Re: XP SP2 - Statement of the NTBugtraq list
From: David Luxford (dluxford_at_SYMANTEC.COM)
Date: Tue, 10 Aug 2004 18:42:50 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Here's my responses to your message. To clarify, I'm not acting as an
official agent of Symantec, but I do work here so I can give you some
perspective from inside the company.
> That having been said, I'm not sure MS has put enough pressure on ISVs
> to produce SP2 compliant software. MS has spent more than 18 months
> working on SP2 and yet major vendors continue to have no clue about
> supporting it. Symantec is a great example. Their various and
> sometimes conflicting documents talk about updates being ready today (10
> Aug 04) for retail products and depending on the rep you get Corp Ed
> products can either be patched now with a patch that is a pain to deploy
> (126.96.36.1990) if you're running v9 or wait up to 6 weeks for patches if
> you're running any build prior to 9.
We've been in a major hurry to support XPSP2. You would be surprised how
hard it is for even us to get information and builds from Microsoft,
however. I wrote the XPSP2 support that is in Symantec Client Security
2.0 and is now being backported.
> Furthermore, if you find the right rep at Symantec 188.8.131.520 is
> available for download (though they had a corrupt version of the file
> out there for a while). Symantec has made no statements about Norton AV
Sorry, this can happen. Yes, this is, let's see, the first MR to SavCorp
9.0 STM (build 338a).
> Retail prior to 2004 and I can assure you there are millions of people
> running their 2003 and 2002 versions who don't feel they should have to
> upgrade (whether they should or not is not in the argument here).
We are not forcing users to upgrade for XPSP2 support. On the contrary,
we are going to backport this support all the way back to NavCorp 7.6, an
extremely old product (which, yes, I've worked on - I've worked on
practically everything corporate).
> BTW, be prepared for a 90 minute call if you call Symantec. 80 on hold
> and 10 with the rep.
Not if you have a Platinum Support Contract.
For end users, yes. The industry has changed. Providing telephone
technical is very expensive, as most users do not read the documentation.
Also, we learned many years ago that most of our users are quite happy
with electronic support. And yes, I'm not just spouting off, I did all
> Other companies like AutoDesk have no documents that I can find
> containing XP and SP2 on their support site. How can they not at least
> have a document that says 'we're fully compatible'? We have 2 firms
We had a hard time getting builds and information out of Microsoft and are
considered a very close friend. There you go.
> Another problem is the poorly, IMHO, designed Windows Firewall. As a
> Beta tester I voiced my concerns and recommended if they wanted it
I agree with you. It helps to put this in perspective, though. Microsoft
is walking a fine line. On the one hand, security is a major push now,
because they have about 10,000 eggs on their face. On the other hand,
they have to be *very* careful about adding new functionality to Windows,
because everyone and their grandmother is out to sue them. Easy as pie:
we've been selling this for years and all of the sudden Microsoft start's
giving it away for free? Textbook dumping. So Microsoft has to make sure
their stuff is not too good. This dates back 15 years (e.g., see DOS 5.0
and compare with NU).
> Is SP2 a great upgrade? Absolutely. Is its new security solid enough
> to avoid being hacked? IMHO, no. Is it going to be smooth upgrade?
It simply raises the bar. Ultimately, that is really all any security
product can do. Anyone determined enough can break through. Never, ever,
start to believe the falacy that *any* security product, including ours,
provides absolute protection.
David Luxford, CISSP
Senior Software Engineer
6  5421