Security issues, purchasing a new, pre-loaded, Windows XP computer

From: De Velopment (devel@www2.kparker.org)
Date: 10/07/02


Date: Mon, 7 Oct 2002 09:46:32 -0700 (PDT)
From: De Velopment <devel@www2.kparker.org>
To: Focus-MS <focus-ms@securityfocus.com>

Hello,

   I asked a casual question on another forum and believe I have
opened a major can of worms.

   The casual question came up when a friend of mine told me that she
purchased a new PC (I think Gateway, but manufacturer not important).
The PC comes pre-loaded with Windows XP Home. Simple enough. There
are probably millions of preloaded Windows XP boxes sold every week.

   The problem is security. Out of the box, Windows XP has some rather
dangerous vulnerabilities, including Universal Plug-n-Play, a number
of Internet Explorer / Outlook Express holes, including incorrectly
labeling an executable file as an audio (sound) file, and just maybe
a version of IIS that can be hit from outside by Code Red and Nimda.

   The question I brought up is what is required to make a PC, just
purchased, with Windows XP, safe on the Internet? One answer I got
was that all downloads, (Service Pack 1, Security Rollup, and
miscellaneous patches) would come up to 105 Megabytes. The problem
is that my friend only has dialup access! How long would it take
to download 105 Megs on a dialup line? How about if the phone line
is dirty? A related question, for those outside the USA, is how much
would it cost to download all of these fixes?

   So, my question to this list: Exactly what should I tell my friend?
How dangerous is it to have an unpatched Windows XP Home system on
the Internet? How many steps does it take to secure it? And, does
anybody have an estimate on how long it takes with Dialup? Can this
upgrade be done at night while she is sleeping? (Or does it take
several reboots and answers to questions (i.e. EULA) along the way?)

   Finally, has Microsoft been approached with the idea of releasing
a bug-fix version of Windows XP that has the patches pre-applied,
at least for the OEM distributors?

   Thanks in advance and best regards,

           Ken Parker
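As an added illustration of the "how many steps" question (this is the editor's example, not part of Ken Parker's post or any list reply), the batch script below is the minimum a practitioner would run from an Administrator account on a freshly unboxed, pre-SP2 Windows XP box before the dial-up connection is ever plugged in: it shuts off the UPnP listeners the post worries about and shows what is still listening, so the machine sits quietly while the large update download runs. It assumes the stock XP service names SSDPSRV (SSDP Discovery Service) and upnphost (Universal Plug and Play Device Host); sc.exe, net.exe, netstat and find all ship with XP, so nothing has to be downloaded first.

```batch
@echo off
rem Added example, not from the original post. Run as Administrator on a
rem new Windows XP (pre-SP2) box BEFORE connecting it to the Internet.
rem Assumed service names: SSDPSRV and upnphost (stock XP UPnP services).

rem 1. Stop the UPnP services now, and keep them from starting on reboot.
net stop upnphost
net stop SSDPSRV
sc config upnphost start= disabled
sc config SSDPSRV start= disabled

rem 2. Verify the change took: START_TYPE should read DISABLED for both.
sc qc SSDPSRV  | find "START_TYPE"
sc qc upnphost | find "START_TYPE"

rem 3. Inventory what is still listening before going online. Anything on
rem    0.0.0.0 beyond the Windows networking ports (135, 139, 445) needs a
rem    reason to be there on a home dial-up machine.
netstat -an | find "LISTENING"
```

One thing the script cannot do, because there is no command-line switch for it in XP before SP2, is turn on the built-in Internet Connection Firewall: that is the "Protect my computer..." checkbox on the Advanced tab of the dial-up connection's Properties, and it should be ticked before the first connection, since it is what keeps worms from reaching the box during the hours the updates take to arrive. Note also that XP Home cannot install IIS at all, so the Code Red / Nimda exposure the post mentions applies only to the Professional edition with IIS added.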


