Windows XP SP2 more secure? Not so fast

While XP SP2 is a huge step forward for Microsoft, there are important caveats. For example, don't expect the new Windows Firewall to prevent keystroke-logging Trojans from stealing your credit card info.

Robert Vamosi
While XP SP2 is a huge step forward for Microsoft, there are important caveats. For example, don't expect the new Windows Firewall to prevent keystroke-logging Trojans from stealing your credit card info.

It's late. It's large. But Microsoft's much heralded Windows XP Service Pack 2 has finally arrived. Right now, manufacturers and large-systems operators are getting their first look at the final version of SP2. By the end of the month, automatic desktop downloads will be available via Windows Update, then on free CDs. At first glance, the release suggests that Microsoft has finally gotten serious about upgrading Windows' security. But before you get too excited, please take a moment with me to slice through some of the hype and hoopla coming out of Redmond, Washington. Toward eliminating Internet threats, there's still a lot of work yet to be done -- both by Microsoft and by you and me.

Windows XP SP2's biggest news is the new Windows Security Center -- and it's about time. Now, from one location within Windows, complete with system-tray alert notifications, you can monitor whether your antivirus and firewall protection are enabled and whether Windows is up-to-date with the latest patches. Windows XP SP2 also improves its built-in firewall (now called Windows Firewall) and turns it on by default, blocks pop-ups and malicious code within Internet Explorer, and turns off HTML images (such as spam pornography) within Outlook Express.

Some XP SP2 changes are harder to see. Microsoft used this release to harden its operating system; in other words, Microsoft recompiled all its Windows system binaries to include a new flag, GS, which will mitigate buffer overflows, a common method used by criminal hackers (crackers) to overwrite legitimate code with malicious code on your PC. A buffer overflow is the method the Sasser worm used to infect PCs. Windows XP SP2 also makes important changes to core Windows components, such as DCOM and RPC. (Flaws within the DCOM RPC led to the damaging MSBlast attack last year.) And SP2 will also bring every Windows XP system up-to-date, whether or not you've ever performed a Windows update postinstall. Once you've installed SP2, you'll have SP1's updates plus all the security patches released up through MS04-025.

Are we all clear now, then? No need to worry about malicious attacks that take advantage of Windows weaknesses? Not so fast. To fully block the aforementioned buffer overflow and the Internet worms that feed on them you'll need to follow fine print: turns out the necessary No Execute setting isn't present in the current hardware architecture of most 64-bit and 32-bit processors on the market today. This data execution protection, or DEP, is currently available only on newer AMD and a handful of Intel's Itanium server chips. In other words, the new Windows DEP changes won't help you unless you're running XP SP2 on a machine with AMD or Intel Itanium processors. My colleague, David Berlind, has suggested that large companies looking to upgrade their hardware fleet should wait until after the first of the year, after Intel has released its chips.

For you and me, it's going to take even longer before this final layer of Microsoft data protection trickles down. Not everyone will upgrade their PCs based on the fact that these new chips won't execute malicious code, and unless you're particularly anxious about buffer overrun, the new security probably isn't a compelling enough reason to hold off purchasing a new desktop PC. In fact, you and I are likely to see good prices on the old chipsets as soon as the new Data Execution Prevention chips hit the market early next year.

And, of course, pre-XP Windows operating systems still have a sizable share of the PC market and have numerous vulnerabilities that SP2 won't fix -- all targets for virus writers and script kiddies. It's going to take years for all the new hardware and software changes introduced to Windows XP to trickle down to the masses worldwide. In the meantime, I expect to see about the same level of virus-writing activity, if not more, as virus writers attempt to snag XP customers before they upgrade.

And remember what I said above about the XP firewall? That it's new and improved? Well, I need to qualify that statement. Despite the firewall's improvements, it's not invincible. A month ago, I asked Fred Felmen, vice president of marketing for Zone Labs, what impact Windows XP SP2 might have on third-party firewalls such as his Zone Labs ZoneAlarm. He said the Microsoft firewall protects only against inbound threats, not outbound threats, such as keystroke-logging Trojans that report your passwords and credit card info to others. Also, the lack of outbound protection means your infected PC could still participate in distributed denial-of-service attacks. In short, I recommend keeping your third-party firewall enabled alongside Microsoft's. Two firewalls are better than one.

Finally, since we're talking about Microsoft software here, it's entirely possible that virus writers will soon write code that turns off the Windows Security Center or at least leads it to falsify its status reports (saying, for instance, that a security measure is enabled when it's really not). So don't just rely on the Security Center's status messages. Periodically check your antivirus and firewall apps independently of the center.

I'm not just paranoid. Numerous sources are now reporting that the Windows Security Center is misrepresenting Norton AntiVirus's status -- even after the antivirus app is enabled and freshly updated. Symantec is aware of the problem and says it will release a LiveUpdate shortly that should enable the app to better communicate with the Windows Security Center. Other than that, the SANS Institute has set up this forum to report real-world problems with Windows XP SP2. Luckily, so far, the issues involve slower boot times and sluggish Internet Explorer performance.

Bottom line: Microsoft made significant progress toward remedying its past problems, but it still falls far short of putting Microsoft on the leading edge in PC security. Install Windows XP SP2 when you get the opportunity but don't expect this one update to solve all your Internet security issues. To be safe, keep and maintain third-party antivirus and firewall apps.

Do you plan to install Windows XP SP2 right away, or are you going to wait until the dust settles? TalkBack to me below!