Windows XP SP2 more secure? Not so fast

21/08/2004 - 12:09 by Jose V.
(ZDNet)

It's late. It's large. But Microsoft's much heralded Windows XP
Service Pack 2 has finally arrived. Right now, manufacturers and
large-systems operators are getting their first look at the final version of
SP2. By the end of August, automatic desktop downloads will be available via
Windows Update, then on free CDs.

At first glance, the release suggests that Microsoft has finally become
serious about upgrading Windows' security. But before you get too excited,
let me take a moment to slice through some of the hype coming out of
Redmond, Washington. When it comes to eliminating Internet threats, there's
still a lot of work yet to be done -- both by Microsoft and by you and me.

Windows XP -- the second edition

Windows XP SP2's biggest news is the new Windows Security Center -- and it's
about time. Now, from one location within Windows, complete with system-tray
alert notifications, you can monitor whether your antivirus and firewall
protection are enabled and whether Windows is up-to-date with the latest
patches. Windows XP SP2 also improves its built-in firewall (now called
Windows Firewall) and turns it on by default, blocks pop-ups and malicious
code within Internet Explorer, and turns off HTML images (such as spam
pornography) within Outlook Express.

Some XP SP2 changes are harder to see. Microsoft used this release to harden
its operating system; in other words, Microsoft recompiled all its Windows
system binaries to include a new flag, GS, which will mitigate buffer
overflows, a common method used by criminal hackers (crackers) to overwrite
legitimate code with malicious code on your PC. A buffer overflow is the
method the Sasser worm used to infect PCs. Windows XP SP2 also makes
important changes to core Windows components, such as DCOM and RPC (flaws
within the DCOM RPC led to the damaging MSBlast attack last year). And SP2
will also bring every Windows XP system up-to-date, whether or not you've
ever performed a Windows update post-install. Once you've installed SP2,
you'll have SP1's updates plus all the security patches released up through
MS04-025.

No more buffer overruns? Read the fine print

Are we all clear now, then? No need to worry about malicious attacks that
take advantage of Windows weaknesses? Not so fast. To fully block the
aforementioned buffer overflows and the Internet worms that feed on them,
you'll need to follow the fine print: turns out the necessary No Execute (NX)
setting isn't present in the current hardware architecture of most 64-bit
and 32-bit processors on the market today. This Data Execution Prevention,
or DEP, is currently available only on newer AMD and a handful of Intel's
Itanium server chips. In other words, the new Windows DEP changes won't help
you unless you're running XP SP2 on a machine with AMD or Intel Itanium
processors. My colleague, David Berlind, has suggested that large companies
looking to upgrade their hardware fleet should wait until after the first of
the year, after Intel has released its chips.

For you and me, it's going to take even longer before this final layer of
Microsoft data protection trickles down. Not everyone will upgrade their PCs
based on the fact that these new chips won't execute malicious code, and
unless you're particularly anxious about buffer overruns, the new security
probably isn't a compelling enough reason to hold off purchasing a new
desktop PC. In fact, you and I are likely to see good prices on the old
chipsets as soon as the new DEP/NX chips hit the market early next year.

And, of course, pre-XP Windows operating systems still have a sizable share
of the PC market and have numerous vulnerabilities that SP2 won't fix -- all
targets for virus writers and script kiddies. It's going to take years for
all the new hardware and software changes introduced to Windows XP to
trickle down to the masses worldwide. In the meantime, I expect to see about
the same level of virus-writing activity, if not more, as virus writers
attempt to snag XP customers before they upgrade.

No more Internet worms? Read the fine print

And remember what I said above about the XP firewall? That it's new and
improved? Well, I need to qualify that statement. Despite the firewall's
improvements, it's not invincible. A month ago, I asked Fred Felmen, vice
president of marketing for Zone Labs, what impact Windows XP SP2 might have
on third-party firewalls such as Zone Labs' ZoneAlarm. He said the Microsoft
firewall protects only against inbound threats, not outbound threats, such
as keystroke-logging Trojans that report your passwords and credit card info
to others. Also, the lack of outbound protection means your infected PC
could still participate in distributed denial-of-service attacks. In short,
I recommend keeping your third-party firewall enabled alongside Microsoft's.
Two firewalls are better than one.

Finally, since we're talking about Microsoft software here, it's entirely
possible that virus writers will soon write code that turns off the Windows
Security Center, or at least leads it to falsify its status reports (saying,
for instance, that a security measure is enabled when it's really not). So
don't just rely on the Security Center's status messages. Periodically check
your antivirus and firewall programs independently.

Some known issues with SP2

I'm not just paranoid. Numerous sources are now reporting that the Windows
Security Center is misrepresenting Norton AntiVirus's status -- even after
the antivirus program is enabled and freshly updated. Symantec is aware of
the problem and says it will release a LiveUpdate shortly that should enable
the program to better communicate with the Windows Security Center. Other
than that, the SANS Institute has set up this forum to report real-world
problems with Windows XP SP2. Luckily, so far, the issues involve slower
boot times and sluggish Internet Explorer performance.

Microsoft has made significant progress towards remedying its past problems,
but the company still falls far short of putting itself on the leading edge
in PC security. Install Windows XP SP2 when you get the opportunity, but
don't expect this one update to solve all your Internet security issues. To
be safe, keep and maintain third-party antivirus and firewall programs.
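An added example, not part of the ZDNet article or of this thread: a PowerShell script that checks the two things the article says you cannot take on faith, whether DEP/NX hardware support is actually present and in force, and whether the Security Center's view of your antivirus and firewall matches an independent check of the firewall service. It assumes a Windows XP SP2-era machine with PowerShell installed; the root\SecurityCenter namespace and the netsh firewall context are XP-specific (later Windows versions use root\SecurityCenter2 and netsh advfirewall).

```powershell
# Added example (not from the original article): verify SP2 protections
# independently of the Security Center tray icon. Assumes local WMI access.

# 1. Data Execution Prevention: is NX hardware present, and which policy applies?
$os = Get-WmiObject -Class Win32_OperatingSystem
$depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (Windows binaries only)'; 3 = 'OptOut' }
"DEP hardware (NX) available : $($os.DataExecutionPrevention_Available)"
"DEP policy                  : $($depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy])"
"DEP for 32-bit applications : $($os.DataExecutionPrevention_32BitApplications)"

# 2. What the Security Center *believes* about antivirus and firewall products.
#    XP SP2 publishes this in the root\SecurityCenter WMI namespace; the query is
#    allowed to fail silently on systems that do not have that namespace.
$ns = 'root\SecurityCenter'
foreach ($av in Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue) {
    "AV       : $($av.displayName) on-access=$($av.onAccessScanningEnabled) up-to-date=$($av.productUptoDate)"
}
foreach ($fw in Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction SilentlyContinue) {
    "Firewall : $($fw.displayName) enabled=$($fw.enabled)"
}

# 3. Cross-check without trusting the Security Center: is the Windows Firewall
#    service (XP service name 'SharedAccess') running, and what does netsh say?
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='SharedAccess'"
"Windows Firewall/ICS service : $($svc.State)"
netsh firewall show state
```

If the Security Center reports a product as enabled but the service check or netsh output disagrees, treat the Security Center status as the unreliable side and investigate the product directly.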

#1 Diego Calleja
21/08/2004 - 14:05
On Sat, 21 Aug 2004 12:09:48 +0200 "Jose V." wrote:

> No more buffer overruns? Read the fine print

Damn, people go way overboard. Microsoft has *NEVER* said "Service Pack 2
completely eliminates the ability to exploit buffer overflows on any
hardware".

What's more, this is a *hardware* problem, not a software one. AMD chips
will be able to prevent buffer overflows from being exploited because they
are the FIRST in the history of the PC to do so. If they had done it earlier,
it would have been done earlier; the "fine print" that has to be read here,
and the ones who deserve the criticism, are Intel and AMD, not the software
companies, for heaven's sake...

> No more Internet worms? Read the fine print
>
> And remember what I said above about the XP firewall? That it's new and
> improved? Well, I need to qualify that statement. Despite the firewall's
> improvements, it's not invincible. A month ago, I asked Fred Felmen, vice
> president of marketing for Zone Labs, what impact Windows XP SP2 might have
> on third-party firewalls such as Zone Labs' ZoneAlarm. He said the Microsoft
> firewall protects only against inbound threats, not outbound threats, such
> as keystroke-logging Trojans that report your passwords and credit card info
> to others. Also, the lack of outbound protection means your infected PC
> could still participate in distributed denial-of-service attacks. In short,
> I recommend keeping your third-party firewall enabled alongside Microsoft's.
> Two firewalls are better than one.

False. When a program opens a listening port, the SP2 firewall by default
shows you a window warning you and asking for your consent. I understand
that SP2 shipping with a pretty good firewall by default must hurt the
firewall vendors' business quite a bit, but making things up...
