After almost a year in the making, Microsoft Corp. has announced the availability of Windows XP Service Pack 2 (SP2). While the anticipated upgrade is intended to address enterprise concerns surrounding XP’s security, the Redmond, Wash.-based software firm is allowing users to disable installation of SP2 until they are ready to deal with the multitude of installation issues it brings.
Windows XP Service Pack 2 is Microsoft’s response to concerns over security that have hovered over the company’s flagship operating system, particularly in the aftermath of last year’s MS Blast worm. Microsoft has admitted that developing the XP service pack has pushed the timetable back for upcoming technologies, most notably development on the Longhorn OS.
Microsoft execs said SP2 is the Redmond, Wash.-based firm’s biggest free update to Windows yet. According to Elliot Katz, senior product manager for Microsoft Windows with Microsoft Canada in Mississauga, Ont., the “critical” SP update is intended to boost XP’s security by improving the security configuration features.
Among the new enhancements are an improved version of Windows Internet Connection Firewall, now named the Windows Firewall; a new, user-friendly interface for managing security settings; and improved features for detecting and blocking malicious content downloaded from Web sites.
Leigh Popov said the Credit Valley Hospital is testing SP2 before fully implementing it.
So far the Mississauga-based hospital has had no major issues, other than programs such as Internet Explorer running a few seconds slower, said Popov, the hospital’s manager of technical services and telecommunications.
The update will initially be available via Microsoft’s automatic update Internet feature. Katz noted that IT managers can also download the service pack from Microsoft’s Web site. Users can prevent the installation of SP2 while permitting the installation of all other automatic OS updates, Katz said.
The idea behind it is that smaller organizations may find that the update process overwhelms their resources, whether download bandwidth or the time needed for technical staff to manage the potential fallout of a massive OS update.
In the Technet section of its site, Microsoft said that “some organizations have requested the ability to temporarily disable delivery of this update via AU (automatic update) and WU (Windows update)…these customers would like to temporarily block the delivery of SP2 in order to provide additional time for validation and testing of the update.” The move follows IBM Corp.’s instruction to its employees not to install SP2.
Microsoft released a network installation package to help IT professionals update multiple computers on a network. The company has also published a list of nearly 50 applications that may not work correctly after installing SP2. The list on Microsoft’s Web site includes developer and backup tools, antivirus software and an FTP client.
But almost as soon as SP2 launched came reports of potential security flaws. Security researchers inspecting a new update to Microsoft Corp.’s Windows XP found two software flaws that could allow virus writers and malicious hackers to sidestep new security features in the operating system.
German Internet security portal Heise Security published a security bulletin, dated Aug. 13, describing two holes in the Windows XP Service Pack 2 (SP2) and warning users about running programs from untrusted Internet sites. The flaws could allow virus writers to circumvent the security feature and write worms that spread on XP SP2 systems, according to the bulletin. However, the researcher who discovered the holes said he does not consider the flaws to be serious and he still recommends installing SP2.
Microsoft is investigating the reports of a method to bypass what it calls the Attachment Execution Services in Windows XP SP2, but was not aware of any way for an attacker to use the flaws reported by Heise Security to gain access to a Windows machine, a spokesperson said.