Microsoft released Windows XP Service Pack 2 to the masses today after months of delay and mountains of hype. But don't think IT managers are chained to their desks feverishly working to install it across their networks.
Those asked said they'll carefully study the package on test computers to ensure compatibility with other programs before loading it onto every machine in their enterprise.
"At this point, we're still catching our breath after deploying the last XP release, so we're leery about taking on SP2 right now," said Kathleen Held, senior network support specialist for Great Lakes Gas Transmission Company in Troy, Mich. "But we do plan to aggressively test it to see if it fits with our group policy and interacts properly with other programs on the network."
Hype over SP2's added security muscle has risen steadily in recent months, and its release has been delayed several times. Information security experts said it'll be worth the wait and will go a long way in protecting computers against virus and worm attacks, spam and spyware. But given the enormity of the upgrade, they said Held's caution is prudent.
"My advice to IT managers is to check with their vendors and make sure there are no conflicts between the programs they have and SP2," said Russ Cooper, senior scientist for Herndon, Va.-based security firm TruSecure. "Make sure the vendors say 'yes, our applications work with SP2.'"
A 'significant step' toward better security
SP2 is designed to make Windows XP more ironclad against attackers who have successfully exploited its multiple security holes, most recently in the form of Sasser, Dowload.ject and new strains of Mydoom. Among its security enhancements, SP2:
- Turns on the Internet Connection Firewall (ICF) by default, closes ports except when they're in use and improves the firewall configuration interface.
- Recompiles core Windows components to make the OS more resilient to malware-induced buffer overruns.
- Arranges default settings in Outlook Express and Windows Messenger more securely.
- Improves Internet Explorer controls and user interfaces to block malicious ActiveX controls and spyware.
"Service Pack 2 is a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks," Microsoft Chairman Bill Gates said in a statement.
Microsoft has urged users to prepare for SP2's full release by turning on the Automatic Updates feature. The software giant expects to distribute SP2 to approximately 100 million PCs through Automatic Updates over the next two months. In the coming days, customers will also be able to order an SP2 CD from Microsoft free of charge. Microsoft will also offer versions of SP2 in 25 languages.
A long time coming
The wait for SP2 has been long. Its release was delayed several times as programmers worked to make sure the new security safeguards would be compatible with other popular applications. Most recently, the software release candidate was pushed back from May 12 to May 26. The release to manufacturing, originally planned for June, was pushed to July and then August. The release was delayed for more tweaking again last week, when Microsoft discovered SP2 breaks the company's own CRM applications. To address the problem, Microsoft then released a patch, likely to make configuration changes, prior to making SP2 generally available.
Bradley Dinerman, technical operations manager for Newton, Mass.-based IT management firm MIS Alliance Corp., believes SP2 will be worth the wait. "There's no doubt it significantly enhances security, both for the generic end user and the higher-level enterprise administrator," he said.
But if Dinerman's clients are any indication, Held isn't the only one eying SP2's release cautiously.
"I need to sell the concept of the service pack to my clients, typically small businesses, to justify its installation as well as the time needed to research whether or not it will impact their common applications," Dinerman said. "This latter point will be the greatest obstacle to its deployment. People are already hearing word that the service pack might break functionality of some client-server applications and this scares them. They know they supposedly need to stay up to date, yet the possible repercussions make it seem like a Catch-22."
In the end, Dinerman said, "I suspect we'll eventually sell all the clients on it, but it will take some work. In the meantime, we're looking into group policy as a deployment technique for our larger clients and will probably wait at least a few weeks after its official release date so we can first keep an ear to the ground about any problems it may cause. Hopefully, there won't need to be a SP2a to correct problems with the actual service pack."
Since SP2 marks the biggest Microsoft update in more than two years information security experts said any responsible IT manager should approach it with caution.
"Due diligence in testing will be critical," said David Gnall, technical architect for Windham, N.H.-based Internosis, which specializes in Microsoft-based IT services. "SP2 will give customers the handle on security they've been looking for, but there will be management issues."
Cooper agreed, saying, "Most people won't know what (SP2) is so it'll take awhile before you see it widely deployed."
Other safeguards still needed
Fred Felman, vice president of marketing for San Francisco-based security firm Zone Labs Inc., warned users not to ditch their current security safeguards on the belief SP2 will provide full security. SP2's firewall, for example, catches inbound sinister code, but not the outbound stuff, he said. Since untold numbers of computers have been infected with Trojans that hijack them to send out malicious code, "The firewall in SP2 won't be all you need," Felman said. "You'll still need your other firewall so that trouble is blocked from both sides." Like the others, Felman predicts enterprises will need time to work out compatibility issues between SP2 and their networks.
Security vendors have sought to assure their customers that their products are indeed compatible with the package, including Cupertino, Calif.-based firms Trend Micro Inc. and Symantec Corp.
"Integrating the detection and management of our antivirus security software into the operating system management console allows for more proactive protection for consumers," said Eva Chen, chief technology officer for Trend Micro. "Microsoft's efforts to work closely with leading security providers like us will ultimately help consumers reduce the burden on them to stay protected."