Microsoft took more than two years to develop Windows XP Service Pack 2 (SP2), delaying its release several times. In the meantime, attackers have had a ball poking through Windows' multiple security holes with virus and worm attacks, spam and spyware.
The software giant took an important step Friday when it released SP2 to manufacturing and promised the full release by month's end. Information security experts said it's worth the wait.
"There's no doubt it significantly enhances security, both for the generic end user and the higher-level enterprise administrator," said Bradley Dinerman, technical operations manager for Newton, Mass.-based IT management firm MIS Alliance Corp.
But they have no illusion the package will be installed on every enterprise network overnight; nor do they think it should be. Companies must test SP2 to see if it's compatible with other programs on their network and educate their users on all the new features.
"My advice to IT managers is to check with their vendors and make sure there are no conflicts between the programs they have and SP2," said Russ Cooper, senior scientist for Herndon, Va.-based security firm TruSecure. "Make sure the vendors say 'yes, our applications work with SP2.'"
SP2 is designed to make Windows XP more ironclad against attacks from the likes of Sasser, Dowload.ject and Mydoom. Its security features include turning on the Internet Connection Firewall (ICF) by default, closing ports except when they're in use and improving the firewall configuration interface. Other steps taken to improve security include recompiling core Windows components to make the OS more resilient to malware-induced buffer overruns and improving Internet Explorer controls and user interfaces to block malicious ActiveX controls and spyware.
SP2 has been delayed several times as programmers worked to make sure the new security safeguards wouldn't be incompatible with other popular applications. The release to manufacturing, originally planned for June, was pushed to July and then August. The release was delayed for more tweaking again last week, when Microsoft discovered SP2 breaks the company's own CRM applications. To address the problem, Microsoft then released a patch, likely to make configuration changes, prior to making SP2 generally available.
IT managers say they're in no rush.
"At this point, we're still catching our breath after deploying the last XP release, so we're leery about taking on SP2 right now," said Kathleen Held, senior network support specialist for Great Lakes Gas Transmission Company in Troy, Mich. "But we do plan to aggressively test it to see if it fits with our group policy and interacts properly with other programs on the network."
Meanwhile, security vendors are worried users will get the impression SP2 offers full security and ditch their other safeguards. Fred Felman, vice president of marketing for San Francisco-based security firm Zone Labs Inc., noted that SP2's firewall catches inbound sinister code, but not the outbound stuff.
Since untold numbers of computers have been infected with Trojan horses that hijack them to send out malicious code, "The firewall in SP2 won't be all you need," Felman said. "You'll still need your other firewall so that trouble is blocked from both sides."