Microsoft has hit the news once again by invoking its next major update to Windows XP — called Service Pack 2 (SP2) — in response to the significant security risks that have emerged over the past couple of weeks. This time, the company has gone beyond its vague time frame for releasing SP2 “later this summer.” Microsoft product manager Tony Goodhew told attendees of the TechEd 2004 conference in Amsterdam that SP2 will ship within the next two months — guaranteed.
Microsoft is also conveying the idea that SP2, as well as a series of security updates to its increasingly vulnerable Internet Explorer browser, will help protect users against vulnerabilities that security experts have described as easy for attackers to exploit.
“Later this summer, Microsoft will release Windows XP Service Pack 2, which includes the most up to date network, Web browsing and e-mail features designed to help protect against malicious attacks, and reduce unwanted content and downloads,” Microsoft said in an e-mail response to TechNewsWorld.
“A comprehensive update for all supported versions of Internet Explorer will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer.”
Making Them Wait
Considered by many to be as close to an operating system upgrade as an “update” can come, SP2 is highly anticipated by security-savvy users. The Windows XP upgrade is actually the basis for many new features that will take advantage of the latest developments in processors, other hardware and applications.
“[SP2] is important for the industry,” Meta Group vice president Steve Kleynhans told TechNewsWorld. “A lot of people are looking for the capabilities in SP2, particularly the security enhancements.”
Microsoft signaled it was getting closer to a final release of SP2 earlier this month with a second beta version of the update software. However, testing for compatibility to avoid breaking other applications or utilities is described by analysts as a fairly monumental task both for Microsoft and its customers.
Showing Some SP2
In response to recent attacks involving Microsoft Web servers and Internet Explorer, Microsoft previewed some of the security enhancements that will be a part of SP2.
The company said an overall improvement to the security infrastructure of Windows XP consists of architectural changes in Explorer to reduce vulnerability to browser-based attacks. The Local Machine Zone, for example, has been the frequent target of attacks and now has a high default level of security placed on it, Microsoft said.
The company also said new Internet Explorer security settings in SP2 will be group-policy-enabled to give system administrators complete control. In addition, there will be a new add-on manager that will help users view and control difficult-to-detect IE add-ons, such as spyware or adware.
Microsoft referred additionally to a new pop-up blocker and download-monitoring technology designed to help reduce unwanted or potentially malicious content and downloads.
More Protection for the Masses
Kleynhans said that because it tightens up the operating system so much, SP2 is bound to impact other applications. He added, however, that not all machines will be taking advantage of SP2 security measures, such as the no-execute hardware feature, which relies on virus-fighting technology at the processor level.
Still, Kleynhans said that the Internet at large might be in a safer position with SP2.
“It’s probably not a significant impact immediately, especially for corporate users, but it certainly should spread a higher level of security through the consumer and small business markets,” Kleynhans said.
“I think this will help in the mass environment as opposed to the corporate environment. It’ll slow the rate at which any future attack might be able to hit the market as a whole.”
Enough Talk
Kleynhans also said that the wait for SP2 — and the related hype — has forced Microsoft to focus on the security update and has delayed work on other efforts, including the Server 2003 service pack and the next-generation Windows operating system. Kleynhans said that the release of SP2 will help Microsoft get to its other products and deploy them.
Gartner research vice president Richard Stiennon, who criticized Microsoft earlier in the week for talking about SP2 since last winter without announcing a specific release date, agreed that while corporate users might not be made more secure by SP2, consumers need it.
“On the consumer side, it would help to block more things by default,” Stiennon told TechNewsWorld, referring to firewall and update enablement in SP2.