Patch Problems May Force Users to SP2By Steven Vaughan-Nichols | Posted 2004-09-10 Email Print
WEBINAR: On-demand webcast
Take Advantage of Cloud Backup to Kick-Start Your Disaster Recovery REGISTER >
If you want to keep your XP systems safe you may have to update to SP2 sooner than later no matter how long Microsoft offically gives you.
Well, it's official. Microsoft isn't going to force you into upgrading your customers' XP systems to SP2 anytime soon. But, like it or lump it, maybe you had better start working on it sooner than later anyway.
Microsoft is giving everyone until April 12, 2005, before they start pushing SP2 to all Windows XP and Windows XP Service Pack 1 customers automatically via Windows Update and Automatic Update. If you do much work with Windows XP clients, you already know the reason why: incompatibilities.
Joe User at home playing Doom 3 may wonder what all the fuss is about, but many, way too many, XP business applications break under SP2. In particular, programs that rely on Internet Explorer pop-ups and ActiveX are having a lot of trouble.
So what's the problem? We've got six months to work these problems out, right?
Do we? SP2 may have stuffed some security holes, but it also opened up a host of others. Some of those holes also hit SP1 systems.
For example, there's an SP2 hole, still unpatched, that utilizes Internet Explorer's drag-and-drop feature and the Windows "shell folders" to invisibly copy a malware program from a malicious Web site to a user's startup folder. Once there, the programa key logger, a spambot, whateverwill execute whenever the user logs on.
Worse still, according to Secunia Research, this "vulnerability is actively being exploited in the wild." Oh boy.
Of course, eventually there will be a patch. But, there's the rub. A patch for what? Just SP2? SP1 and SP2? I don't know and, after more than a day, Microsoft hasn't been able to give me an answer yet either.
You see where this is leading, right? We can be sure that there will eventually be a patch for this problem, and the other problems that are sure to show up, with SP2, but I'm not at all sure we can count on Microsoft delivering any more patches for SP1.
It takes a lot of time and money to test out a patch. Will Microsoft go to that much effort? Since, as a Microsoft spokesperson told me Thursday, "SP2 delivers the latest security updates and innovations from Microsoft, establishes strong default security settings, and adds new proactive protection features that will help better safeguard computers from hackers, viruses and other security risks," I doubt it.
Even if they do patch both versions of XP, that's going to double the boys in Redmond's workload. That, in turn, means security patches will come out even slower. Great, just great.
Microsoft is also encouraging people to "enable Automatic Updates after installing SP2, which helps make security easier by automatically downloading and installing all available security updates." That may be the best idea for Joe User at home, but it's a foolhardy philosophy for a business since patches, as SP2 has shown, can break mission-critical applications.
Hmmm doesn't sound good to me.
So what can we do about it?
Well, for starters, we need to keep our third-party security guard up as high as ever. Firewalls, anti-virus programs, backups, restrictions on network connectivity, the whole nine yards of business security are just as necessary as they've ever been.
Next, if your customers are sticking with XP, you need to get on your software vendors and get SP2-compatible program updates as soon as possible. If, as is often the case, these are homebrewed or out-of-date, not well-supported programs, well you'd better get some programmers cracking on fixing them by say yesterday.
You see, if your customers are sticking with XP SP1, and not moving to SP2, a Linux desktop or the new Macs, you really don't have until April 12th of next year. You only have until a major security breach rips your clients' XP SP1 systems apart.
eWEEK.com Senior Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late '80s and thinks he may just have learned something about them along the way.