Re: XP SP2 - Statement of the NTBugtraq list

From: Brian Bergin (ntbugtraq.nospam.1_at_TERABYTE.NET)
Date: 08/10/04

  • Next message: David Luxford: "Symantec XPSP2 Support"
    Date: Tue, 10 Aug 2004 17:47:25 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    First Russ, very well said. It's refreshing to see someone who actually
    wants to wait to pass judgement on something from Microsoft these days.

    That having been said, I'm not sure MS has put enough pressure on ISVs to
    produce SP2 compliant software. MS has spent more than 18 months working
    on SP2 and yet major vendors continue to have no clue about supporting
    it. Symantec is a great example. Their various and sometimes conflicting
    documents talk about updates being ready today (10 Aug 04) for retail
    products and depending on the rep you get Corp Ed products can either be
    patched now with a patch that is a pain to deploy (9.0.0.1400) if you're
    running v9 or wait up to 6 weeks for patches if you're running any build
    prior to 9. Furthermore, if you find the right rep at Symantec 9.0.1.1000
    is available for download (though they had a corrupt version of the file
    out there for a while). Symantec has made no statements about Norton AV
    Retail prior to 2004 and I can assure you there are millions of people
    running their 2003 and 2002 versions who don't feel they should have to
    upgrade (whether they should or not is not in the argument here).

    BTW, be prepared for a 90 minute call if you call Symantec. 80 on hold and
    10 with the rep.

    Other companies like AutoDesk have no documents that I can find containing
    XP and SP2 on their support site. How can they not at least have a
    document that says 'we're fully compatible'? We have 2 firms that use
    AutoDesk's products and so far we've seen no word from them. In fact
    AutoCAD LT 2005 doesn't even list SP1 as an option. I spoke with Brian
    Baker at AutoDesk and he was very helpful and is going to find out for me,
    but he didn't have any info at present instead first directing me to local
    resellers for info. If the resellers have it shouldn't customers be able
    to find it on the software company's web site?

    Another problem is the poorly, IMHO, designed Windows Firewall. As a beta
    tester I voiced my concerns and recommended if they wanted it secure they'd
    have to do at least 2 things:

    1) STOP creating admin accounts for every user at installation for
    workgroup/standalone systems;
    2) Bind the WF to the IP stack like ISA is. If the firewall is stopped
    improperly then all IP traffic stops. They could even use some random text
    generator like Whois lookups have gone to, to prevent the malicious or
    accidental turning off of the WF.

    As it stands now with the file
    http://www.terabyte.net/temp/disable_xpsp2_firewall.reg any admin can
    disable the firewall and its related notifications. How long do you think
    it will be before some hacker creates a virus with this
    capability? Programmers I know say it's a simple thing to do and you and I
    both know no amount of warnings will keep some idiots from clicking Yes or
    Ok on a download. The file above can be installed with 2 clicks (the Run
    and the Yes button) and the WF is OFF and few general users would know
    enough to go looking to see.

    Is SP2 a great upgrade? Absolutely. Is its new security solid enough to
    avoid being hacked? IMHO, no. Is it going to be a smooth upgrade? Yet to
    be seen. Could it have been smoother? If MS had pushed harder or even
    perhaps put more of the known problem software titles like all unpatched
    Symantec products in a popup that says "You have the following products
    that are not compatible with SP2. Please contact the vendor for an
    update." Then listed the corp phone number for each vendor. To stay off
    that list vendors need to show MS BEFORE the final build they will be able
    to support the final build on the day MS releases it to the public. If
    they miss the cut off for the final build they get embarrassed and perhaps
    they won't sit around on their hands next time around.

    Note to ISVs: When MS releases a new SP or new OS, be ready. Customers
    don't like to wait. Big corporations may wait to deploy patches, but
    consumers don't like to wait and companies who sit around without a clue
    lose business.

    Note to MS: Use some of that muscle the US claims you use too often against
    PC makers and make those ISVs toe the line or embarrass them into it.

    Brian Bergin
    Terabyte Computers, Inc.
    Boone, NC USA

    At 02:36 10 08 04 Tuesday, you wrote:
    >Ok, so I feel like I need to do this, hopefully it's understandable.
    >
    >1. XP SP2 is the most significant security effort Microsoft has ever
    >produced. Granted, it may not be a "silver bullet", or solve all problems,
    >but it is significant in so many ways that we as a security community
    >cannot fail to acknowledge it. I admire "discoverers" as much as the next,
    >but before XP SP2 can be written off it will take many, many,
    >vulnerability announcements.
    >
    >a) IMO, this is the first time that Microsoft has put security over
    >existing, and frequently used, features.
    >
    >b) IMO, this is the first time that Microsoft has accepted the fact that
    >their choice is going to lead to "some" incompatibilities.
    >
    >c) IMO, this is the first time that Microsoft has taken a stand against
    >ISVs who are definitely making money out of some features they (MS) made
    >available to them.
    >
    >2. I, at least, as NTBugtraq Editor, believe we, as the NTBugtraq
    >community, need to stand behind Microsoft's efforts. That means we need to
    >continue to endorse XP SP2 despite what problems have arisen or may arise
    >(within obvious reason.) The media is only going to state the problems.
    >They cannot appreciate, nor do they believe their customers are willing to
    >pay for, stories about XP SP2 successes.
    >
    >So, I want to hear from you, every one of you, regarding XP SP2 success or
    >failure. Obviously, I want those stories in as much detail as you can provide.
    >
    >There are, no doubt, some (many?) applications which will not be
    >compatible with XP SP2. I say they represent Vendors who are not prepared
    >to accept the responsibilities we've always felt they should have as
    >reasonably security-minded Vendors. They've had lots of time to figure out
    >how to make their apps compatible, and have *chosen* not to.
    >
    >I offer any Vendor who feels Microsoft left them "in the lurch", regarding
    >their problems with XP SP2, a forum to express their problems.
    >
    >Equally, I offer all NTBugtraq subscribers a place to state the problems
    >they are encountering with an ISV application.
    >
    >It is extremely important for corporate environments to get XP SP2
    >deployed to all home systems running XP. Let's make sure the media has the
    >right information.
    >
    >Cheers,
    >Russ - NTBugtraq Editor
    >
    >
    >
    >-----Original Message-----
    >From: Windows NTBugtraq Mailing List
    >[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
    >Sent: Monday, August 09, 2004 6:07 PM
    >To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    >Subject: XPSP2 for Corp/Dev released today
    >
    >The full download of XP SP2 final was made available today via;
    >
    >http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
    >
    >This is the full 272MB download. Windows Update version will be "coming
    >soon".
    >
    >Enjoy.
    >
    >Cheers,
    >Russ - NTBugtraq Editor
    >
    >-----
    >NTBugtraq Editor's Note:
    >
    >Want to reply to the person who sent this message? This list is configured
    >such that just hitting reply is going to result in the message coming to
    >the list, not to the individual who sent the message. This was done to
    >help reduce the number of Out of Office messages posters received. So if
    >you want to send a reply just to the poster, you'll have to copy their
    >email address out of the message and place it in your TO: field.
    >-----
    >

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----
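The registry toggle Brian describes above (an admin merging a .reg file that switches the Windows Firewall and its notifications off) is a condition a defender would rather detect than trust users not to click through. The following is an added example, not code from the original post or from the list: a PowerShell audit script that reads the XP SP2-era Windows Firewall policy keys and reports whether the firewall or its notifications have been turned off in either profile. The key paths, the EnableFirewall and DisableNotifications value names, and the SharedAccess service name are what the XP SP2 firewall used; the "after the .reg file" sample values at the bottom are constructed for illustration.

```powershell
# Added example (not from the original post): audit the XP SP2 Windows Firewall
# policy keys and flag the state a "disable the firewall" .reg file would leave.
# The key paths and value names are the XP SP2 FirewallPolicy locations; the
# constructed sample at the bottom stands in for a machine where such a file
# has already been merged.

$FirewallProfileKeys = @{
    DomainProfile   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
    StandardProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
}

function Test-FirewallProfileValues {
    # Pure check: takes the two DWORD values ($null when the value is absent)
    # and returns the list of findings. An absent value means the XP SP2
    # default (firewall on, notifications on), so $null is "not disabled".
    param(
        [string]$ProfileName,
        [Nullable[int]]$EnableFirewall,
        [Nullable[int]]$DisableNotifications
    )
    $findings = @()
    if ($EnableFirewall -eq 0) {
        $findings += "$ProfileName : EnableFirewall=0 (Windows Firewall turned OFF)"
    }
    if ($DisableNotifications -eq 1) {
        $findings += "$ProfileName : DisableNotifications=1 (user is not told the firewall is off)"
    }
    return ,$findings
}

function Get-FirewallAuditFindings {
    # Live check: read both profile keys from the local registry and confirm
    # the service that hosts the XP SP2 firewall (SharedAccess) is running.
    $findings = @()
    foreach ($name in $FirewallProfileKeys.Keys) {
        $props = Get-ItemProperty -Path $FirewallProfileKeys[$name] -ErrorAction SilentlyContinue
        $findings += Test-FirewallProfileValues -ProfileName $name `
            -EnableFirewall $props.EnableFirewall `
            -DisableNotifications $props.DisableNotifications
    }
    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        $findings += 'SharedAccess (Windows Firewall/ICS) service is not running'
    }
    return ,$findings
}

# Constructed sample: the values a two-click "disable the firewall" .reg file
# would leave in StandardProfile on a workgroup machine.
$sample = @{ EnableFirewall = 0; DisableNotifications = 1 }
$sampleFindings = Test-FirewallProfileValues -ProfileName 'StandardProfile' `
    -EnableFirewall $sample.EnableFirewall -DisableNotifications $sample.DisableNotifications
$sampleFindings | ForEach-Object { Write-Output "SAMPLE: $_" }

# Real audit of the machine the script runs on (Windows only).
if ($env:OS -eq 'Windows_NT') {
    $live = Get-FirewallAuditFindings
    if ($live.Count -eq 0) {
        Write-Output 'Windows Firewall policy looks intact'
    } else {
        $live | ForEach-Object { Write-Output "FINDING: $_" }
    }
}
```

Because the post's point is that any local admin can merge the .reg file, an audit that runs as that same admin can be tampered with just as easily; run it from a scheduled task or management station that the end user does not control, and treat a finding as an alert to investigate rather than something to silently auto-repair, since the same values are also legitimately set by Group Policy on domain-joined machines.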

