Re: XP SP2 - Statement of the NTBugtraq list
From: Jeffrey Altman (jaltman_at_SECURE-ENDPOINTS.COM)
Date: 08/12/04
- Previous message: Russ: "Administrivia #30313 - Where'd my post go??"
- In reply to: David Luxford: "Re: XP SP2 - Statement of the NTBugtraq list"
- Next in thread: Dan Houtz: "Re: XP SP2 - Statement of the NTBugtraq list"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 12 Aug 2004 16:57:28 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
David Luxford wrote:
>
> Here are my responses to your message. To clarify, I'm not acting as an
> official agent of Symantec, but I do work here so I can give you some
> perspective from inside the company.
>
> > That having been said, I'm not sure MS has put enough pressure on ISVs
> > to produce SP2 compliant software. MS has spent more than 18 months
> > working on SP2 and yet major vendors continue to have no clue about
> > supporting it. Symantec is a great example. Their various and
> > sometimes conflicting documents talk about updates being ready today (10
> > Aug 04) for retail products and depending on the rep you get Corp Ed
> > products can either be patched now with a patch that is a pain to deploy
> > (9.0.0.1400) if you're running v9 or wait up to 6 weeks for patches if
> > you're running any build prior to 9.
>
> We've been in a major hurry to support XPSP2. You would be surprised
> how hard it is for even us to get information and builds from Microsoft,
> however. I wrote the XPSP2 support that is in Symantec Client Security
> 2.0 and is now being backported.
>
<deletion>
> > Other companies like AutoDesk have no documents that I can find
> > containing XP and SP2 on their support site. How can they not at least
> > have a document that says 'we're fully compatible'? We have 2 firms
>
> We had a hard time getting builds and information out of Microsoft and
> are considered a very close friend. There you go.
Another perspective from an Open Source ISV: http://www.openafs.org.
Even with PSS contracts getting information and access to builds was
extremely difficult. I work very closely with the Microsoft Windows
Security team due to my IETF Standards work. This enabled me to gain
access to builds which others did not and provided me an ability to
get access to information on why things in my code which had worked
on every previous version of Windows no longer did. In fact, at IETF 60
I was still working with Microsoft developers to solve some
incompatibilities which had been added in the last couple of weeks.
Even with this I was shocked to find on Saturday that Microsoft had
added a new restriction at the last minute which caused XP SP2 to fail
to boot when OpenAFS for Windows was installed, including the XP SP2
compatible version I was about to release to the world on Sunday.
I have got to tell you, if I was a commercial provider I would not have
released anything to the public which claimed to be compatible with XP
SP2. The code was changing at such a rapid pace it was impossible to
keep up. Bill Gates commented last week that less than 5% of the source
code was changed and that was supposed to make me feel better. How
large is the XP source code these days? 40 million lines? 100 million
lines? Anyway I think you get the idea.
Microsoft tried extremely hard to get people to test applications
against pre-release versions of XP SP2. They documented the major
issues which they were attempting to address. Unfortunately, the devil
is in the details and unless you have access to the source code it is
impossible for you to know what those details are.
Here is one example of a detail:
Windows XP SP2 no longer allows SMB/CIFS authentication to be performed
across the loopback interface if the SMB/CIFS service name does not
match the name of the local machine. However, this means that it is not
possible to host your own SMB/CIFS server on the machine.
Unfortunately, the details of how to work around the restriction are not
documented.
It turns out there are two things you can do:
(1) We can disable the check for matching host names. This does not
require a reboot:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001
(2) We can add the AFS SMB/CIFS service name to an approved list. This
does require a reboot:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"BackConnectionHostNames"=multi-sz
Clearly you want to use (2) whenever possible. However, there is no way
that Jane Doe developer is going to be able to find this out unless you
can get someone to look at the source code for you and figure out what
was done.
In my case I am lucky. The developer who wrote the code is a friend but
he certainly could not be answering the questions of every ISV in the
world and still make progress securing future versions of Windows.
If I am upset about anything it is due to the fact that Microsoft did
make what I consider to be significant last minute changes in the final
days and weeks without providing even those with extraordinary access
the ability to test their applications. I am extremely lucky that a MVP
caught a fatal incompatibility and was able to report it to me within
hours of the XP SP2 compatible OpenAFS release. The release was delayed
for two days to discover the incompatibility, correct it, and issue
advisories.
In the end though it would not have made a difference. Given how fast
copies of XP SP2 spread through P2P networks on Friday night as beta
testers and MVPs gained access to the final build and redistributed it,
there is no way that Microsoft could have ever published a final build
and redistributed it to developers only for some period of weeks.
The gradual roll out of XP SP2 to end users will give most vendors at
least a short period of frenetic breathing to double check things and
work out issues before the vast majority of their users have been upgraded.
The individuals I have known there have always tried to do the right
thing. It's been the message from the top which made it so hard to
follow through. Kudos to Microsoft for the change in direction. It's
about time.
Jeffrey Altman
Secure Endpoints Inc.
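The two registry settings in the message above can be audited and applied from an administrative PowerShell prompt. The script below is an added example, not code from the original post or from OpenAFS; the service name it adds is a placeholder, and it assumes the same key paths and value names the message gives (DisableLoopbackCheck under Lsa, BackConnectionHostNames as REG_MULTI_SZ under Lsa\MSV1_0). It reports whether the global check has been switched off (option 1), lists which names are currently on the allow list (option 2), and adds a name to that list without touching the global switch.

```powershell
# Added example (not from the original post): audit the XP SP2 loopback
# SMB/CIFS authentication settings described above and prefer the per-name
# allow list (BackConnectionHostNames) over disabling the check globally.
# Run from an elevated prompt; as the post notes, option (2) takes effect
# only after a reboot.
param(
    # Placeholder: the SMB/CIFS service name your own software registers.
    [string]$ServiceNameToAllow = 'MYAFS-SERVICE-NAME'
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackAuthSettings {
    # Read both values; a missing value is reported as "not set" rather than an error.
    $disable = (Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' `
                    -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names   = (Get-ItemProperty -Path $msv10Key -Name 'BackConnectionHostNames' `
                    -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        DisableLoopbackCheck    = if ($null -eq $disable) { 0 } else { [int]$disable }
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    # Option (2): append one name to the REG_MULTI_SZ allow list, keeping existing entries.
    param([Parameter(Mandatory)][string]$Name)
    $current = (Get-LoopbackAuthSettings).BackConnectionHostNames
    if ($current -contains $Name) {
        return $current
    }
    $updated = @($current + $Name)
    # -Force overwrites the existing value; MultiString writes a REG_MULTI_SZ.
    New-ItemProperty -Path $msv10Key -Name 'BackConnectionHostNames' `
        -Value $updated -PropertyType MultiString -Force | Out-Null
    return $updated
}

$settings = Get-LoopbackAuthSettings
if ($settings.DisableLoopbackCheck -eq 1) {
    # Option (1) is in effect: the host-name check is off for every name, not just yours.
    Write-Warning 'DisableLoopbackCheck=1 is set; the name check is disabled for all SMB/CIFS names.'
} else {
    Write-Host 'DisableLoopbackCheck is not set; the host-name check is active.'
}
Write-Host ('BackConnectionHostNames: ' + ($settings.BackConnectionHostNames -join ', '))

if ($settings.BackConnectionHostNames -notcontains $ServiceNameToAllow) {
    $result = Add-BackConnectionHostName -Name $ServiceNameToAllow
    Write-Host ('Allow list now: ' + ($result -join ', ') + ' (reboot required to take effect)')
}
```

The audit half is the part worth keeping on a build checklist: a machine where DisableLoopbackCheck is 1 has lost the check for every name, while BackConnectionHostNames limits the exception to the names you actually need, which is why the message recommends option (2) whenever possible.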