XP SP2 here soon?

Well, well, well. Microsoft has removed the beta versions of Service Pack 2 for Windows XP from its Web site.

The note on the site says they’ve been removed to make way for the final release. That must mean that Neowin.net was right in its report that the service pack will be released very soon. The specific dates they reported were August 4, for automatic downloads, with manual downloads available on Thursday and files on Windows Update around August 25.

I’ve been using various test builds of SP2 for roughly a year, and I recommend it highly. It goes a long, long way to repairing the major security issues that have plagued Windows in recent years.

If you have any feedback on SP2, send me a note. Unless you specifically request that I keep your message private, I’ll consider the contents of any messages eligible for publication here.

Should pirates get SP2?

I bookmarked this column by Bruce Schneier some time ago but am just getting around to discussing it here. It’s titled “Microsoft’s actions speak louder than words”:

Initial news stories reported that Microsoft would make this upgrade available to all XP users, both licensed and unlicensed. To me, this was a smart move on Microsoft’s part. Think about all the ways the company would benefit. Licensed users would be more secure and happier. Worms that attack Microsoft products would be less virulent, so Microsoft wouldn’t look as bad in the press. Microsoft would win, its customers would win and the Internet would win. It’s the kind of marketing move about which best-selling books are written.

Then Microsoft said the initial comments were wrong; SP2 would not run on pirated copies of XP. Only legal copies of the software could be secured. This is the wrong decision, for all the same reasons that the initial decision was the correct one.

[…]

This decision, more than anything else Microsoft has said or done in the past few years, proves to me that security is not the company’s first priority. Here was a chance for Microsoft to do the right thing: to put security ahead of profits. Here was a chance to look good in the press and improve security for all its users worldwide. Microsoft says that improving security is the most important thing, but its actions prove otherwise.

Well, I agree, mostly. It would be nice if SP2 were available for everyone, in the interests of making the Internet at large a safer place.

But I think this may be a bit of a red herring, too. The block affects what I suspect is a very small group of people who are running truly pirated copies of Windows XP. These copies are downloaded from warez sites and use product keys that were originally intended for use on volume-licensed copies. The block does not apply to copies that were sold through gray-market channels, or to those where someone has activated an extra copy or two. Technically, those are pirated copies as well, but they will have no trouble upgrading to SP2.

Schneier hints at the reality underlying all this: Anyone running one of these specific pirated versions of Windows XP knows full well their copy is illegal. They get reminded of it every time they try to download an update. And I suspect that the overwhelming majority of people who run one of these pirated copies will be able to find a “cracked” version of SP2 at the same place they got their original CD.

I would be curious to see whether one of these volume-licensed copies of Windows XP will be upgradable to SP2 using a CD or a separate download. I don’t have a pirated copy of Windows XP to test with, however.

Security hysteria

The mainstream media is going nuts over a new security warning. Probably the worst reaction came from Dan Gillmor of the San Jose Mercury-News, who is one of the most reasonable people in the world until he hears the word “Microsoft.” In “Yet More Microsoft Insecurity Outrages,” he quotes a BBC News story that claims: “Users are being told to avoid using Internet Explorer until Microsoft patches a serious security hole in it.”

Then he adds:

How many billions of dollars of damage is Microsoft’s inadequately secure software causing every year? Why is the company not liable for any of its nonfeasance?

Where are the trial lawyers on this one? I don’t get it.

Oh yeah. That’s what we need. More lawyers. Sheesh.

Read Microsoft’s official warning on this issue. If you use Windows XP, consider installing Windows XP Service Pack 2, which is available as a very stable Release Candidate beta. I can confirm from personal testing that it blocks this type of exploit effectively.

Update your antivirus software. Trend Micro’s PC-Cillin (my favorite) protects against this exploit. So does Norton AntiVirus. So, I presume, does just about every other maker of antivirus software. If your virus definitions are up to date, you’re protected. If they’re not, well, you’re vulnerable to this and many other attacks.

If you run a Web server using Windows 2000 and IIS, install the latest patches. This exploit depends on Web servers that are running without the proper attention to security.

If you don’t think Microsoft can handle security, you have lots of alternatives, starting with Mozilla and ending with Linux. But please, don’t start talking about lawsuits and lawyers. Class action suits make lawyers richer. They won’t make you safer. Not one bit.