Guest Opinion

Can XP SP2 Protect Your Users?

Modify your applications so they run smoothly with Windows XP SP2, and better understand the issues that are motivating these changes in the OS.

• By Ken Cox
• 10/01/2004

You need to modify your applications to make sure they run smoothly with the new security restrictions of Windows XP Service Pack 2 (SP2). You might better understand the issues that are motivating these changes in the OS if you spent more time with unsuspecting end users like my 13-year-old niece Rachel. Recently, her Windows XP Home Edition booted but wouldn't display the Start button or desktop, and Explorer.exe wouldn't run at all. She suspected a virus but insisted the antivirus program was running "all the time, honest." Rachel was savvy enough to use Task Manager to run Internet Explorer and The Sims, but had to call me when her new cable ISP's support desk wouldn't troubleshoot her setup until Windows was running normally.

Ad-Aware uncovered plenty of spyware on her PC (she has a penchant for downloading games and music). A virus scan with updated definitions explained the persistent Windows Installer dialog box and repeated attempts to dial the Internet: It harbored two viruses and four trojans.

I opted for fdisk and a clean installation including SP2, Windows XP's big security update. However, I wondered if I'd have needed to do all this if SP2 had been installed already. Would Windows Firewall have prevented invasion, or would it have created a false sense of security? After all, Rachel was unknowingly inviting Trojan horses into her OS while downloading free games.

These days, Windows has so much stability that kids don't know what a "blue screen of death" is, but rogue programs can still take over. Whatever Microsoft's record on security is, hackers target the biggest player because it guarantees publicity and the bragging rights they crave. Besides, no matter how well you protect Fort Knox, a large enough army of well-armed, invisible attackers will find a weakness if given enough time. I suppose the Slashdot crew could argue that Microsoft, with all its billions, could develop a clairvoyance API to reveal the exploits the bad guys are conjuring up.

It irks me that Microsoft doesn't ship more pre-patched software, especially on its MSDN Subscriber Downloads site. We shouldn't have to install Windows XP original (complete with known defects) and immediately reinstall it with recompiled SP2 bits. We should be starting with Windows XP SP2. Dear Microsoft: Don't promise secure computing while letting me run a system with known vulnerabilities for even a second.

My own experience with a non-professional end user made me realize that Web sites I create need to be XP SP2-aware to avoid JavaScript "object not found" errors. I beta-tested SP2 for so long I stopped reading the messages in Internet Explorer's yellow warning band. Fortunately, IBM's Web page detected SP2 and explained why its ActiveX control couldn't scan her machine for updated drivers.

Microsoft's actions (or lack thereof) have caused many of us to eschew the use of ActiveX controls in IE and SP2. I now block all ActiveX controls. And that's saying something—I once was a finalist in a Microsoft "Activate the Internet" contest where incorporating dynamic ActiveX objects in Web pages was the entry requirement.

The ActiveX and scripting issues also remind me that developers need to consider the implications that Windows XP SP2 has on Web applications. For instance, be aware of SP2's new Local Machine Zone Lockdown settings. If your app hosts the IE browser control, then your app should adopt the same Registry security settings as IExplore.exe. Authors of e-mail or chat clients need to review the new CheckPolicy() and PromptUser() API calls in IAttachmentExecute. This will help protect users from executing malicious files. And you should tweak your JavaScript error handlers so that calls to window.open() deal gracefully with the Internet Explorer Popup Manager.

I'm waiting to see how Rachel and her computer fare with XP SP2's enhanced security. I doubt she can resist adding a Web site to the trusted sites zone to get a free game. Now that I think of it, I'd better do a cold reset on my Windows Powered Smartphone. While I was cleaning her PC, she was having a lot of fun with a strange new game on that device.