Source: CSO

Service Pack 2 Blues

The security upgrade that reinforces Microsoft's market dominance

September 08, 2004 CSO — Windows XP Service Pack 2 is Microsoft's biggest, most expensive patch in history: a billion-dollar, two-gig piece of risk mitigation.

But for all of Microsoft's efforts at figuring out how to secure its products, the folks in Redmond don't seem to have invested much in the logistics of getting that enhanced security out to users. Then again, why would they? If Microsoft is the market-dominating center of the universe, we revolve around it, not the other way around.

How has Microsoft flubbed the execution of SP2's release? First, consider the size of the patch. It is essentially a new version of the operating system, yet it was available through Windows automatic update services. How many companies want their thousands of clients detecting an update and downloading it when it's this big and this complex? Not many. They want to do serious regression testing.

So when automatic update services started downloading SP2 and then breaking other applications, those pesky customers demanded that Microsoft do something it never anticipated would be necessary: shut off the automatic updating services.

From a CISO's perspective, a series of smaller patches, each steeled against other applications and released over time, probably would have worked better than an omnibus upgrade. From Microsoft's perspective, though, iterative upgrades would have been more complex and taken more time and required more coordination and effort. So guess who wins that battle?

Nor did the company seem concerned about third-party apps at all. Else, why would SP2 break at least 50 different vendors' applications?

Then there was the laughably bad timing of the release (after a one-week delay), as millions of students returned to college. University CISOs were sent into a tizzy, some blocking the download and installation of the patch for fear the problems it created would overwhelm campus IT services.

Microsoft's message to schools was the same as to everyone else: Here, take it. Look at the online instructions for SP2 on Microsoft's website to see Microsoft's attitude: The first three things Redmond says on a "Get Service Pack 2" page are:

[YOU] back up your critical information. [YOU] make sure there's no spyware on your computer. [YOU] check with your computer manufacturer to see what their special instructions are.

To add insult to injury, there's the cross-marketing. The company has attached to the package of necessary security upgrades some largely unnecessary efforts to get you to use more Microsoft stuff, like Internet Explorer. I couldn't scan my system and download SP2 using Windows Update unless I switched to Internet Explorer. In other words, to get security patches, I'd have to switch to a less secure browser. (Many of the security features for IE and Outlook Express in SP2 I've enjoyed for a year on Firefox and Thunderbird, including pop-up blocking, filtering and download manager technology.)
