XP SP3 in 2008?

Neowin reports that the Windows Service Pack Road Map has been quietly updated. Service Pack 3 for Windows XP Home and Professional is now planned for release in the first half of 2008, nearly four years after Service Pack 2.

Crap. That’s an awful lot of roll-ups and individual patches for Windows XP users to have to deal with.

Mary Jo Foley says out loud what you’re probably thinking:

There’s no doubt that some (many?) Microsoft customers will see the latest slip as a less-than-subtle attempt by Microsoft to force them to upgrade to the latest versions of Windows that are coming down the pike. Why stick with an operating system that hasn’t gotten a full-fledged set of bug fixes and updates for two-plus years? Why not just make the move to Vista and Longhorn Server?

I think this is a sign that Microsoft’s development resources are stretched awfully thin.

SP2-phobic? Then circle October 10 on your calendar

Mary Jo Foley points out that support for Windows XP SP1 ends October 10.

SP2 has been out for more than two years. It’s been installed on hundreds of millions of computers. If there’s an issue that’s keeping you from installing it, there’s undoubtedly a solution.

Frankly, I can’t imagine why someone would insist on running an outdated, demonstrably insecure version of Windows. If you’re still resisting SP2, please tell me why. (And “I tried to install it and it crashed my system” isn’t good enough. If that’s true, there’s almost certainly a specific incompatibility that you can troubleshoot and fix.)

One more service pack for XP

CNET News.com says that a spokesman for Microsoft France has confirmed that Service Pack 3 will appear sometime after Windows Vista ships next year:

Windows XP SP3 will be available sometime next year–after the launch of Windows Vista, which “is the priority for the development teams,” according to Microsoft France.

Microsoft has yet to reveal details about the contents of the service pack. Laurent Delaporte of Microsoft France said: “Historically, certain functions of new versions of Windows are integrated in the service packs of previous versions.”

Intriguing. Wonder how many Vista features can be ported backwards?

Dear Microsoft, why not sell Starter Edition everywhere?

I originally wrote this post about six months ago and never published it. Given the current discussion about different editions of Windows Vista, and especially the contention from Robert McLaws that Microsoft still hasn’t decided on the product mix for Windows Vista, I thought it made sense to update it.

The Internet has a big problem: People continue to use old, insecure versions of Windows. I can’t find any up-to-date statistics, but my WAG is that between 10 and 20% of people on the Internet today are running operating systems from the Windows 9X family. These old computers are less reliable and far less secure than they would be if they were running Windows XP, and they aren’t able to install many modern programs.

Why don’t these people upgrade? Because upgrading is expensive. The upgrade package is $90-100 if you’re a good shopper. A new PC is going to run between $400 and $500. That’s a lot of money for people who are on a fixed income or who are struggling to make ends meet.

Microsoft already has a solution: Windows XP Starter Edition. It was designed for use in emerging markets where the average annual income can’t justify the cost of a full Windows XP license. First released in Thailand, Malaysia, and Indonesia, it soon spread to Russia, India, and Brazil, and it’s now available in 22 countries and in six languages. (There are some interesting details in this article from Microsoft Watch and a very Microsoft-friendly profile, with screen shots, at Paul Thurrott’s site.)

Well, we have plenty of people in this country who can’t afford the cost of a new PC or an expensive upgrade. But they might pay $30, especially if they got some bonuses kicked in with the deal, like a six-month subscription to Microsoft’s OneCare security software, or a limited version of MSN.

Would Starter Edition cannibalize sales of existing Windows versions? I don’t think so. The operating system has some serious limitations that would rule out its use by any computer enthusiast:

  • Only three programs run at a time. (Hey… You can’t reliably run more than a handful of programs on Windows 9X anyway.)
  • The display runs only at 800 x 600 resolution. Most people who are stuck with old hardware and an old version of Windows are probably running at this resolution anyway.
  • No home networking or multiple user accounts.
  • Settings are preconfigured for novices.

But think of the serious advantages. Upgraders would have all the security fixes of Service Pack 2. They’d be able to run IE7 when it’s available later this year. They could run Windows AntiSpyware. They’d have an easier time with digital cameras and portable music players.

So why not make Windows XP Starter Edition (and the Windows Vista equivalent, when its time comes) available here? Sell it for $29.99. Make it available only as an upgrade to Windows 98 or Windows Me. Maybe the Bill and Melinda Gates Foundation could set up a program with clinics in low-income neighborhoods that could offer upgrade services or low-cost, Starter Edition-powered computers for families with school-age kids and seniors.

I suggested this back in January, but the more I think about the idea, the more I like it. Windows 98 and Windows Me are long overdue for retirement, and a move like this would help make the Internet a better, safer place.

Yet another reason to install SP2

In the comments to an earlier post, someone noted a screen shot of an ActiveX dialog box that included the “Always trust content from this company” option. He asked the obvious question: Why isn’t there a “Never trust content…” option?

Short answer: There is. But only if you’re running the latest Windows version.

If you’ve installed Windows XP Service Pack 2, you’ll find that the wording in this dialog box has been changed to specifically refer to installing software rather than the confusing “trust content” wording. Here’s what the new dialog box looks like; note that you first have to click the Information Bar to display this dialog box and then you have to click a More Options button to see these settings:

[Screenshot: Never_install]

We noted this important change in Windows XP Inside Out, Second Edition (and the larger Windows XP Inside Out Deluxe, Second Edition), both of which cover SP2 thoroughly:

In earlier versions of Windows XP, the dialog box used with signed downloads included a check box that allowed you to specify that you always trusted the publisher using that certificate. By selecting this check box, you could automatically install future downloads from your favorite publishers without having to see the Security Warning dialog box every time.

Windows XP SP2 adds the counterpart to that feature—a check box that lets you identify a publisher as untrusted. If you determine that a particular company’s widely distributed ActiveX controls and programs don’t belong on your computer, you can designate that publisher as untrusted, and no user of your computer will be able to install software that uses that publisher’s digital certificate.

If you haven’t installed SP2 yet, this is yet another reason to do so. If you’re holding off because you’ve heard bad things about SP2, please do some more reading starting here. SP2 is quite safe and reliable, and the few known issues are relatively easy to deal with.

Is that Internet Explorer add-on safe?

Internet Explorer supports all sorts of add-ons and extensions. The most popular are Browser Helper Objects (BHOs), browser extensions, and toolbars. If you run Windows XP Service Pack 2, you can view a list of all installed add-ons by choosing Tools, Manage Add-ons. From this dialog box you can enable, disable, or update anything on the list.

So how do you tell which add-ons are good and which ones are evil? Start at the CastleCops Master BHO and Toolbar List. The list is currently at 1609 entries and does an excellent job of sorting the good, the bad, and the ugly.
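As an added example (not code from the original post), here is a PowerShell script that inventories the registered BHOs with their DLL path and Authenticode signer, so each entry can be checked against a list like the one above. It assumes Windows PowerShell on a machine with Internet Explorer; the registry keys used are the standard BHO and COM class registration locations.

```powershell
# Added example (not from the original post): inventory the Browser Helper Objects (BHOs)
# registered on this PC and resolve each CLSID to its name, DLL path and Authenticode
# signer, so each entry can be checked against a reference list such as CastleCops'.
# Assumes Windows PowerShell on a machine with Internet Explorer; the registry
# locations below are the standard BHO and COM class registration keys.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows registers its BHOs under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObjects {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid    = $entry.PSChildName
            # The BHO key only lists a CLSID; its name and DLL live under HKCR\CLSID\{...}
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsidKey\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

            # A missing DLL, or one that is unsigned or fails signature validation, deserves a closer look
            $status = 'DllMissing'; $signer = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            New-Object PSObject -Property @{
                CLSID  = $clsid
                Name   = $name
                Dll    = $dll
                Status = $status   # Valid, NotSigned, HashMismatch, ... or DllMissing
                Signer = $signer
            }
        }
    }
}

Get-BrowserHelperObjects | Format-Table CLSID, Name, Status, Signer, Dll -AutoSize
```

Entries whose DLL is missing, unsigned, or signed by a publisher you do not recognize are the ones to look up before deciding whether to disable them in Manage Add-ons.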

How long will you survive without SP2?

The folks at Techweb claim that without SP2 or a third-party firewall, your computer will fall to hacker bots in just four minutes:

AvanteGarde deployed half a dozen systems in “honeypot” style, using default security settings. It then analyzed the machines’ performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet.

The six machines were equipped with Microsoft Windows Small Business Server 2003, Microsoft Windows XP Service Pack 1 (SP1), Microsoft Windows XP SP1 with the free ZoneAlarm personal firewall, Microsoft Windows XP SP2, Macintosh OS X 10.3.5, and Linspire’s distribution of Linux.

Not surprisingly, Windows XP SP1 sans third-party firewall had the poorest showing.

“In some instances, someone had taken complete control of the machine in as little as 30 seconds,” said Marcus Colombano, a partner with AvanteGarde, and, along with former hacker Kevin Mitnick, a co-investigator in the experiment. “The average was just four minutes. Think about that. Plug in a new PC–and many are still sold with Windows XP SP1–to a DSL line, go get a cup of coffee, and come back to find your machine has been taken over.”

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.

Still waiting for more proof?

I’ll say it again: Tens of millions of computers are running SP2 successfully. If you try to install it and you have problems, that means you have an issue with your hardware or your software. In either case, it should be relatively easy to find and fix. That won’t be the case if your machine is compromised by a worm, a virus, or a virulent piece of spyware.

One “so-so” verdict on SP2

Michael Froomkin installs SP2 (partially on the strength of my say-so), and says, So Far, So-So.

The results are mixed. The laptop seems a little slower, especially on boot up. And one other change I made at the same time is not working out at all well. Having read all this tech advice about XP, I saw that there was a strong consensus that I shouldn’t ordinarily be logged in as an “administrator” but should be operating as a “limited” account to prevent anything untoward taking over my PC.

Well, OK, I’m a very obedient guy when it comes to computer security (unlike most of the rest of my life), so I create a “root” account, make it an administrator and change my usual account to “limited” status. But now when I try to turn off the computer, both Explorer and the “Power Meter” hang. This doesn’t seem to happen when I am running solely as “root.” All I can say is … harumph.

As a general rule, I recommend making one change at a time when reconfiguring a system. That makes it easier to identify the source of a problem.

In this case, the problem is running as a limited user, which is a fabulous idea in theory but, unfortunately, problematic in practice with Windows XP. Linux boxes manage the concept of segregating root vs. user well. Windows currently does not. If all you use is Office and other modern programs installed using the latest version of the Windows Installer, then you’ll do just fine. But I suspect that Prof. Froomkin has one or more programs on his computer that don’t play by the rules. (I’ve made my feelings on the subject known in this post.)

So, bottom line, run as an Admin under Windows XP and concentrate your security efforts elsewhere.

For some excellent (albeit somewhat dense) reading on this subject, see this article by Michael Howard and this one by Dana Epp, both of whom are as authoritative as you can get on the subject.

Update: In a follow-up comment, Hellsbellboy points out Tim Anderson’s excellent post on the subject (you can read it here). Tim does argue that most Windows users should try to run with limited rights. However, his main point (I think – it’s a pretty opaque post!) is that Microsoft’s developers should be forced to run with limited rights so that they can learn about what it means to run in this mode and code accordingly.

Prof. Froomkin also wonders why Microsoft didn’t fix this in SP2. The problem is that this is a basic part of the architecture of Windows, and it’s based on the way that applications interact with the OS. If all your applications follow the rules, then you can indeed run using a limited account. But there are way too many non-compliant applications out there, and the operating system doesn’t have a graceful way to prevent them from assuming that you’re running as an administrator.

This change in architecture is a key part of the design for the next version of Windows, code-named Longhorn. And I repeat that you can run with a limited account if you are willing to get rid of applications that don’t play by the rules. In fact, doing so will probably make your system more reliable and secure, at the cost of losing access to a program or two. It shouldn’t be that difficult, but it is.

Will you puh-leeze install SP2?

Larry Seltzer of eWeek is one of my favorite columnists. His column this week is another gem: So Now Will You Install SP2?

Whatever excuses you had just aren’t good enough anymore. The problems without SP2 far exceed those from installing it. …

For a very long, long time now, long before SP2 was released, it’s been known that as a direct result of solving security problems in Windows it would cause application problems. Microsoft released several test versions of the service pack—and large customers get access to more than just the milestone betas and release candidates—to help developers and users adapt to the new platform. …

This has been going on for over a year now. … And yet people are still resisting installing it, and generally for the same reason: They are worried that their programs won’t work.

A study by SupportSoft, a software vendor, shows that IT managers are still worried about the impact to their applications. Seventy-three percent of them say this is their biggest concern about SP2. Fifty percent of them expect problems that will disrupt their businesses as a result of the migration.

Sorry buddy, but if your program won’t work it’s probably because there was a problem in it. Most of the application problems I’ve seen are as a result of shady window management techniques in Web applications. There are lots of other reasons a program might fail, and for most of them the proper response is to change the behavior of the application. There were reports early on of large numbers of machines crashing after installing SP2, but it turned out that this typically happened to systems already infected with spyware or adware.

Exactly. I have stopped being amused by people who complain that they have to clean spyware off their computers several times a week but refuse to install SP2 because it might cause some unspecified problem. The significant problems with SP2 are well documented and easy to fix. If your system crashes or hangs when you install SP2, the problem is with your computer, and you should fix it.

SP2 woes? Don’t give up

In the Seattle P-I, Dan Richman has written a well-balanced piece on SP2, “Microsoft’s SP2: A fix that derails some computers.” I’d say the single most important sentence in the story is this piece of advice:

Don’t give up. The protection it offers is worth the pain it may cause.

On a healthy PC, SP2 should install quickly and without incident. In unbiased surveys, I’ve seen indications that more than 90% of the people who install SP2 have no issues at all, and my personal experience matches that figure. If you’re experiencing problems with SP2, those are warning signs that something is wrong with your computer. If you ignore those signs and just decide to deal with them by uninstalling SP2, your PC is a ticking time bomb. A far better strategy is to find out what the problem is and fix it.

If you’ve successfully installed SP2 and you want more information about how to work with it, consider picking up a copy of Windows XP Inside Out, Second Edition. If you’re an IT professional or you work with corporate networks, pick up the Deluxe Edition. Carl Siechert, Craig Stinson, and I worked with SP2 throughout the beta testing cycle and have lots of good information on how it works and how to work with it.