Guest Opinion

Can XP SP2 Protect Your Users?

Modify your applications so they run smoothly with Windows XP SP2, and better understand the issues that are motivating these changes in the OS.

You need to modify your applications to make sure they run smoothly with the new security restrictions of Windows XP Service Pack 2 (SP2). You might better understand the issues that are motivating these changes in the OS if you spent more time with unsuspecting end users like my 13-year-old niece Rachel. Recently, her Windows XP Home Edition booted but wouldn't display the Start button or desktop, and Explorer.exe wouldn't run at all. She suspected a virus but insisted the antivirus program was running "all the time, honest." Rachel was savvy enough to use Task Manager to run Internet Explorer and The Sims, but had to call me when her new cable ISP's support desk wouldn't troubleshoot her setup until Windows was running normally.

Ad-Aware uncovered plenty of spyware on her PC (she has a penchant for downloading games and music). A virus scan with updated definitions explained the persistent Windows Installer dialog box and repeated attempts to dial the Internet: It harbored two viruses and four trojans.

I opted for fdisk and a clean installation including SP2, Windows XP's big security update. However, I wondered if I'd have needed to do all this if SP2 had been installed already. Would Windows Firewall have prevented invasion, or would it have created a false sense of security? After all, Rachel was unknowingly inviting Trojan horses into her OS while downloading free games.

These days, Windows has so much stability that kids don't know what a "blue screen of death" is, but rogue programs can still take over. Whatever Microsoft's record on security is, hackers target the biggest player because it guarantees publicity and the bragging rights they crave. Besides, no matter how well you protect Fort Knox, a large enough army of well-armed, invisible attackers will find a weakness if given enough time. I suppose the Slashdot crew could argue that Microsoft, with all its billions, could develop a clairvoyance API to reveal the exploits the bad guys are conjuring up.

It irks me that Microsoft doesn't ship more pre-patched software, especially on its MSDN Subscriber Downloads site. We shouldn't have to install Windows XP original (complete with known defects) and immediately reinstall it with recompiled SP2 bits. We should be starting with Windows XP SP2. Dear Microsoft: Don't promise secure computing while letting me run a system with known vulnerabilities for even a second.

My own experience with a non-professional end user made me realize that Web sites I create need to be XP SP2-aware to avoid JavaScript "object not found" errors. I beta-tested SP2 for so long I stopped reading the messages in Internet Explorer's yellow warning band. Fortunately, IBM's Web page detected SP2 and explained why its ActiveX control couldn't scan her machine for updated drivers.

Microsoft's actions (or lack thereof) have caused many of us to eschew the use of ActiveX controls in IE and SP2. I now block all ActiveX controls. And that's saying something—I once was a finalist in a Microsoft "Activate the Internet" contest where incorporating dynamic ActiveX objects in Web pages was the entry requirement.

The ActiveX and scripting issues also remind me that developers need to consider the implications that Windows XP SP2 has on Web applications. For instance, be aware of SP2's new Local Machine Zone Lockdown settings. If your app hosts the IE browser control, then your app should adopt the same Registry security settings as IExplore.exe. Authors of e-mail or chat clients need to review the new CheckPolicy() and PromptUser() API calls in IAttachmentExecute. This will help protect users from executing malicious files. And you should tweak your JavaScript error handlers so that calls to window.open() deal gracefully with the Internet Explorer Popup Manager.
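One way to write the window.open() handling described above, as an added example that is not the author's code. The helper names `openPopup` and `showHelp`, the `notify` callback and the window features are hypothetical, and the example assumes a blocked call returns null, throws, or returns an already-closed window.

```javascript
// Added example: guarded popup opening for pages that may run behind a
// popup blocker. `win` is the browser's window object; it is passed in so the
// helper can also be exercised with a stub outside a browser.
function openPopup(win, url, name, features) {
  var child = null;
  try {
    child = win.open(url, name, features);
  } catch (e) {
    // Assumption: some blockers raise a script error instead of returning.
    return { opened: false, reason: "error", child: null };
  }
  // A suppressed popup yields no window reference at all.
  if (!child) {
    return { opened: false, reason: "blocked", child: null };
  }
  // Assumption: some blockers hand back a window that is already closed.
  if (child.closed) {
    return { opened: false, reason: "closed", child: null };
  }
  return { opened: true, reason: null, child: child };
}

// Caller: touch the child window only when it exists. Calling child.focus()
// on a null reference is what produces the script error the user sees.
function showHelp(win, url, notify) {
  var result = openPopup(win, url, "help", "width=400,height=300");
  if (result.opened) {
    if (typeof result.child.focus === "function") {
      result.child.focus();
    }
    return "popup";
  }
  // Degrade gracefully: tell the user how to reach the content.
  notify("Pop-up was blocked (" + result.reason + "). Open " + url + " directly.");
  return "fallback";
}
```

In a page, call `showHelp(window, "help.html", alert)` from a click handler, since popups opened by a direct user action are the ones a blocker is most likely to allow.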

I'm waiting to see how Rachel and her computer fare with XP SP2's enhanced security. I doubt she can resist adding a Web site to the trusted sites zone to get a free game. Now that I think of it, I'd better do a cold reset on my Windows Powered Smartphone. While I was cleaning her PC, she was having a lot of fun with a strange new game on that device.

About the Author

Ken Cox is a Canadian .NET programming writer and the author of "ASP.NET 3.5 for Dummies" (Wiley).
