
Why SP2 deserved every shred of the scrutiny

Microsoft's Service Pack 2 for Windows XP is a failure in so many ways that criticisms of it and, more importantly, of the Trustworthy Computing Initiative itself, simply can't be dismissed.
Written by David Berlind
COMMENTARY -- Within the technology industry, there are such fervent supporters on both sides of many polarizing issues that you'd think these issues are religious rather than technological. Linux vs. Windows, AMD vs. Intel, PC vs. the Mac, proprietary vs. open source are a few examples. But Microsoft's Service Pack 2 for Windows XP?!

Since its arrival, SP2 has been under the equivalent of an electron microscope. It doesn't seem to matter whether a post-SP2 installation problem (notice that I didn't say "SP2-caused") is a showstopper or a pixel out of place. Every problem, no matter how big or small, is apparently worthy of its own headline. Forums such as the comments on ZDNet's blogs and the TalkBacks on ZDNet's news stories have attracted armchair SP2 critics, many with their own SP2 horror stories, as well as Microsoft supporters who've not only had success with SP2, but who've risen to the company's defense and characterized the negative attention as unfair, overblown, sour-grapes, and even vendettas.

In a posting that castigated me, ZDNet, and users who have voiced dissatisfaction with SP2, one ZDNet reader identifying himself as Peter wrote, "OK, David Berlind and friends, just let it go. Your anti-MS crusade is really getting tired now. You and your type must hate being into computers, as you seem to hate Microsoft so much that you can't go one day without spouting some anti-Microsoft drivel. Your last few anti-MS SP2 FUD articles brought this clearly to the front." Within the various forums however, Peter has some opposition. Self-proclaimed PC neophyte Steve Jamison wrote an opinion piece that blames Windows' insecurities for the costs he has incurred and, to some extent, describes an idiot-proof appliance-like turnkey specification for all PCs to aspire to.

But other, equally sharp-tongued readers got behind Jamison's premise. "This guy represents more users than many of you out there might think," noted George Mitchell in his post. "Most users could care less about the technical side of computing. They mostly use their computer for simple (but essential) stuff and they want their computer to 'just work.' They have great difficulty understanding why their computer is designed to do all kinds of things (and in fact does all kinds of things) that they could care less about and yet, is seemingly incapable of delivering the services they expect it to."

Echoing Mitchell's sentiments, another ZDNet reader asks Microsoft's supporters to "Try to come down off the elitist viewpoint for just a second and look at things from the point of the everyday, non-power user. There are security issues with Windows. SP2 is not going to make that all go away. My clients are starting to ask me about OS X and Linux platforms because, uninitiated as they are, they get the idea that running a Microsoft platform means more work, more vigilance, and bottom line, more risk."

Predictably, none of these "religious debates" is lacking in the economically wordsmithed advice department. "I have three words of advice," is a common quip. "Get a Mac." Proponents of Linux invariably chime in with nearly identical guidance. Instead of "Mac," it's often colored Red Hat, SuSE, Mandrake, or the like. Indeed, these alternatives -- which typically come with more functionality (applications) out of the box than does Windows -- don't get nearly the attention that something as simple as a patch (SP2) seems to be getting. And that's not just from the press, forum participants, and bloggers. The same goes for virus and worm writers. Occasionally, we read about a vulnerability in one of these *ix-based offerings (Apple's OS X has Unix under its hood), but rarely a transgression. At MacWorld earlier this year, I asked representatives in the Sophos exhibit why we needed a Mac-based anti-virus solution. The answer? To keep the Mac from getting involved in the spread of Windows viruses.

While Linux has spent the better part of its existence proving that it's for real, the Mac has had to prove nothing of the sort -- not to consumers, not to IT personnel, and certainly not to Mac enthusiasts. So, why haven't more buyers heeded the three-word advice?

Apple has left the go-for-the-jugular marketing of its very slick and perceived-to-be-impenetrable (and obviously less-targeted-by-hackers) Macintosh to the system's most fanatical and vocal enthusiasts rather than officially mounting a smear campaign aimed at Microsoft's biggest blind spot -- security. The company's advertising doesn't fail to mention security; it simply doesn't make a federal issue out of it the way Mac fanatics do. It's no wonder that, in the name of security, more consumers and corporations haven't expressed more interest in the Mac. In the last five years -- a stretch during which Windows users have borne the brunt of the costliest exploits in the history of computing -- Apple has barely said boo on the issue.

Desktop Linux is a different story. Though Linux is clearly in the game, especially on the server side, it has a way to go before it's a Mac-like workstation alternative for neophytes like Jamison. Nor might it yet be for those who consider themselves proficient at exercises in networking, printer sharing, and systems administration by virtue of their exposure to the way Windows does these things. I run a pair of Red Hat 9 systems and, although they've proven to be ideal at hosting Web and database servers, using either of these boxes to share a printer or hard drive with my Windows and Mac boxes has not been so simple. After spending countless hours with how-to's and in Linux forums studying the usage of technologies, commands, and options such as Samba, chmod, CUPS, Linux's built-in firewall, and Hewlett-Packard's open source printer driver for the HP DeskJet 5550 (which I selected on the basis of its perfect compatibility with Linux), my "Windows users" (wife, kids) still can't press the print button with predictable results. In the name of predictability and fewer "help desk calls," I've gone to Plan B and have connected the printer to a Windows machine.

By now, Linux lovers will be decrying me as a shameful Windows bigot, but I'm not. Though I buckled after countless hours of trying to get it to work, the fact that I had to move so many levers, change security settings, use RPM to update my software, and restart the SMB daemon from the command prompt after each change to its configuration file, demonstrates how wonderful Linux is for those who need or want such fine-grained control. For my Web, database, and e-mail servers, you can take my Linux systems away from me after you've pried them from my dead fingers. But when my neighbor tells me that he's having problems with his home network, I'm not going to hand him the three Red Hat CDs and say, "Here, try this."

Linux has indeed proven itself to be a worthy desktop if all you need to do is browse the Net and run productivity applications like StarOffice. But the minute Linux has to get involved with other systems on a network (now the norm) -- particularly non-Linux systems -- running the open source OS can get dicey for people with better things to do than spend the afternoon reading up on Samba and iptables (the Linux firewall). Google "Samba firewall problem" and you'll see what I mean. Meanwhile, when Windows file sharing is enabled (with a check box) on the Mac, the Mac's personal firewall is automatically reconfigured to support that choice. In the dialog box where Windows File Sharing is enabled, OS X even provides instructions on what text to enter into Windows' Explorer in order to start sharing the Mac's hard drive. Linux (all distributions) will catch up. But right now, it's still mostly for power users.

But don't take my word for it that Linux is primarily for power users. Just go to the TalkBacks on Jamison's article and you'll find a thread that draws attention to the issue that's central to Linux's security and Windows' lack thereof: running Windows as the administrator or as a user with administrative privileges, which in Linux parlance equates to running the system as root or as a user with superuser privileges. The thread begins with a question that asks Jamison "What the heck are you doing? Running as Administrator? Probably." But then another reader fires back: "Many apps written for Microsoft Windows (any version you like) will not run or will run with a severe handicap in any account but administrator." This is a fair observation. When, in the name of security, I locked down two of my family's systems so that they ran exclusively in a non-administrative mode (unless I was sitting at the keyboard), I spent more time as the family help desk technician than I did as a husband and a father. What gave me my time back? I gave everyone administrative privileges. I haven't heard a peep about system problems since.

The same reader who previously fired back gets into the nitty gritty when he writes, "Ask an average everyday Windows user what runas is [editor's note: as in, 'RUN this program AS' another user, typically the administrator] or how to run an application using runas. Ask a Linux user the same question but change runas to su [editor's note: 'su' as in the command 'su root', which opens a root shell on top of the lesser-privileged session; typing 'exit' in that shell drops you back to the original session]."

Try explaining any of this to Jamison the neophyte who just wants things to work. Or try explaining it to Mac users for whom things routinely "just work." Half of them will laugh because they've never heard of anything so arcane; the other half will laugh because they know what the first half don't: the Mac is doing the arcane stuff, only in an incredibly user friendly fashion. If you're logged into a Mac without administrative privileges and attempt to do something that requires administrative privileges, the Mac in many cases simply asks you for the administrative user ID and password. In fact, just to be sure, even if you're already logged in with administrative rights, OS X still asks for the administrative credentials for some tasks. How easy is that? Notwithstanding the way OS X does it, perhaps BJ Brock hits the nail on the head: "Why should anyone have to limit their rights just to protect their PC? 'Run As' alternatives are just another time-consuming work around for an inadequate OS."

So, with Apple more interested in selling iPods than selling Macs, and with desktop Linux still needing some time for someone to do to it what Apple has done to BSD Unix (in coming up with Mac OS X), a huge range of Windows users from consumers to enterprises are pretty much left with Windows. While Windows has made many of us extremely productive, that productivity has not come without significant sacrifices. In September 2003, CERT Coordination Center director Richard Pethia cited research in his Congressional testimony that pegged the cost of Blaster at $525 million and Sobig.F at between $500 million and $1 billion. Under the guise of a program that Bill Gates named the Trustworthy Computing Initiative (henceforth, the "TCI"), Microsoft on January 16, 2002 (shortly after Code Red and Nimda had their field days) began its quest to minimize that sacrifice if not put an end to it altogether. Ten months later, Microsoft was in Silicon Valley talking about how the TCI was making headway. Slammer, Blaster, and Sobig.F still lay ahead.

Now, more than two and a half years after Gates began the quest, and after almost one year of anticipation, the company has delivered SP2 -- a cumulative patch that, considering its plethora of security-related enhancements for Windows XP, is without question the TCI's biggest stake in the ground to date. In fact, inasmuch as Windows has played a starring role in some of the costliest transgressions in computing history, and given its applicability to more than 210 million desktops around the world, SP2 is the most important piece of security software ever to be delivered.

This relative importance has apparently escaped those who have a problem with the microscope through which SP2 is being viewed. Those who believe that Microsoft has been unfairly singled out for condemnation appear to have a problem not with the attention that SP2 is getting but with the standard to which SP2 is being held. What they and -- to a large extent -- the media fail to grasp is that SP2 isn't what's on trial here. It's the TCI and Microsoft itself. SP2 is simply the most visible yardstick we have for gauging the TCI's progress. Should we take it on Microsoft's word (and SP2's spec sheet) that SP2 represents millions of dollars and countless man-hours in security improvements and congratulate Microsoft for setting the standard for success and then meeting it? Or, because Windows XP has been out longer than the TCI has been in place, should end users be in the position of deciding what success is and what the design goals should have been?

In the blogs, ZDNet reader Stefan Fiala hints at what may be the double standard that got us here when he says, "Microsoft has demonstrated, yet again, that for whatever reasons (greed, stupidity), their version of security is disparate from what users expect." But, rather than hold Microsoft to an arbitrary benchmark, why not turn to what Microsoft has set as benchmarks for itself?

According to Microsoft's home page for the Trustworthy Computing Initiative, the company may actually have the benchmarks right. Under two separate headings (security and privacy), the Web page talks about how "users expect their systems to remain resilient, and for system and data confidentiality, integrity, and availability to be maintained" and that "[Users] expect and demand control over access to and use of their personal information." Under the reliability heading, the document notes that "Users look for a consistently trouble-free computing experience."

Looking at these value statements for the TCI, I would argue that Microsoft actually knows what end users expect and has set the appropriate benchmarks for itself. But I would also argue that sometime between Microsoft's recognition of these expectations almost three years ago, and the production of SP2, the company got its priorities confused.

In its own right, SP2 is a terrific step forward and users should, by all means, give it a try. (Given the stories we've heard, however, backing up any critical data before installing it might be a good idea.) Looking at the TCI's goals, SP2 scored some direct hits. In the area of resilience, Microsoft has recompiled many of Windows XP's components to make them more resistant to buffer-overflow attacks. SP2 significantly raises the bar against the inadvertent launching of e-mail attachments (one of the top malware transmission methods) and even keeps track of where those files came from should they get saved to your hard drive (on NTFS drives the file is tagged with the zone it arrived from, so Windows warns again before running it). The pop-up blocker helps to return control of the computing experience to end users, instead of leaving it to Web site operators. In the area of protecting the privacy of Outlook Express users, SP2 also blocks the external images that HTML-based spam loads from the sender's server, an automatic fetch that otherwise tells the spammer that the message was opened in an active inbox.

While this is not a complete list of what makes SP2 worthwhile, SP2 is worthwhile for the majority of Windows XP users. That said, SP2's worthwhileness is sadly overshadowed by enough failures that I have to wonder: If Microsoft can't get certain fundamentals right and meet its own TCI expectations after two and half years, will it ever be able to? If you read between the lines of what the company is saying about Longhorn (the codename for the next version of Windows), Microsoft seems to be answering "Yes, but you may have to wait until 2006 to get it."

One horse that I've beaten nearly to death in my columns and blogs, (and promise to put out of its misery here) is the new Windows Firewall in SP2. With no outbound blocking and some back doors that a hacker could drive a Mack truck through, this "improvement" fails the value statements of the TCI on virtually every level. In fact, I now regret calling it better than no firewall at all. To the extent that the firewall and the Security Center (a central dashboard that's supposed to give us an accurate reflection of our systems' defenses) can be so easily tampered with and users can so easily be misled into a false sense of security, Windows Firewall is worse than nothing.

In its tests that verified the problem, PC Magazine characterized the Security Center tampering vulnerability as not merely "a security hole, but a crater." According to a report by TechWeb's Gregg Keizer, Microsoft denied that Windows Security Center has a vulnerability, saying that an "exploit of the console was the least of a user's worries." If this is indeed the way Microsoft feels about one of the more highly touted features of its poster child for the TCI, what does that say for the TCI and Microsoft? Keizer correctly interpreted Microsoft's response as meaning "hackers have better things to do." They probably had better things to do when they wrote MSBlaster, Sobig.F, Slammer and NetSky. But did they do them?

Microsoft's response went on to say that "In order for an attacker to spoof the Windows Security Center, he or she would have to have local administrator rights on the computer." Malicious code inherits exactly those rights whenever the user who runs it (or whose browser or mail client runs it for him) is logged in with administrative rights. On this point, we've already established two types of users: First, there's a class of Windows users that log in with administrative rights because they don't know any better; second, there's a class of Windows users whose applications break unless they're logged in with administrative rights. According to my sources, Microsoft's own tests revealed that limited user accounts (LUAs) were incompatible with more than 50 percent of the applications tested.

If the "administrative rights" issue keeps surfacing in Microsoft's communications as well as on every thread in every Internet forum that addresses Windows security, then why, after nearly three years, didn't SP2 turn this into a federal issue? For example, if the Security Center were tamper-proof, a "You are logged in with Administrative Rights" panel (replete with a blinking red light) should be displayed (along with explanatory text and links to more information) with the same prominence that the Security Center currently assigns to the status of the antivirus, firewall, and Windows Update subsystems. (See a video of this.)

More to the point that Mac users keep making: How is it that the Mac, which so often intuitively knows that a user-requested operation requires administrative rights and then just asks for them (automatic versions of Linux's "su" and Windows' "runas" commands), has been handling LUAs so gracefully for so long and Microsoft hasn't taken the cue as it so often has from Apple? If the administrative rights issue isn't a priority for the TCI, then I don't know what is.
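As an added example (not code from this column, and not anything Microsoft ships), here is what the two preceding paragraphs ask for, in script form: a check of whether the current logon carries administrative rights (the panel I'd want Security Center to show), a read-out of what Security Center's own WMI store and the SP2 firewall report, and a crude stand-in for the Mac's ask-only-when-needed behavior built on runas. It assumes Windows PowerShell 2.0 has been installed on the XP SP2 machine (PowerShell was not part of SP2) and that the root\SecurityCenter WMI namespace that SP2 introduced is present; the function names are mine.

```powershell
# Added example; not from the column or from Microsoft.
# Assumes Windows PowerShell 2.0 on XP SP2 and the root\SecurityCenter
# WMI namespace that SP2 introduced. Run it from any user account.

function Test-AdminLogon {
    # True when the current logon token is a member of the local
    # Administrators group. XP has no UAC-style split token, so this one
    # fact decides whether every program the user launches, including
    # whatever a browser drops on disk, runs with administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SecurityCenterReport {
    # SP2's Security Center learns about third-party antivirus and
    # firewall products from these WMI classes. Anything running with
    # admin rights can write here as well, which is why a panel built on
    # this data is only as trustworthy as the account that can write it.
    $ns = 'root\SecurityCenter'
    $av = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    $fw = @(Get-WmiObject -Namespace $ns -Class FirewallProduct  -ErrorAction SilentlyContinue)

    # The built-in Windows Firewall is not registered as a FirewallProduct;
    # ask it directly through the "netsh firewall" context SP2 added.
    $opmode = & netsh firewall show opmode 2>$null

    New-Object PSObject -Property @{
        AdminLogon         = Test-AdminLogon
        AntiVirus          = @($av | ForEach-Object { "$($_.displayName) onAccess=$($_.onAccessScanningEnabled) upToDate=$($_.productUptoDate)" })
        ThirdPartyFirewall = @($fw | ForEach-Object { "$($_.displayName) enabled=$($_.enabled)" })
        WindowsFirewall    = @($opmode | Where-Object { $_ -match 'Operational mode' })
    }
}

function Show-SecurityCenterReport {
    $report = Get-SecurityCenterReport
    if ($report.AdminLogon) {
        # The "blinking red light" panel, in console form.
        Write-Warning 'You are logged in with administrative rights. Anything you run, or that runs without asking you, can change every setting reported below.'
    }
    $report | Format-List AdminLogon, AntiVirus, ThirdPartyFirewall, WindowsFirewall
}

function Invoke-AsAdministrator {
    # A crude stand-in for the Mac's "ask for admin credentials only when
    # needed" behavior: run the command directly if this logon already has
    # the rights, otherwise hand it to runas.exe, which prompts on the
    # console for the Administrator password.
    param([Parameter(Mandatory = $true)][string]$CommandLine)
    if (Test-AdminLogon) {
        & cmd.exe /c $CommandLine
    } else {
        & runas.exe /user:Administrator $CommandLine
    }
}

Show-SecurityCenterReport
# To open the firewall control panel with the rights it needs:
# Invoke-AsAdministrator 'control.exe firewall.cpl'
```

The point of the warning is the one the column makes: on XP the admin check is the only one that matters, because once it is true the antivirus and firewall lines below it can be rewritten by the same code that is supposed to be stopped by them.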

Left largely unaddressed, the habit of running Windows with administrative rights paves the way for other exploits that allow the surreptitious saving and automatic execution of software on users' systems. Knowing that this insidious behavior is one of the transgressions driving Windows users insane, I can't help but wonder if there's some way Microsoft can keep a lid on this behavior.

An SP2-permitted drag-and-drop exploit in Internet Explorer prompted some interesting feedback. In one comment section in ZDNet's blogs, a reader ("James") notes that "The point of SP2 is supposed to be to make 'secure' the default where 'insecure' was the default before. Having drag-and-drop file manipulation turned on, with no warning, is 'insecure.' At the bare minimum, SP2 should disable drag-and-drop to local file system by default, and if you try to, you should get an 'Are you sure?' prompt with the option of Yes/Always/No/Never. It's not hard, and they do it other places. There's no excuse for leaving it out." James doesn't know it, but he's describing how the Macintosh handles potentially sensitive operations -- with the exception that, if you really want to do it, the Mac asks for an administrator's credentials. More importantly, James' comments are a fantastic statement of the obvious that raises interesting questions about what the TCI's To-Do list looks like and why something so reasonable gets overlooked.

One answer to questions about TCI To-Do lists and priorities might be that the feature list in SP2 had to be cut off somewhere if Microsoft was ever to get the update out the door. But that doesn't deal with a prioritization problem. For example, hardware-enforced buffer-overflow protection -- the sort of protection that was involved in another minor SP2 incompatibility -- made the SP2 cut. Microsoft calls this "Data Execution Prevention" (DEP). It's very forward-looking of Microsoft to include this wonderful feature in SP2. Buffer overflows are a favorite tactic of hackers, and hardware-enforced DEP, which uses the processor's no-execute bit to stop code from running out of data pages such as the stack and heap, will significantly raise the barrier to such exploits. Microsoft deserves kudos for putting it on the TCI To-Do list.

But, if the inclusion of hardware-enforced DEP in SP2 came at the expense (as we can easily argue it did) of a better firewall, a tamper-proof Security Center, more gracefully handled LUAs, and a bunch of other features that would have impacted 100 percent of Windows XP users, then it's another indicator of a TCI gone awry. As much as I love the idea of DEP, Microsoft could have pushed it back. Hardware-enforced DEP is a feature available only to users of AMD64-based PCs (it will be available on the newest and most expensive Intel systems by 2005 Q1). Of the more than 210 million systems running Windows XP, those users only account for about one or two percent. I'm not sure what the TCI priority whiteboard or spreadsheet looks like, but one column should identify the percentage of Windows users that each proposed feature could impact.

Finally, there's Microsoft's position on anti-virus, anti-spyware, full-featured personal firewalls and the like. It is not Microsoft's fault that people are doing things to our systems that we don't want them to do. Worms, viruses, adware, spyware, pop-ups, and so forth are the fault of the people that manufacture and execute them. For roughly $100, Microsoft has provided us with a product that delivers a tremendous amount of utility but at the same time has become an attraction to a rather nefarious group of people. The question often asked is this: How far must Microsoft go to protect us from ourselves and from others?

In announcing the TCI, Microsoft was basically saying, "we're going to make security our problem, not yours." So, in addition to questions about the TCI's progress and whether products like SP2 meet the Initiative's expectations, there is also the question of how far the TCI must go now that Microsoft has made security its priority. Windows security, or lack of it, has given birth to several cottage industries. Antivirus is one, firewalls another, anti-spyware a third. Some argue that if Microsoft were to take matters into its own hands by rolling any of these and other functionalities into Windows, the company would once again be playing the role of predatory monopolist. Hogwash! There's a difference between creating or maintaining a monopoly and doing whatever it takes to protect our systems. Microsoft already has wiped out all the pop-up blocking products with one decision, and you don't see anyone complaining. I've been one of the squeakiest wheels on the antitrust front when it comes to Microsoft. But if Microsoft wants to include in a $100 product all the goodies we need to keep our systems secure from evil-doers, I say more power to it. In fact, it shouldn't waste any time doing it.

This is what SP2 is about and why the scrutiny that's been applied to it has been so well deserved. SP2 is about the TCI and whether, after two and a half years, Microsoft could have made more progress in the right places than it has. Although you should install it, SP2 fails in too many ways to dismiss the criticisms of it and, more importantly, of the TCI. If that's not a reason to take a serious look at Microsoft as your strategic supplier of desktop operating systems, I don't know what is. Unfortunately, right now, there aren't a lot of reasonable alternatives.

You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check my blog Between the Lines or my archives.
