Consultants Caution Against 'Gotchas' in XP SP2
By Jacqueline Emigh | Posted 2004-07-14
While consultants and resellers look forward to key fixes in the service pack, some say customers should hold off on full-scale deployment due to anticipated compatibility problems.
With Windows XP SP2 (Service Pack 2) finally just around the corner, many security and Windows consultants firmly believe that Microsoft is about to plug some of the largest known holes in Windows XP.
At the same time, though, the specialists worry that the forthcoming upgrade might break some existing Microsoft applications, clash with third-party security tools or bog down desktops. Some warn customers to hold off on full-scale SP2 deployment, or even to stick with older versions of Windows.
"There's been a lot of discussion from Microsoft that SP2 will fix some of the critical issues in XP. Yet I think that many customers will find no immediate need to implement SP2 on all their systems," said Eric Lutz, CISSP (Certified Information Systems Security Professional) and director of professional services at Anitian Enterprise Security, a network architecture and security consulting firm in Beaverton, Ore.
"But on the other hand, I've also heard that SP2 has some 'gotchas', that if you install it, your applications might break," he added.
Now set for release in August, the software update will integrate patches and bug fixes issued since the earlier SP1, plus some new features in the areas of networking, memory protection, and e-mail and browsing security.
Just this week, for example, Microsoft issued seven more security bulletins, two of them dubbed "critical," for Windows and related MS products. One of the critical bulletins, MS04-023, addresses vulnerabilities in Windows HTML Help that reportedly allow for remote code execution. Patches are now available from Microsoft for Windows XP, as well as for Windows NT4, Windows 2000 and Windows 2003.
Meanwhile, Microsoft has been cautioning that XP's forthcoming SP2 might indeed break existing applications, due to all of the software modifications made. Technology pros are being urged by the vendor to test the service pack.
During a series of interviews this week, one security consultant argued that, given XP's existing vulnerabilities, customers really have little choice but to install Microsoft's patches and the other new security features, regardless of any risks involved.
"Microsoft certainly needs to do something about its IE browser. IE is too willing to run any code it comes across, and it's been a major source of problems with spyware and viruses. IE is not very secure in any way," said the Minneapolis-based CISSP, who asked not to be identified. The specialist was willing to say, though, that he works within the security practice of a large consulting firm.
"Sometimes, Microsoft's patches will have unexpected consequences. They can turn things sluggish, for instance," he said. "But you have to counterbalance this with security concerns. There can be a lot of different software involved on XP desktops. Unless you have time to learn about all the intricacies, you have to 'trust your doctor', and the 'doctor' here is Microsoft."
Possible reasons to wait before patching.
Other consultants, though, maintained that companies should wait on full-scale implementations of SP2.
"I actually have a lot of compassion for Microsoft. Everybody gets on Microsoft's case. But what Microsoft is trying to do [with XP and SP2] is exceedingly complex," said Charles Cresson Wood, CISA (Certified Information Systems Auditor), CISSP, an independent security consultant and widely published author in Sausalito, Calif.
"Yet customers will need to test SP2 [in their own environments]. Microsoft, of course, has been testing SP2 as well. But there's a virtually infinite number of combinations of applications, and there's no way Microsoft will be able to test everything," Wood said.
"In general, one of the best things you can do with your investment dollars is to stay on top of software upgrades. Even famous firms, with great reputations, can do a bad job of patch management. On the other hand, you don't want to [deploy software] that's going to break things, either," according to Wood, who's done security work for more than 125 organizations, including Fortune 500 corporations, banks and high-tech startups.
But as Anitian's Lutz sees it, decisions over whether to test SP2 should revolve around the needs of individual organizations. "If I were a medium-sized to large enterprise with an XP installation, I'd probably start out by running SP2 on one machine. If I were a small shop, though, I'd probably hold off from testing for a while, and listen instead to what others are saying about how [SP2] is going."
Wilson, a self-employed consultant, is enthusiastic enough over the possible improvements that he plans to implement SP2 despite any potential drawbacks. "One computer, which is used by my kids, has been the most vulnerable. It hasn't gotten any viruses, really, but it's picked up a lot of spyware," he said.
Beyond the prospect that SP2 might break applications or slow down system performance, channel members also expressed concerns over other possible adverse impacts.
For instance, SP2 will purportedly enable XP to offer more information to users when an outside application is attempting to interact with PC software. "But I just hope Microsoft doesn't make XP too intrusive, either," Wilson said. Wilson previously used ZoneLabs' ZoneAlarm personal firewall on his XP systems, but then uninstalled it when he found that the product got in his way.
Wilson now attaches his PCs to a router, which he said "protects us pretty well from outside systems." He also switches back and forth in ad hoc fashion between Microsoft's IE browser and Netscape's Mozilla.
"XP actually comes with its own IPS [intrusion prevention system]," Lutz observed. The security consultant also noted that, with SP2, XP's built-in personal firewall will now be turned on by default.
"But as Microsoft continues to expand the functionality of Windows, we are concerned about integration with customers' existing third-party security products, such as personal firewalls and antivirus software. There now are some third-party IPS that work better with XP than others. Windows used to be all about software integration, but it really isn't anymore."
Gary Cannon, president of Advanced Internet Security Inc., said he is finding that his customers are "looking beyond Windows for their security. All this news about SP2, IE and patches is having an effect on our business, but they're not so much interested in specific Windows patches as they're interested in better perimeter defenses. What we're seeing now is interest in protecting their business from the outside."
Specifically, Cannon said he's seen that "sales and proposals for intrusion detection and gateway filtering have been increasing dramatically over the past six months. Customers are feeling that they can't rely on Microsoft to solve all their security problems in a timely fashion, so they're looking to protect themselves."
On the whole, the consultants think XP still gets much stronger competition from older editions of Windows than from non-MS operating systems such as Linux.
"About 70 percent of our customers use Windows XP to some extent. That isn't the same thing as saying, though, that 70 percent of our customers' desktops are running XP. We even have some customers who are still operating Windows NT 4 [on the desktop], because they've been able to make NT stable and efficient," Lutz said.
"System availability is a very important issue to our customers. If Microsoft can provide XP with better stability and performance, this will be a much more compelling reason to upgrade from Windows 2000 or NT than integration with Office 2003, wonderful skins, rounded corners or any other theoretical whizzbangs."