Posted: 8/14/2004 7:53:53 AM EDT
MS has released a tool to temporarily disable delivery of Windows XP Service Pack 2 fro 120 days.
Windows XP Service Pack 2 (SP2) contains major security improvements designed to provide better protection against hackers, viruses, and worms. Windows XP SP2 also improves the manageability of the security features in Windows XP and provides more and better information to help users make decisions that may potentially affect their security and privacy. Because of these significant improvements, Microsoft views Windows XP SP2 as an essential security update and is therefore distributing it as a “critical update” via Windows Update (WU) and the Automatic Updates (AU) delivery mechanism in Windows. Microsoft strongly urges customers with Windows XP and Windows XP Service Pack 1-based systems to update to Windows XP SP2 as soon as possible.
What is the purpose of this mechanism?
While recognizing the security benefits of Windows XP SP2, some organizations have requested the ability to temporarily disable delivery of this update via AU and WU. These organizations have populations of PCs, upon which they have enabled AU. This is done to ensure that these PCs receive all critical security updates.
Since SP2 will start to be delivered to PCs running Windows XP or Windows XP with SP1 via AU starting on August 16, these customers would like to temporarily block the delivery of SP2 in order to provide additional time for validation and testing of the update. In response to these requests, Microsoft is providing the following guidance, resources, and communication vehicles to meet the needs of these customers.
Please note that the mechanism to temporarily disable delivery of Windows XP SP2 will be available for a period of 120 days (4 months) from August 16. At the end of this period, Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems.
Temporarily Disabling Delivery of Windows XP Service Pack 2
Yep, the company I work for has a population of about 500+ workstations running Windows XP. MIS is delaying implementation of SP2 until they can test it.
I guess they just don't trust Uncle Bill.
I have installed Windows XP Service Pack 2 on several computers so far without a hitch. Unless someone were managing a large number of machines with a specific proprietary software/hardware configuration that might cause a problem I would recommend going ahead with SP2.
Apparently there are some changes in the memory management that could possibly break custom applications. These are probably places that run in-house software.
I run SUS and I haven't seen it come down yet so apparently it's not being distributed yet via SUS. I would guess that most of these companies are running it too, you have got to be a masochist to want to run regular windows update on 500+ pcs.
Been running the RTM (released to manufacturer) version for a week with no problems.
Initial Windows XP SP2 fallout limited
Some users study the update before applying it
By Joris Evers, IDG News Service August 12, 2004
Since Microsoft Corp. began the staged rollout of Windows XP Service Pack 2 (SP2) late last week only minor compatibility issues have come up, but that might be because many users are waiting to install the update.
Microsoft has had to issue warnings that its CRM (customer relationship management) product and Baseline Security Analyzer tool need updates to work with SP2. Also, Symantec Corp. is working on an update to make its products work with the new Windows Security Center, which shows the status of security products installed on a user's system.
The limited fallout to date could be because many users are holding off on applying the update, despite Microsoft labeling it "critical" and urging all users to install it as soon as possible. Earlier this week Microsoft released a network installation package for IT professionals to update multiple computers on a network.
Also, many users haven't got the service pack yet. Microsoft on Monday plans to start pushing out SP2 via the Automatic Updates feature in Windows and make it available to users of its Software Update Services (SUS) deployment tool. The service pack should be available on Microsoft's Windows Update Web site for self-installation later this month. Retail distribution, free CDs from the company and inclusion on new PCs will follow.
Companies are testing SP2 for compatibility issues, both for the desktop and the Web. SP2 is more than the usual compilation of bug fixes and updates.
Changes to Windows XP made by SP2 fall into four main areas: network protection, memory protection, e-mail security and browsing security. Microsoft has made a trade-off, focusing on security at the expense of compatibility. As a result, SP2 can break some existing applications and make some features on Web page inaccessible, through changes in Internet Explorer.
"We're going to sit back at least a couple of weeks, possibly a couple of months before broadly rolling out SP2," said John Studdard, chief information officer at Lydian Trust Co. in Palm Beach, Florida. "We have to get our arms around all the things that are in there. Until you get it, you don't know what it is going to do to your environment."
Studdard is mainly concerned about Lydian's online services, particularly its banking Web site, he said. The site uses pop-ups to display features such as a mortgage calculator. SP2 includes a pop-up blocker. When it comes to its XP desktops, Lydian is treating SP2 as a new Windows release. Experienced users will test the service pack for a month and other XP systems will be updated if there are no issues, Studdard said.
IBM Corp. already found that some of its business-critical applications conflict with SP2. The company instructed its employees not to download SP2 because of the compatibility issues, and it plans to deploy a customized version of the service pack once the issues have been addressed, according to an IBM memo. A company spokeswoman declined to provide additional details.
Compatibility issues are also a concern at LandAmerica Financial Group Inc., said Ken Meszaros, assistant vice president and infrastructure manager at the real estate transaction services provider in Richmond, Virginia. Meszaros fears Microsoft may have gone overboard with the security features in SP2.
"Applications run the business. Security, although extremely important, cannot disable the organization," he said. "I am glad Microsoft took the time to provide methods for controlling the behavior of the security features in SP2. The implementation must provide the necessary flexibility to continue daily operations, while improving overall security. Only in testing over the next few months will we determine if Microsoft’s efforts were good enough."
Microsoft has recommended that customers thoroughly test SP2 before deploying it. Users who rely on Windows' Automatic Updates feature for patches, but don't want SP2 to be downloaded automatically, can block the download by setting a registry key that will instruct the system to skip service pack, but still download other critical updates. A tool to set this key is available on Microsoft's Web site.
Pundits have praised Microsoft's security efforts with SP2, but while users are testing the service pack, hackers and security professionals are picking it apart, looking for vulnerabilities.
"We will see new vulnerabilities discovered in SP2 over the next few weeks. Give it a month or two and we will also see worms that affect SP2," said Thor Larholm, senior security researcher at PivX Solutions LLC in Newport Beach, California.
Microsoft has published a list of nearly 50 software programs that require tweaking in order to work with its most recent Windows update.
Microsoft Lists Apps Affected by XP SP2
you mean bill doesen't test product before release?
I swear to god, if I didn't use my PC for gaming, I would have stuck with the Mac.
Our users can't dl it themselves because IE update requires admin access which our users do not have.
I have it running on a few machines at work and home with no problems yet.
Oh come on get real…
If you own a Apple you get the annual OS X upgrade/bug fixes and they only charge you $130, Apple owners should be thankful that Steve is willing to take their dirty money and not subject them to the indignity of free upgrades. All praise Steve and drink the Kool-Aid.
FYI SP2 showed up in SUS Tuesday morning.
tagged for later testing...Thanks!!
XP Service Pack 2: First security flaws found
August 19 2004
by Robert Lemos
"Microsoft never claimed that SP2 would close all the security holes"
Security researchers say they're starting to find flaws in Microsoft's latest major update for Windows XP.
Last week, German company Heise Security announced that two flaws could be used to circumvent the new warnings that Windows XP Service Pack 2, or SP2, normally would display about running untrusted programs, potentially giving a leg up to a would-be intruder's attempts to execute code on a victim's PC.
And more revelations about vulnerabilities are on the way, Thor Larholm, senior security researcher with vulnerability-assessment company PivX Solutions, said. Larholm has been looking for holes in the security of SP2 since the update was released and has notified Microsoft about several issues but he would not discuss the details.
"I'm positive that we will see critical flaws over the next few weeks, and worms that will circumvent SP2 features over the next few months," he said.
Larholm has found dozens of flaws in Windows XP and Internet Explorer over the past few years and had previously maintained a web page of unpatched vulnerabilities in the software giant's browser.
Microsoft would not discuss whether it had received reports of new vulnerabilities in Windows XP Service Pack 2 but did say that the company's researchers had investigated the Heise issues and found them wanting.
"The security response centre is investigating those reports," said a representative of the company. "This feature is one that is supposed to protect users against executable files from an unknown source or untrusted locations. At this time, [Microsoft's security response centre is] not aware of any instance that attackers could specifically bypass the service through email or a browser."
Security researchers also point out that Microsoft has not solved some well-known issues with a few of the security technologies incorporated into SP2. Though the firewall is improved, it can be circumvented by any locally running program, a problem with most personal firewall programs, said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. Maiffret and his staff are analysing the security update as well.
"We have seen some interesting things but it is only about a week into it," Maiffret said.
The flaw reports could cause companies to hesitate even more before installing Microsoft's latest step to secure Windows. Many companies have said they will hold off on the update until it has been thoroughly vetted.
SP2 is designed to add better security to the operating system's handling of network data, program memory, browsing activity and email messages by changing the system's code and configuration. For example, a revamped firewall is intended to keep attackers out and attempts to prevent malicious applications from connecting to the internet by requiring that the user give specific permission to each application.
The major software update, which took almost a year to create, came to life after the MSBlast worm hit the internet on 11 August. Almost 26 days before, Microsoft had issued a patch for the security hole the worm exploited, but many people did not install the fix even though there was widespread expectation that a virus would be created to take advantage of the flaw.
Microsoft chairman Bill Gates has described SP2 as the most extensive free update to Windows ever and executives have acknowledged that work on the update has delayed other projects, including Longhorn, the next major version of Windows.
In addition to making the software available via automatic update, Microsoft will allow information-technology managers to download an upgrade that companies can use to update their machines.
As for flaws in XP itself, eEye's Maiffret points out that the update is about making Windows XP more secure by adding new protection features and better configuration, not about finding all the vulnerabilities in the operating system.
"Microsoft never claimed that SP2 would close all the security holes," he said.
CNET News.com's Ina Fried contributed to this report.
Robert Lemos writes for CNET News.com