Windows XP SP2 No Security Silver Bullet

Although Microsoft's pumped considerable resources into the upcoming Windows XP Service Pack 2 (SP2), even that security-conscious update won't block every exploit or prevent future vulnerabilities, a company executive acknowledged.

"There is no silver bullet," said Will Poole, the senior vice president of the Windows Client group. "We think that the work we're doing [with SP2] will be a tremendous advance, and we're going to encourage all of our customers to update their software as quickly as possible. But again, it's a step on the journey."

Poole characterized security as "at the forefront of our efforts" for years, but that for his division, it came to a head in 2004 as attacks mounted on desktops armed with Windows. Poole spoke Thursday at Microsoft's annual analyst meeting.

Security problems are ongoing, Poole said, in part because of a new aggressiveness among hackers, who are using multiple methods to infect systems, ranging from manipulating vulnerabilities to infiltrating Web servers.

"We've been doing everything we can do to update our software, to fix vulnerabilities when we find them, for us to look at them and take care of the highest-priority ones, get them out to our enterprise customers, put them on Windows Update for our consumer and small-business customers," said Poole.But that wasn't working.

"We realized, particularly when MSBlast hit about a year ago, that that just wasn't enough. The continual effort to improve the quality of the software is just not going to keep us ahead of the bad guys that are attacking our customers."

In fact, attackers have been using patches that Microsoft deploys as blueprints to come up with new hacks. Last summer's MSBlast was a good example, as was this year's Sasser; both were created once attackers had a chance to review fixes posted by Microsoft.

"We saw people actually using our fixes as the way to determine what they should do next to attack [those] who had not updated," admitted Poole.

That's why Windows XP SP2 is so important, Poole said: rather than wait for problems to pop up, SP2 puts Windows into a more proactive stance than earlier editions.He outlined SP2's four major areas of security enhancement, including a smarter (and by default, enabled) firewall to protect networks, more control over what file types are automatically quarantined (and an extension of the already-in-place controls in Outlook to Outlook Express, the entry-level client included with Windows), a pop-up blocker and easier blocking of unknown ActiveX controls within IE, and integration with new AMD and Intel processor functions to prevent buffer overflows.

Although the ship date for Windows XP SP2 has slipped several times Poole reiterated his earlier promise that the update would ship in August. "Things are going well," he said.

SP2 will be distributed primarily via online download through the Windows Update site and Windows' own Automatic Update feature, a potential problem for users connecting to the Internet on a dial-up connection; the most recent beta of SP2 was a beefy 264MB. Last week, Poole said that SP2 will also be available as a free CD.

"We feel very good about the work that we're doing [with XP SP2], and we think it'll take users a long way forward," he said.

Whether that's how users see it is another matter. Some analysts have expressed concern that Microsoft designed SP2 so it can't be installed on systems running pirated copies of Windows, leaving a potentially huge pool of machines unprotected by the security enhancements.And a number of VARs and system integrators have said it's likely that SP2 will break a number of custom applications, and cause other, as-yet-unforeseen problems.