 as a complete security panacea. By all means, keeping one's self educated in general about threats and vulnerabilities is the most important security step one can take, closely followed by surveying a multitude of security tools and utilities to see which work in your environment and fit well with your own tastes and philosophies. Do not rely on patching alone.
  
  
• If interested in .NET, I would advise the creation of a new thread. As far as I am aware, there is no newly imposed elimination of or restriction placed upon .NET with the advent of SP2. By "Just In Time Programming", I am assuming you mean "Just In Time" compilation or JIT compilation. Discussion of this seems way beyond the scope of this specific thread, but let me just say that I am not aware of anything inconsistent between best programming practices, JIT compilation, SP2, and/or security. Please be more specific and, perhaps, provide references so that I might more clearly understand your concern.
  
  
• With respect to 'expectations', you need to be careful with these when it comes to software. You might "expect any o/s that was designed for the internet would be absolutely invulnerable.... for months and years", but I would argue that this would presently be a false expectation with respect to most operating systems. In fact, I would argue that it is largely a myth. I could install nearly any distribution of Linux, Unix, Solaris, or virtually any other alternative operating system; and within a few weeks most would have outstanding vulnerabilities that would require patching. Patching is required on virtually every system designed by the human mind. That is why it seems ludicruous to many of us that some seem so adamantly opposed to patching Windows with SP2. Even OpenBSD, one of the most security audited of "common" operating systems, issues security and reliability patches on a fairly routine basis.
  
  
• Data Execution Prevention (DEP). I am unaware of any 4GB limit on memory usage associated with DEP. You may be confusing this with the 4GB limit on memory usage imposed by 32-bit processors. A 32-bit processor has a memory address bus width of only 32-bits and utilizes memory pointers that are only 32-bits in width. 2^32 == 4,294,967,296 addressable bytes or 4GB of information. Now, there exist various schemes such as Physical Address Extension (PAE) and Address Windowing Extensions (AWE) that are meant to allow 32-bit CPUs to address large memory amounts, but largely these can be seen sort of as hacks. The real solution to higher memory requirements is a shift to 64-bit processors. Theoretically, a 64-bit processor allows up to 17,179,869,184 GB (or 16 exabytes) of RAM; although, if I recall correctly, most 64-bit operating systems divy up the address space in ways that don't really allow that theoretical limit for any one process. Hardware DEP requires processor support, and hardware DEP simply associates a hardware enforced no execute bit flag with memory pages. Memory pages that are supposed to contain data only are marked with this bit flag, and the processor will ensure that no code is ever executed from such memory pages.
  
  
• My use of the word disingenuous. While perhaps not the exact word I was looking for, I still feel it to be somewhat misleading for someone angry about Comcast spyware to be alluding to similar problems or suspicions of problems with Microsoft spyware. To each his own. It's off-topic in any event.

 

Okay, since responses you don't agree with are off topic, you will be glad about what I am going to post.

I went over to a graphics forum and posted this poll question. Obviously, it is not scientific in any way, I don't think I even have the ability to see the identities of the voters, but I will be honest to say that the result was other than what I expected. Since I would have posted the expected result, I feel honor bound to post this....this....abomination!

Still, it remains a moot point for me, due to my compatability issues, and no pressing need to install this. However, it would seem that I am not only to suffer the slings and arrows of outrageous criticism, I am going to have to suffer all by my self


-HandsOff

 

Quote:

"I could install nearly any distribution of Linux,Unix,Solaris or virtually any other alternative operating system;
and within a few weeks most would have outstanding vulnerabilities that would require patching."

Yeap,I agree on that,just 1 single well-written exploit,
can tear down the whole security strengths/"myths" of about every OS out there.

Quote:
"Even OpenBSD,one of the most security audited of "common" operating systems,
issues security and reliability patches on a fairly routine basis."

OpenBSD,on the exact opposite of Microsoft,does exactly that;
they MAINLY issue patches towards recently discovered vulnerabilities,
instead of developing their...2010-expected OS(!) or releasing Longhorn betas(not even Vista),
while they haven't even manage to audit their...2004-dated SP2 code.

Something quite interesting to be taken under consideration,especially take notice of the last phrase:
“Of Netcraft's list of the top 50 web sites,47 run BSD,
and the number 1 place is held by a FreeBSD system which has been up for 1726 days”:
http://www.computerworld.com.au/index.php/id;1357495171;fp;16;fpid;0

Then,check Netcraft 's actual recent list with the,
"Sites with longest running systems by average uptime in the last 7 days":
http://uptime.netcraft.com/up/today/top.avg.html

Of cource,the "fingerprints" of both the OSes and the servers they 're running,
could be 'spoofed" by the admins,just to make the job harder to possible attackers.
In some cases it's pretty obvious also,for example,
BSD/OS was discontinued from sales at the end of 2003,
it's support was terminated in the end of 2004,
and allow me to doubt if a BSD/OS is running...Microsoft-IIS/5.0.

Point is that these OSes have been up and not hacked,not for...minutes,but years,
meaning,either they have been updated with fixes or not,
they almost certainly did not have their WHOLE kernel recompiled:
a)this would require a re-boot(or even more than one),
b)especially in the case of the BSD/OS workstations,that's pretty much simply impossible,
'cause as already mentioned,it's a discontinued product.

So,who can accuse these OSes for not following the:
"generally accepted practice of staying up-to-date with vendor/developer supplied patches"?
If they were to follow this practice,
some of them should at least format and switch to a different and not...discontinued OS!

Ok,let's get this straight,'cause one might say that...
these are fairly special cases/exceptions to the "rule","simple users" must not be..."misguided" etc...
And I agree with that in more than one way:
"contrary to what some people might believe that I...argue",
I never claimed that anyone in here "advocated SP2 as a complete security panacea"...
(Panacea...nice word,it's greek too )
I certainly suggest to everyone,just to be on the "safe side",
to have his/her OS patched,either he/she..."trusts" his/her vendor or not.
In reality,where the actual problem lies,and it's pretty much clearly seen in here,
is that Microsoft 's own development rhythm itself,
does not follow/"interpret" in the right way the "generally accepted practice"...

 

With all due respects, I believe you may be relying on an outdated argument.

http://interviews.slashdot.org/article.pl?sid=06/01/26/131246

http://www.smartcompany.com/article/Security Disclosure Debate Erupts at Black Hat/170124_2.aspx

Criticism is good as long as it's constructive, but when the people/company being criticized actually take it and do something with it, it's important to recognize that, otherwise there's just no point.

SP2 has been considered by the security community as a large step in the right direction, and this momentum is being continued, especially with the 64 bit platform which they are taking as an opportunity to start from scratch and enforce secure coding by all developers coding for the Windows platform - which is what it's going to take to attain any real measure of true security, especially in light of the fact that attackers are targetting apps more and more. It's going to take effort on everyone's part, not just Microsoft's, and that includes the end-user taking some precautions, including things like keeping up with patches.

If progress can't be recognized, then what's left? What's the point?

 

People are funny...It seems like people were hesitant to say that they were using sp1, but as people began to voice specific issues, a number of people then voiced there agreement and put their chalk mark under the SP1 banner. I understand perfectly that people would just as soon avoid criticsm, yet this was just a poll question, with the option of making comments.

I had to laugh when someone mentioned the psychological impact of calling an update a "criticle Update". I have no problem with the term, btw, and yet it does appear that many people on some level, are very uncomfortable with taking a course of action after they have been told dozens of times (hundreds?, thousands?) that they are not doing something that is 'standard accepted practice', or is counter to anything that has been repeated over and over. I believe that it is a common defect of the mind to confuse more repeated with being more true. My opinion, and having read Notok's informative webpages, I think he might agree, about what is criticle is this: Backing up your system on a regular basis and being very familiar with the processes of getting back up and running. If one can't do this, then I could see why malware holds terror for them.

OKay, here is my "outsider looking in" SP2 issue of the day. ADS (Alternate Data Streams). My logic works this way. If there is an operating system feature which is being exploited, a developer should start considering if its benefits outweigh its liabilities. On the benefits side, in this case, there is very little. We know that the ADS have a negative impact on drive defragmenting and other file operations. And then there is the issue of "best computing practices"... in my opinion, of course. I for one do not like features of the o/s that are for lack of a better word, taking place behind my back. We all know the kind of things that fall under this heading. Index.dat files, "super-hidden" files, ADS, ect...So, SP2 comes along, and one might think, well, why not get rid of some of this confusing dangerous stuff? Anyway, am I the only one wondering why we need a new mechanism that will badger the user with a question to proceed everytime he does what for most people is a routine task? He will be asked over and over, until he either disables the feature, or clicks continues with the consistency of one of Pavlov's dogs. For this we leave another security liability in place.



- HandsOff

 

I scanned all of the pages of this thread and could not find one reference to the following really very good reason to be running SP2 over SP1 despite all of the complaints about the upgrade.

Windows XP SP2 contains the following security feature:
The NX bit is set which disables execution of code in the stack space.

This feature, which is also in Windows Server 2003 SP1, goes a long way towards blocking buffer overflows, both intentional and accidental.

This is also a good reason why Apple's OSX will be more secure on Intel chips.

-- Tom