Wayne Rash: Where Windows XP SP2 Falls Short

Windows XP Service Pack 2 is good, but it's not perfect. Columnist Wayne Rash describes the software's five best features, including the Security Center and built-in firewall, and where they

November 16, 2004


By now you've been hearing a steady stream of advice telling you to upgrade your copy of Windows XP to Service Pack 2. You've read about the risks and benefits.

The big reason for moving to SP2 is to avoid the security pitfalls lurking in naked XP or even XP patched with Service Pack 1. But not all security improvements are equally important. Here's a rundown of five important things you should care about in the security offerings for SP2—and where even the best of them fall short:

1. The Security Center really works, but it doesn't do as much as it should.

The first thing you see when you install SP2 is the Windows Security Center. This product tells you whether you have a firewall installed, whether anti-virus software is running, and whether you have automatic updating enabled. Security Center will tell you more about what each of these features does, and why you should want it running. Unfortunately, Security Center doesn't help you turn anything on or off. Fortunately, it does monitor the status of these items and alerts you when something changes, such as when your anti-virus or personal firewall is turned off. Because some worms are getting the ability to defeat anti-virus software and personal firewalls, this could be a useful feature.

The Security Center works with Microsoft's own, built-in Windows firewall and third-party products. I've found it recognizes ZoneAlarm from Zone Labs and Norton AntiVirus, although you may need to upgrade those products before the Security Center will recognize them. If you have an anti-virus product that you like but that the Security Center doesn't fully support, you can tell Security Center that you'll monitor the product on your own.

2. SP2 includes its own built-in firewall for Windows. It's better than nothing.

On installation, SP2 checks to see if you have a third-party personal firewall installed. If you do, the Windows firewall is not installed by default. Instead, Windows lets the third-party firewall do the work.

If you haven't installed SP2 yet and don't have a personal firewall, you're crazy. These products are your top defense against worms and Trojans, and they're mostly free. Install a personal firewall before you do anything else. In my opinion, ZoneAlarm is the best of the bunch, and it's free for individuals to download.

If you choose to install SP2 and you're not already running a personal firewall, SP2 will install the Windows Firewall. This software works well enough to close off potentially risky access to your computer, and is effective at keeping the barbarians on the Internet at bay.

But it does nothing about infections already on your computer, or that manage to get through and install themselves despite your best efforts. For example, if you get a worm as an attachment to an e-mail and your anti-virus doesn't pick it up, you could find your computer becoming a base for flooding the Internet, and your local network, with worm traffic. Third-party firewalls that I've used also block outgoing traffic that you don't approve, including outgoing traffic in which a worm takes over another application to send mail or otherwise access the Internet.

Blocking outgoing traffic doesn't do anything to cure your infection, but at least you won't infect everyone else. Other firewalls have that capability, but the built-in SP2 firewall lacks it.

In an enterprise environment, the Windows Firewall makes your computer a good network citizen. The firewall works with group policies. You can control this behavior through the management console that appears in the Control Panel. You can also customize other aspects of the firewall's operation, such as exceptions for technologies like instant messaging.

3. IE really is safer than it used to be, but you should still use Mozilla where you can.

Microsoft has made some much-needed changes to Internet Explorer. For example, it's now harder, perhaps impossible, to mask dialog boxes and the address bar, which will make phishing scams harder to pull off. In addition, ActiveX controls are changed so that it's now impossible to force the downloading of code.

There's also an attachment manager, so you can see what's been downloaded using the browser. Other security features: an authentication dialog that can't be masked over, a configurable pop-up blocker that's turned on by default and an add-on manager so you can see what plug-ins have been installed. These features are controlled through the "Tools" menu in IE.

Unfortunately, new exploits for IE continue to appear, so despite all of the improvements, not everything is perfect. While there are a few sites on the Internet that require IE to work properly, you're going to be better off if you also download and install an alternate browser such as Mozilla, Firefox or Opera. Mozilla and Firefox are both free. Mozilla is the open source version of Netscape, so it's probably something you're familiar with already. You can try Opera out for free, but it costs $39.00 to buy it. [Opera is adware, too, isn't it?]

4. Outlook Express is less vulnerable than it was.

Microsoft has added a new set of APIs for Outlook Express that block the automatic execution of attachments. This means that if someone sends you an e-mail with an executable attachment you have to explicitly run it. While this prevents worms from running when they get themselves into your e-mail by one means or another, it still doesn't replace training. Users need to know that they should never run any attachment unless they expected to receive it.

Unfortunately, SP2 does not prevent a vulnerability related to image files, such as JPEGs. This vulnerability mainly affects Microsoft Office and a number of third-party applications, but the program that detects it is available through Windows Update. To fix this vulnerability you'll need to install further updates to Windows and to Microsoft Office. You'll still need to do multiple rounds of updates, and you may need your Office CD to install the updates, so you might as well dig it out of the file cabinet before you start.

5. The "No Execute" bit will solve some problems, if only you could actually use it.

One of these days Intel and AMD are supposed to start including support for this feature, which prevents execution of an executable file except under specific circumstances. Basically, before it executes code the processor is supposed to check to make sure it's authorized. If the code has been overwritten by malicious software, the processor won't run it.

Unfortunately, this feature exists only in Windows. The chip makers haven't implemented it, and no one at Microsoft could say when it would be implemented. Look for it when you buy your next computer.

There are, of course, many other security improvements in SP2, but most of the rest are where you can't see them.

And some of the improvements, such as the default pop-up blocker, may block applications you use. If you're planning on installing SP2 on a number of computers, you should test it first.

Fortunately, some of the changes can be managed. You can adjust the operation of the pop-up blocker, for example, or even turn it off. Others can't be handled so easily, and that may require you to update or even change the applications you use. Then, you need to decide whether the added security is worth the inconvenience.

Wayne Rash is a writer based near Washington, DC. He was one of the first to create secure networks for the military and for other government organizations, and he has written about security for over twenty years. You can reach him at [email protected]. Contact the editor of Security Pipeline at [email protected].
