This document focuses on the changes in Windows XP Service Pack 2 and its implications for developers. Examples and details are provided for several of the technologies that are experiencing the biggest changes. Future versions of this document will cover all new and changed technologies.


This article says that XP SP2 will utilize hardware memory protection and will not allow code to execute in stack and heap segments. But ATL is using windows thunks (“atlbase.h”) which are exactly that: code in the heap segment. Furthermore, the code is inline so simply updating atl.dll will not fix the problem. Does this mean that all current applications will stop working?
A nice way to shut off bloat ware like mozilla, staroffice
Xp has an application compatiblity layer.
There has been press for months about the updates included in XP SP2. Microsoft released docs on MSDN a while ago detailing some of the planned changes. Other than the addition of multi-session RDP to better handle Smart Displays, the main additions to the SP are to further strengthen security. It’s why they delayed the SP in the first place.
I am not here meant to attach anyone. But i am really frustrated by some people who always attach Microsoft. I really do not understand what is the reason behind.
No doubt that microsoft make some mistakes, but they also did great things. It is unfair that we always critize them without really looking into the real issues.
By the way, i am not pro-microsoft or bias towards linux
I am using Linux now. only linux in my PC.
I did not moderate it down, but I can understand why it happened. The statement you made was so silly that someone perceived it as merely flamebait.. I would not say you confused stable and bloat. I would say you confused capable and bloat. If you want a simple install that only has about as much as Windows, look at Mandrake Discovery. Most Linux distos have much more capability and choice of applications than Windows. That is a good thing.
Slapstick said: “I don’t want to run “write once run anywhere” Linux crapware on my Windows XP.”
Unfortunately for Slapstick, Java came from Sun not Linux so Slapstick will have to wait until the Linux community can convince Sun to stop making Java. It is a shame people have to say false statements just to start a fight. Why didn’t Slapstick just say that Java sucks or something.
As for the Service Pack, I certainly hope Microsoft fixes some security issues. Can not complain about better security.
the crowd i hang out with uses xp for games.
that’s it.
they apply the patch for msblast/welchia, disable over a dozen services(including workstation/server), disable the stupid primary colors gui(and fade effect), system restore, remote login, remote help etc etc etc.
nuke iexplore.exe and outlook
you end up with a fast, stable and damn near impervious(for windows) system.
I remember laughing the first time I looked at the remote attack surface of windows 2000 and XP. I could have told you MSBlaster and Nachi were on the way within 5 minutes of installing WIndows 2000 for the first time. They dropped the ball when failing to audit the remote attack surface of an OS for end users. If an end user is goiung to run a virus on the PC I admit the difficulty in preventing that, but there is no excuse for the number of services that are in listening state by default on Windows XP. Anyway, reading this document it looks like they are taking some valid steps in the right direction. I know what it’s like working for a large company and I am sure there when the UI groups wanted all this crap on by default there were groups of engineers at MS yelling “you gotta be F*ck’n kidding!”. It is a security vs functionality battle they obviously lost. I would just like to say to MS from that group of Enginers: “I TOLD YOU SO!!” And I would like to extend a special thanks to those geeks at MS for making my life just a little bit easier.
Yes functionality versus Security is a balance. Technically windows by default aint secure but not saying it can’t be made to be pretty secure you know. Why does it have to be the OS’s job to have firewall enabled? I dont get that. Mandrake doesnt by default, unless you set security to high which they dont reccommend unless you run a server. Yet no one was complaining then. Also half the the virus and bugs had patchs which most users just didnt install.
So to be fair MS has some bad security options at times, especially with their IE-OE programs. However, at the same time a lot of problems are just end user. Oh well, just keep updating folks, something that we will never avoid whether linux or windows.
They included a tool to view, manage, and block internet explorer add-ons. This is a good idea since makes for some of the hardest spyware to locate, hyjackthis is currently the only app I know of that will do this. MS has this to say about it:
“Windows Error Reporting data has shown that add-ons are a major cause of stability issues in Internet Explorer. These add-ons significantly affect the reliability of Internet Explorer. These add-ons can also pose a security risk, because they can contain malicious and unknown code.”
Other features include popup-blocking (with deny/allow list), window restrictions for popups (no more full screen or invisible popups), was more functionality with ICF, and execution protection preventing many types of buffer overruns (e.g non executable stack).
In reply to Josh:
The types of people running Mandrake are not the same as the ones running default installs of XP Home. I know people that have been using PC’s for longer than I have that still don’t know how to download or install a setup.exe, you simply cannot expect these people to securely administer their operating systems. They just want to surf porn and send email, why interrupt the utopia with system administration?
Good Point. I would like however, people to become educated in being able to secure their own computer. Sure the user wants it setup and done, but you cant reap without Sowing 😉 and so I think it really is inevitable for someone to know about computers. Heh heh, but then again there would be a job loss for those that get money fixing/cleaning peoples systems. Maybe its better they dont know. lol.
You moderated down a comment that was factual, included reference links, and followed every one of your so-called “terms”.
So just how much money does Microsoft pay you?
There really can be no other reason as to why you erase all the messages that in the smallest way bring to bear an iota of criticism against Microsoft.
I am not a Windows user, however, any move by Microsoft to bring better security forward is a good one. Btw, regarding support for application effected, there is NOTHING stopping third party vendors from getting the beta versions of the Windows XP SP2 and test their applications with it.
There is one thing I hate more than buggy applications and that is whining software vendors who don’t mind taking $400 off you for a piece of software but they whine when they might just have to re-invest a bit of that money back into the product to produce service packs and make their application compatible with new service pack releases.
As for anti-virus software, could these companies out there realise that their software isn’t the focal point of the user. The user just wants to install it and be done. The end user doesn’t want a huge memory hogging, mega-bloated “web interface” rubbish.
Talk to the number of end users who have installed anti-virus software only to find that their perfectly working system is now crashing and running slower than usual. Can you blame the end user for being hesitant about installing so-called “firewalls” and “anti-virus”.
The one I push ahead of Symantec and McAfee is Kaspersky. Basic interface, stable, reliable and non-bloated interface. Once you have run it once, you’ll want to covert everyone to it.
“But i am really frustrated by some people who always attach Microsoft. I really do not understand what is the reason behind.”
It’s quite simple really. In this day and age when you can’t even step outside your door or turn on your tv or log on to the internet without having the Windows and Microsoft logos in your face. And then you come here have Microsoft loyalists telling you that OS X, Linux, BSD and everything else besides Windows sucks (and simulataneously bitching about “Linux zealots”). Then you factor in the healthy breeding ground for worms that Windows is while at the same time pondering Microsoft’s shady business practices, and when you sum it all up, you can see where Microsoft might have earned all this bad feeling and negative attention it’s getting.
Can someone shed light on this topic?
Page 64 and following state that NX is available only on processors with support for that. Athlon8 and Itanium are mentioned.
However, I always thought that this kind of memory protection has been in ia32 ever since. I do remember a book (something like “operating system principles”) that stated:
– “modern” (yeah, it was an older book!) 32-bit OS mark pages in the adresse space as either write, execute or read
– so code pages can only be executed, data pages be r/w and you can even have read-only pages for constants or the like
– as this is achieved by setting the corresponding bits in the descriptor, applications on a priviledge level less than 0 cannot do anything against that!
– to allow the operating system doing modifications (when loading a library for example you have to write to that code page) a technique called “aliasing” is used, where the OS creates another descriptor for the same page that allows write access (of course, that descriptor is not published to the application process)
Well, I understood all these explanations and I always thought the ia32 was a pretty well design, however today´s Operating Systems like Windows and Linux do not use (for whatever reason) the access bits in the descriptors (or is it a selector I am talking about?).
So why are technologies like NX oder OpenBSD´s “w^x” considered new and challenging to implement?
Could someone try to explain to me what I missed?
Thanks alot!
Rugbuz
So why are technologies like NX oder OpenBSD´s “w^x” considered new and challenging to implement?
There is a performance penalty for architectures without that particular feature built in. Microsoft most likely made the judgement that the price of the performance hit was too high and decided not to cause a “back lash” from the fps toating pc fanboys.
Just finished going over the ICF stuff and this really bothers me:
Why have the application prompt the user for conset before calling the various INetFwV4AuthorizedApplication functioms. If any prompting should be done the OS should handle it because there does not seem to be a way of validating that the application did prompt the user and the user did conset.
“the crowd i hang out with uses xp for games. that’s it.”
So I guess that’s why you remain primarily booted in Windows 99% of the time then?
(Sorry, I just couldn’t resist)
On the x86, you have two means of memory management: segmentation and paging. Most modern OS’s use paging, because it’s simple and all CPUs support it. On x86, each page has 2 bits for access control – one for read, and one for write/execute. So if an x86 OS only uses paging for memory management, any portion of memory that is writable is executable.
x86 also supports segmentation for memory management. Segmentation got a bad name in the 16 bit days because each segment was limited to 64k in size. But on 32 bit chips, segments can be 4 gigs in size. Segment descriptors have seperate bits to control write access and execute access. So if an OS used segmentation for memory management, you could mark portions of memory as non-executable.
Thanks Ed.
All modern OSs use paging don’t they?
So thats why the new use of NX in XP SP2 requires an AMD64 or IA64. I’ll probably be upgrading sometime next year anyway.
First off…..I would have to say its 99% of the time Linux/BSD/OSX people bashing MS.
And second I think you see the most virus activity for windows becuase it has most of the user base. If Linux/BSD/OSX ever have the same market share on the desktop I think there will be just as many viruses surfacing as you see on a MS platform. What are you going to do then….go back to MS and bash other OS’s
Get a clue man/.