Flaws in XP SP2

[mls]

Here's something interesting:

Flaws in SP2 security features

Hmm, SP1 and SP2 were roughly about 370Meg each, so that means everyone has already totally installed XP over itself twice and they still haven't got it right.

What I really find interesting is that once again Microsoft says:

"at this time we do not see these as issues that we would develop patches or workarounds to address

Strange that was their same general attitutude way back BEFORE Windows XP was even put on the market when people like Steve Gibson (grc.com)
warned Microsoft about a large number of things that eventually did become MAJOR security problems.

Guess everyone fell for the bull with Clinton saying "that depends on what the meaning of is, is" type nonsense.

Even that never made any sense, but everyone went along with it. Seems like anyone can get away with anything now and it don't matter if they bother fixing things.

Shove the problem under the carpet and maybe it will go away if nobody pays any attention.

[heffe2001]

Have you actually looked at the flaw? It's a pretty far reach for it to be a problem. How would you like it that every time you ran a program from a command prompt that it pops up a window that tells you it might not be secure?

Jeez, why do people LOVE to hit on Microsoft? This security 'flaw' is about the biggest non-issue I've ever seen, and been TOTALLY blown out of proportion by the media.

The user has to actually open up a command prompt, and drop the file on it, or execute it manually. NO DIFFERENT from installing any other application. If you've got a current antivirus and it's update (like the SP will nag you to death to do), you shouldn't have a problem...

Maybe there should be a computer-user license, sort of like a license to drive a car... If you can't pass the competancy test, you can't use one...

[mls]

Quote:

Originally posted by heffe2001
NO DIFFERENT from installing any other application. If you've got a current antivirus and it's update (like the SP will nag you to death to do), you shouldn't have a problem...

Hmm, for those that did an install of XP in the last year or so, it had automatically installed networking components to connect to Micorsoft to both get updated install data and also for registrations.

Not bloody likely that helped anybody with all the massive stuff floating/searching for open unprotected/updated computers unless they new to have an external firewall or keep everyting unplugged that might have Internet access. Strange they never told anybody about that until it was too late.

Quote:

Maybe there should be a computer-user license, sort of like a license to drive a car... If you can't pass the competancy test, you can't use one...

Now that's something I can totally agree on. Ask any tech support person and they'll tell you how many people really shouldn't own/operate a computer.

My favorite is when a tech suport actually did that. Shortened story, got a call about computer that would not boot, asked for info from the monitor screen... got told there was a power outage so she could not see the screen.

He told her to box the computer up and ship it back because she was to stupid to own one. I happen to agree.

[falchulk]

Quote:

Originally posted by mls
[B]Hmm, for those that did an install of XP in the last year or so, it had automatically installed networking components to connect to Micorsoft to both get updated install data and also for registrations.

Not bloody likely that helped anybody with all the massive stuff floating/searching for open unprotected/updated computers unless they new to have an external firewall or keep everyting unplugged that might have Internet access. Strange they never told anybody about that until it was too late.



Now that's something I can totally agree on. Ask any tech support person and they'll tell you how many people really shouldn't own/operate a computer.

My favorite is when a tech suport actually did that. Shortened story, got a call about computer that would not boot, asked for info from the monitor screen... got told there was a power outage so she could not see the screen.

He told her to box the computer up and ship it back because she was to stupid to own one. I happen to agree.

MLS, I am not trying to be a jerk, what are you trying to say here. Personally I am haveing a hard time following.

[mls]

Which part? I'll try to clearify if I can.

[PGPfan]

mls-

I'm very confused also by your rationale in this thread. You have on many threads denounced XP as being bloatware, security risk, not worth the money, etc. Your perception is that Win9x is just great when run correctly (the right apps/drivers/etc.).

Why not apply the same mentality on XP? When you use it with the same line of thought (the right apps/drivers/etc.) where is your security threat? Heck, for that matter you still end up with a FAR SUPERIOR product than Win9x architecture by default.

Why the XP bashing? Doesn't a company have a right to increase features in a product, and release it as a new product if they wish? Even if it adds 'bloat' as some call it? If you don't like to spend the additional money, fine. But don't take every opportunity to abuse the anti-Microsoft 'hype machine' and point out ridiculous security 'flaws'. Windows XP is a VERY COMPLEX beast, with well over 4 millions lines of code in the original release. Why can't Microsoft, if it wishes, release say 15 or 20 "rewrites" of the OS without having to ask 'you' if they've "gotten it right"?

I can guarantee this - not you, Microsoft, Heise security, or anyone else will ever be able to say "they got it right this time" and have a clue what they are talking about - there a too many possible differences in possible configurations to test them all. So, you test your largest customer bases (Compaq, HP, Sony, IBM, Dell, Gateway, etc.) and use as much beta hardware as you can get your hands on, and then call it good.

Please, lighten up on the MS bashing.


-PGPfan

[PGPfan]

mls-

Sorry if this seems like a personal attack, I'm a former MS employee (on dev teams for both Win2k, and XP) and am a 'bit' sensitive to people's opinions considering the 'inside' perspective that I was fortunate to have had.

Again, I'm sorry if it offended you. You've ALWAYS been helpful to me on the occaisions I've asked for it, and I thank you.

-PGPfan

[mls]

Quote:

Originally posted by PGPfan

Why not apply the same mentality on XP? When you use it with the same line of thought (the right apps/drivers/etc.) where is your security threat?...
Why the XP bashing?

Only because Microsoft was informed and fully aware of the 100's (if not 1,000's) of security issues with XP long BEFORE they ever first sold it to the public and totally ignored them even though the could have been fixed BEFORE it ever went on the market.

On the other hand, they didn't have hardly any advance warning about security flaws in Win98, yet it still had far less than XP had even from day one.

XP has a reasonably good base with NT, but they just blew it all way for a "general public" version.

Quote:

Doesn't a company have a right to increase features in a product, and release it as a new product if they wish? Even if it adds 'bloat' as some call it? If you don't like to spend the additional money, fine... Why can't Microsoft, if it wishes, release say 15 or 20 "rewrites" of the OS without having to ask 'you' if they've "gotten it right"?

I can guarantee this - not you, Microsoft, Heise security, or anyone else will ever be able to say "they got it right this time" and have a clue what they are talking about - there a too many possible differences in possible configurations to test them all. So, you test your largest customer bases (Compaq, HP, Sony, IBM, Dell, Gateway, etc.) and use as much beta hardware as you can get your hands on, and then call it good.

Would you mind quoting the above section and posting it over in another thread: Compatiblity Problems

Seems like if a small company like Frey Tech screws up its unforgivable, yet if a multi-billion dollar company like Microsoft screws up we should all just ignore it.

When people stop complaining about things that are outside of Frey's control, maybe then I'll stop complaining about things that WERE within Microsoft's control for XP.

I've tried using your rational in that other thread, but nobody there will believe it. Maybe you can convince them?

Quote:

Please, lighten up on the MS bashing.

I've stood by Microsoft all the from back with DOS 3.3 up until they went into the history books with releasing the ABSOLUTE WORST OS ever sold to the public with WinME.

Heck, I almost forgave them for that screw up until if found out how many things they knew about and didn't bother fixing before releasing XP.

Sure, I could (even might) lighten up, but that still won't make XP worth the money they charge for it. If nobody says something is wrong, they sure aren't gonna bother improving it either.

Somehow you feel putting something known to be totally flawed on the market and then not worry about fixing it until you absolutely have to later is better than putting something good on the market and then improving upon it. I can't go along with that logic.

[heffe2001]

You do realize that all software has bugs, and if every developer fixed all their bugs before releasing a product, you'd really not have anything to run on your PC? Look how at the bugs that were left in Sage when it was released, they knew about some of them, and released anyway. I've never once even mentioned a screwup by Frey (I love the software, minute flaws and all ).

My problem is people bashing Microsoft JUST FOR THE SAKE of bashing them, no other reason. Every time there is the slightest problem with anything they make, all the fanboi's for the He-man, Microsoft Haters club come out of the woodwork.

Let see how everyone feels about their PVR when they release their new version of MCE, it'll do 99% of the stuff that the current ones on the market will do, and they have hardware coming out that sits at the TV wirelessly that will basically control the entire MCE interface without a PC. I can tell you right now, it works, and works well, but I still prefer my Sage install, easier to manipulate the produced files.

And as for the XP installs in the last year, that's not what was being discussed here, the new SP2's so-called 'flaw'. Those installs don't enter into it, nor anything that was installed previously or not. It's pretty funny you mention the updated install & registration stuff, those aren't required by the system at first boot to be done, you can skip the search for updates, and delay registration for several days. Also, if you're savvy enough to build and install your own system, you'd think you'd be smart enough to not plug it into the net until after you get antivirus & stuff on it...

*EDIT* And FYI, even though I don't work for Microsoft, I am one of their beta testers, and helped test the SP2 package as well as several others (MCE2k5 beign one), and I don't think most people realize the lengths they DO go to for finding and fixing bugs. On the MCE side, I've gotten 2 full OS updates in less than 10 days time, that's full re-installs for each one. While that's alot of trouble, it's worth it in the end if the system has fewer bugs because of my troubles...

[PGPfan]

mls-

I understand your sentiment, but as passionate as you are about it some of your views just aren't correct. I'll try to elaborate a little as to why, but for the record I've never complained about the job that Dan and Jeff (all of Frey, that I'm aware of) that they have done with SageTV.

As for your mistaken logic, here are the flaws:

Quote:

XP has a reasonably good base with NT, but they just blew it all way for a "general public" version.

This flat isn't true. I know, I was there at MS working on this project everyday. There is nothing that was "blown" away to release XP to the general public. In reality, many things were 'added'.

Quote:

Only because Microsoft was informed and fully aware of the 100's (if not 1,000's) of security issues with XP long BEFORE they ever first sold it to the public and totally ignored them even though the could have been fixed BEFORE it ever went on the market.

This one is slightly different. The reason that some folks like yourself believe that the 9x OS's are somehow 'more secure' is that quite simply Microsoft mistakenly didn't see the significance of the internet at that time (general timeframe, mind you) Almost noone at the enterprise level thought a whole lot about security (especially compared to now) and there wasn't nearly as much of a 'hacker' base. By this time Win9x had become the defacto standard, and in the business world Win2k was in the works. Win2k still wasn't meant for the general public, but with the much more stable 32-bit kernel design it was much better for use at the enterprise level. Because still there wasn't too much activity with hackers doing much more than playing with Linux, and cracking software more effort was put at the OS kernel for chasing stability. (point to keep in mind: Windows OS, and Internet Explorer are designed and built by 2 totally seperate groups at Microsoft) The IE guys were working at the speed of sound trying to create a browser that could compete with Netscape at the time. Correct, the focus was NOT on security. A poor business decision in hindsite, but given the climate it's not surprising. Herein lies the biggest area's of vulnerability. IE became the most popular browser, and the largest target for mischivous (sp?) folks to 'see what they could do' to f'with peoples machines since 'anyone who's anybody' is 'online'.
Security has always been about trying to 'catch up', whether it be MS, Linux, Apple, Sun, etc. The key thing to understand is "size of userbase". If anyone of the previously mention entities have even a fraction of the userbase of Windows, they will (and do)suffer from security vulnerability.

Quote:

I've stood by Microsoft all the from back with DOS 3.3 up until they went into the history books with releasing the ABSOLUTE WORST OS ever sold to the public with WinME.

No argument here!
Heck, I'll come clean with what I know (you might find it interesting). WinME was never supposed to exist. The reason it is there is simply that some market person at MS mentioned that MS would have the follow-on to 98SE at such and such a date. When they did this, they put intense pressure on developement to meet that goal. The original intention was to have Windows2000 be a release for the general public, but we couldn't make the deadline with the feature set we commited to provide. As a 'last ditch' effort, the decision was made to try to merge some of the good parts of Win2k (networking stack, among a few others) into 98SE and make it work. Other than on very limited combinations of hardware, it didn't work.

I'll try to end this long post with this:

Quote:

Somehow you feel putting something known to be totally flawed on the market and then not worry about fixing it until you absolutely have to later is better than putting something good on the market and then improving upon it. I can't go along with that logic.

To the contrary, XP is NOT known to be "totally flawed"! In reality it is known to be the BEST OS Microsoft has EVER produced by almost everyone who's ever written about it. Does it have flaws? HELL YES! Will it ever be perfect? HELL NO! But given all that it does do, NO OS is even close to it. Well, maybe that's an exaggeration, but maybe not (ever tried to configure Linux?).

-PGPfan

[heffe2001]

I have to agree with PGPfan, NO OS or any other software will be totally 100% without a doubt secure. The ONLY way to make it secure is remove all input devices (keyboard, mouse, CD/floppy/USB), and remove any network connections. Then it's secure. Until you do that, there will always be a backdoor/exploit into the system.

I also guess that including older versions of some of the network services in some of the linux distros out there would also be construed as releasing a totally flawed distro..

Same would go for OS/X, there are several critical flaws in that system, but it's stil being shipped without the patches pre-installed...

[PGPfan]

Quote:

And FYI, even though I don't work for Microsoft, I am one of their beta testers, and helped test the SP2 package as well as several others (MCE2k5 beign one), and I don't think most people realize the lengths they DO go to for finding and fixing bugs. On the MCE side, I've gotten 2 full OS updates in less than 10 days time, that's full re-installs for each one. While that's alot of trouble, it's worth it in the end if the system has fewer bugs because of my troubles...

heffe2001-

Sounds like your getting off lucky with just 2 OS refreshes in 10 days. I know in my lab, we turned as many as 2 per day! Although things have changed at Microsoft in the past few years, they used to maintain a 2:1 test to dev ratio (2 test engineers for each developement engineer) which was/is higher than any other software company that I've heard of. FWIW, my final project at MS was running a usability lab for MCE, just as it was being released for the first time.


-PGPfan

[heffe2001]

So far that has been the closest 2 releases I've seen, and one was a optional update . I just hate getting everything how I want it, and having new CD's showing up on my doorstep .

[phenixdragon]

Quote:

Originally posted by heffe2001
Have you actually looked at the flaw? It's a pretty far reach for it to be a problem. How would you like it that every time you ran a program from a command prompt that it pops up a window that tells you it might not be secure?

Jeez, why do people LOVE to hit on Microsoft? This security 'flaw' is about the biggest non-issue I've ever seen, and been TOTALLY blown out of proportion by the media.

The user has to actually open up a command prompt, and drop the file on it, or execute it manually. NO DIFFERENT from installing any other application. If you've got a current antivirus and it's update (like the SP will nag you to death to do), you shouldn't have a problem...

Maybe there should be a computer-user license, sort of like a license to drive a car... If you can't pass the competancy test, you can't use one...

I know, people should be glad there is one dominate OS. I remember back in the day when there were several ones. It was such a pain to get all the programs you wanted to run on the same system.

Without one dominate OS, computer prices in general would be much higher then it is now. The only reason why prices came down is compatibility and everyone running on the same page.

Plus even if Linux or the MacOS became the main OS, they would have just as many security issues and flaws as Windows has now.

I love how the MacOS has been getting beat up with viruses themselves since gaining popularity a few years ago. I would have to say for any normal user on the MacOS they are just as likely to get a virus as their Windows counterpart. Well since I work in IT and deal with viruses everyday I have a different view then most but it is very common.

[ErsatzTom]

I've never gotten a virus on my mac, which is my main email an web machine and I have no anti-virus software. However, even with antivirus software, it seems like a couple of times a year I have to fight with a virus on one or another of my windows boxes.

t

[phenixdragon]

I have had to deal with Mac viruses starting about 3 years ago and every few months it seems to be getting hit on more and more machines. But the main point is that any OS that is mostly being used it going to be hit with more viruses and security holes no matter what OS it is. They all have their own flaws and that is just the game along with running so many diffrent hardware peices nothing is ever going to be perfect for everyone.

[heffe2001]

Way back when the Mac first came out, there were way more virii on the Mac than the PC at the time. First piece of Antivirus software I ever saw was for a mac, they didn't have it for PC's back then...

Here where I live I would have said then that 99% of all of the Mac's in town had at least one virus, if not multiple infections, mainly because of the local users 'swapping that floppy' with all the other Mac users in town...

[phenixdragon]

Ohh ya, I think a lot of the viruses on Macs now is from swapping from each other and most people think Mac can't get a virus. But then again this is when you are dealing with end users and not techies.

[mls]

I'm glad to see this thread kept on going with me off busy with other things. Although I may not be right all the time, I do fell it is worth the effort to get things out in the open so they can be discussed rather than just ignore things.

I'll try to get back to some other items in time, but for now I'll just try to clear up one item.

My comment about MS "blowing it all way" compared to NT with XP is in regards to 2 areas. The first of course it the extra bloat of all the eye candy. The more you add to an OS, the more possibilities there are for flaws. That's easy enough to understand.

The other part is with the defaults. Too many extra processes and networking features that really aren't needed by a "home" computer user normally.

Now, before everyone gets excited, I do kind of understand why they did that (in fact they did so in 98 too). It's just a lot easier to default everything for the business use side so that all computers in a LAN can connect without having to set each one up one at a time.

Unfortunately, the left the "home" users with computers that had way too many other possible security problems when connected directly to the Interent rather than thru a LAN (with business type routers and Firewall).

Biggest mistake in that area was having the built in XP Firewall off by default. That's ok in a business type network, but clearly a mistake for anyone installing it on a "home" computer.

Now that SP2 is out for XP, I will mellow down on my complaints about XP. Still don't see why they released XP before though considering how many outside security people had BETA tested it had reported all kinds of flaws (check sections of grc.com).

That's what really bugged me most... the fact that MS knew and just kept saying "that'll never be a problem" and marketed it anyway. And look at the mess it developed into on the Internet since.

[broderp]

All I know is as a PC builder, with over 150 builds/rebuilds and counless upgrades, XP is the STABLE windows.

I have done DOZENS of XP software installs and even more updates. (Dont like the AUTO updates)

Then along came SP2. KILLED my system, and after 6 hours going through hoops visiting forums to get cryptic info on recovery console and command line parameters, was able to start my PC, so I can down load files I needed to save.

Now after spending a nother full day reistalling and setting up my sag box, WINDOWS says I need SP2.

BULL!!!!!

WHO cares about "SECURITY"? As a private citizen, I'm small potatoes to these people, and my only PC with my financial info on it is not on my network unless I'm on it. As far as online banking, I'm forced to believe that the web sites secure and encrypted are adequete, what other choice do I have?

So basically, I say, if it aint broke, don't FIX IT!!!


SP2 has flaws, and I only resent myself for thinking I needed to update this and that because everyone else was. My PC's are as generic, widely accepted platforms and are not proprietary in any way (cept, the dell laptop).

I like MS, would love to work for them, but I still think sp2 HAS ISSUES AND i for one wil not be installing it on any of my systems for quite a while.