Initial Windows XP SP2 fallout limited
Some users study the update before applying it
By Joris Evers, IDG News Service August 12, 2004
Since Microsoft Corp. began the staged rollout of Windows XP Service Pack 2 (SP2) late last week, only minor compatibility issues have come up, but that might be because many users are waiting to install the update.
Microsoft has had to issue warnings that its CRM (customer relationship management) product and Baseline Security Analyzer tool need updates to work with SP2. Also, Symantec Corp. is working on an update to make its products work with the new Windows Security Center, which shows the status of security products installed on a user's system.
The limited fallout to date could be because many users are holding off on applying the update, despite Microsoft labeling it "critical" and urging all users to install it as soon as possible. Earlier this week Microsoft released a network installation package for IT professionals to update multiple computers on a network.
Also, many users haven't got the service pack yet. Microsoft on Monday plans to start pushing out SP2 via the Automatic Updates feature in Windows and make it available to users of its Software Update Services (SUS) deployment tool. The service pack should be available on Microsoft's Windows Update Web site for self-installation later this month. Retail distribution, free CDs from the company and inclusion on new PCs will follow.
Companies are testing SP2 for compatibility issues, both for the desktop and the Web. SP2 is more than the usual compilation of bug fixes and updates.
Changes to Windows XP made by SP2 fall into four main areas: network protection, memory protection, e-mail security and browsing security. Microsoft has made a trade-off, focusing on security at the expense of compatibility. As a result, SP2 can break some existing applications and, through changes in Internet Explorer, make some features on Web pages inaccessible.
"We're going to sit back at least a couple of weeks, possibly a couple of months before broadly rolling out SP2," said John Studdard, chief information officer at Lydian Trust Co. in Palm Beach, Florida. "We have to get our arms around all the things that are in there. Until you get it, you don't know what it is going to do to your environment."
Studdard is mainly concerned about Lydian's online services, particularly its banking Web site, he said. The site uses pop-ups to display features such as a mortgage calculator. SP2 includes a pop-up blocker. When it comes to its XP desktops, Lydian is treating SP2 as a new Windows release. Experienced users will test the service pack for a month and other XP systems will be updated if there are no issues, Studdard said.
IBM Corp. already found that some of its business-critical applications conflict with SP2. The company instructed its employees not to download SP2 because of the compatibility issues, and it plans to deploy a customized version of the service pack once the issues have been addressed, according to an IBM memo. A company spokeswoman declined to provide additional details.
Compatibility issues are also a concern at LandAmerica Financial Group Inc., said Ken Meszaros, assistant vice president and infrastructure manager at the real estate transaction services provider in Richmond, Virginia. Meszaros fears Microsoft may have gone overboard with the security features in SP2.
"Applications run the business. Security, although extremely important, cannot disable the organization," he said. "I am glad Microsoft took the time to provide methods for controlling the behavior of the security features in SP2. The implementation must provide the necessary flexibility to continue daily operations, while improving overall security. Only in testing over the next few months will we determine if Microsoft’s efforts were good enough."
Microsoft has recommended that customers thoroughly test SP2 before deploying it. Users who rely on Windows' Automatic Updates feature for patches, but don't want SP2 to be downloaded automatically, can block the download by setting a registry key that instructs the system to skip the service pack but still download other critical updates. A tool to set this key is available on Microsoft's Web site.
Pundits have praised Microsoft's security efforts with SP2, but while users are testing the service pack, hackers and security professionals are picking it apart, looking for vulnerabilities.
"We will see new vulnerabilities discovered in SP2 over the next few weeks. Give it a month or two and we will also see worms that affect SP2," said Thor Larholm, senior security researcher at PivX Solutions LLC in Newport Beach, California.
www.infoworld.com/article/04/08/12/HNxpfallout_1.html