In response to my recommendation to cancel all non-AMD system buys, many people have been asking what changed recently that caused me to reach this conclusion.
As the release of SP2 drew closer, and I interviewed several Microsoft officials about the update, the interviewees spoke of a buffer-overflow countermeasure in SP2 as though it were one of SP2's most important security features.
When I started to explore the countermeasure in detail earlier this month, one of the first of Microsoft's Web pages describing SP2 that I happened to find said, "Microsoft is working with microprocessor companies to help Windows support hardware-enforced data execution prevention (DEP) on microprocessors that contain the feature. Data execution prevention uses the CPU to mark all memory locations in an application as non-executable, unless the location explicitly contains executable code. This way, when an attacking worm or virus inserts program code into a portion of memory marked for data only, an application or Windows component will not run it."
The page lacked the additional information that Windows XP users needed to determine whether or not their systems supported DEP. Noting the omission, I assumed that both Intel and AMD were already supporting the feature and that, to finish off my coverage of SP2, I only needed to figure out what the manufacturing cut-off dates were in terms of systems that didn't support DEP versus those that did. But a search of the Web turned up a recent story in The Register that alerted me to the fact that support for DEP wasn't yet available in Intel's Nocona Xeon processors. Within a few hours, I learned that AMD has been shipping processors with DEP support for over a year, while Intel -- except for Itanium -- wouldn't be shipping its DEP-supporting "XD" processors until Q4 2004. "XD" is Intel parlance for DEP and stands for "execute disable".
None of this, however, is really last week's news. Had I learned of the disparity earlier, or spotted a story by News.com's John Spooner in February 2004 about SP2's support for hardware-enforced buffer-overflow protection, I would most certainly have issued my recommendation back then. In other words, AMD's competitive advantage on the security front didn't start last week. Technically, it started when buyers first had the opportunity to buy DEP-capable systems in 2003. But it wasn't until February that users of XP should have learned of the significance of the feature (SP2's forthcoming support of it).
Bottom line? If you purchased a computer since February that doesn't support DEP (for example, any non-Itanium Intel-based PC), you've purchased a computer that is unable to take advantage of this important security feature. From a security perspective, it could be argued that you purchased an obsolete system.
So, who is to blame? Certainly not Intel. Yes, Intel has been caught with its pants down for the second time this year. (The first time was its acknowledgement of AMD's 32/64 hybrid plan in the form of a copycat product known as Nocona). But, since February, many of us have been happily buying Intel-based PCs not knowing that we'd be in for a surprise come August when SP2 finally shipped. We could have purchased Athlon 64, Sempron, or Opteron-based systems (collectively known as AMD64-based systems) with their Enhanced Virus Protection (EVP) technology (AMD's pet name for the same thing Microsoft calls "DEP" and that Intel calls "XD"). But according to Mercury Research, only 15 percent of system purchases contain AMD processors. Of those who did purchase AMD systems, I doubt any based their decision on the presence of EVP.