Windows XP Service Pack 2 shipped publicly this past Tuesday — 24 August. The release is, by Microsoft's own framing, the first major test of the Trustworthy Computing trajectory. I have been running it on a test machine for the past few days; first impressions follow.
This is a substantive post because the SP2 changes are substantial and the structural implications are larger than any single past Microsoft release.
What SP2 does
Three architectural changes that matter most.
The Windows Firewall is on by default. Previously, Internet Connection Firewall was available but off by default; most users never turned it on. SP2 renames it to "Windows Firewall", switches the default to on, and applies it to all network interfaces by default. The default rules permit only outbound traffic and the replies to it; unsolicited inbound connections require explicit user permission.
The cumulative effect: typical XP installations are no longer reachable from the internet on most ports by default. The vulnerable population for Sasser-class worms shrinks substantially as SP2 deploys.
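The default policy just described, as a small state-tracking model added here for illustration (this is not Microsoft's code or the firewall's implementation, and the packets, addresses and the approved Remote Desktop exception are constructed for the demo): outbound traffic is allowed and recorded, replies to recorded flows are allowed back in, and anything else arriving from the network is dropped unless an exception has already been granted.

```python
"""Model of the SP2 Windows Firewall default policy (added illustration).

Not Microsoft's code or the real firewall: a small state-tracking filter that
shows the semantics described above. Outbound traffic is allowed, replies to
outbound traffic are allowed, and unsolicited inbound traffic is dropped unless
an explicit exception exists. All packets and exceptions below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (proto, local ip, local port, remote ip, remote port), the same for both directions
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (host -> network) or "in" (network -> host)
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DefaultOnFirewall:
    """Stateful filter: remembers flows the host initiated, blocks the rest."""

    def __init__(self, port_exceptions: Optional[Set[Tuple[str, int]]] = None):
        # Exceptions are (proto, local port) pairs already approved for unsolicited
        # inbound connections, i.e. the SP2 "exceptions" list after the user said yes.
        self.port_exceptions: Set[Tuple[str, int]] = set(port_exceptions or ())
        self.flows: Dict[FlowKey, str] = {}   # flows the host opened -> remote endpoint
        self.dropped: List[Packet] = []       # record of what the default policy stopped

    def _local_key(self, pkt: Packet) -> FlowKey:
        # Normalise both directions so a reply maps onto the flow that caused it.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet) -> str:
        key = self._local_key(pkt)
        if pkt.direction == "out":
            # Outbound is always permitted and creates state so the reply can return.
            self.flows[key] = f"{pkt.dst_ip}:{pkt.dst_port}"
            return "ALLOW-OUT"
        if key in self.flows:
            return "ALLOW-REPLY"        # reply to a flow this host opened
        if (pkt.proto, pkt.dst_port) in self.port_exceptions:
            return "ALLOW-EXCEPTION"    # explicitly approved inbound service
        self.dropped.append(pkt)
        return "DROP"                   # unsolicited inbound: the SP2 default


def run_demo() -> List[str]:
    """Constructed trace: a web fetch and its reply, two unsolicited probes, an approved service."""
    fw = DefaultOnFirewall(port_exceptions={("TCP", 3389)})  # Remote Desktop approved by the user
    trace = [
        Packet("out", "TCP", "192.0.2.10", 1040, "198.51.100.5", 80),   # host opens HTTP
        Packet("in", "TCP", "198.51.100.5", 80, "192.0.2.10", 1040),    # server replies
        Packet("in", "TCP", "203.0.113.77", 3301, "192.0.2.10", 445),   # unsolicited SMB probe
        Packet("in", "TCP", "203.0.113.77", 3302, "192.0.2.10", 135),   # unsolicited RPC probe
        Packet("in", "TCP", "192.0.2.50", 50000, "192.0.2.10", 3389),   # approved exception
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point the model makes is that the two probes are dropped not because anyone wrote a rule against ports 445 and 135, but because no rule exists for them at all; under XP RTM the same packets would have reached the listening services.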
Data Execution Prevention. SP2 implements DEP — software DEP for all systems, hardware DEP where the CPU supports the NX bit. DEP marks specific memory regions as non-executable; attempts to execute code from those regions cause an exception and terminate the process.
The cumulative effect: a meaningful class of buffer-overflow exploits no longer works against SP2 hosts. Some exploitation techniques bypass DEP; many do not. The defence is partial but substantial.
Internet Explorer hardening. The IE built into SP2 has substantial behavioural changes — pop-up blocking by default, restrictions on automatic file downloads, restrictions on scripted Microsoft Active Setup, the new Information Bar warning users of blocked actions, more conservative defaults for the Local Intranet Zone.
The cumulative effect: passive exploitation through web browsing is more difficult on SP2 than on earlier versions. The defence does not eliminate the threat; it raises the difficulty.
What else has changed
Various smaller changes that are individually modest but collectively meaningful:
Outlook Express attachment blocking. Specific dangerous file types are blocked by default. The behaviour can be overridden but the default reduces exposure.
Wireless networking improvements. The wireless connection wizard prompts for security settings; WEP-by-default is gone in favour of more conservative wireless defaults.
Windows Security Center. A unified dashboard showing firewall, automatic-updates, and antivirus status. The dashboard is more useful for awareness than for actual security; users who would not have configured these things still benefit from the visibility.
Improved Automatic Updates. Smaller, more reliable, and easier to configure. Operators who want to defer updates can; operators who want them automatic get them automatic.
RPC service restrictions. RPC over named pipes is restricted by default. Specific exploitation paths that worked against XP RTM no longer work against SP2.
The cumulative architectural shift is meaningful. SP2 is the largest single change in default Windows security posture in any release I have observed.
What I am seeing on my test deployment
The test machine has been running SP2 for several days. Specific observations:
The firewall blocks more than I had expected. Several legitimate applications attempted inbound connections that the firewall blocked; each prompted the user for permission. The user experience is workable; legitimate use is preserved; unauthorised inbound is filtered.
DEP fires occasionally on legitimate code. A few older applications I have on the test machine triggered DEP exceptions. Updating to current versions resolved most cases; one application required adding it to the DEP exception list. The friction is real but bounded.
IE behaviour is meaningfully different. Sites that depend on automatic file downloads now require explicit user action. Pop-up blocking catches most pop-ups (legitimate ones can be permitted per-site). Several sites are visibly broken under SP2's IE; they were not previously.
Update behaviour is reliable. Patches install cleanly; the reboot pattern is unchanged. The cumulative reliability of patch deployment seems improved over earlier XP versions.
What this means for operators
For organisations running Windows XP on user desktops:
SP2 deployment is the operational priority for the rest of 2004. The structural improvements are large enough to justify accelerated deployment. Most large organisations will need 3-6 months for full deployment given the application-compatibility testing required.
Application-compatibility testing is non-trivial. Some applications break under SP2's tighter defaults. The testing identifies problems; the fixes are usually straightforward; the timeline is what it is.
The firewall defaults need verification per environment. Some internal services need inbound exceptions. The configuration is per-environment; the discipline is to plan the exceptions rather than to leave the defaults unexamined.
User communication matters. Users will see different behaviours — pop-up blocking, file-download restrictions, security-warning prompts. Communication ahead of deployment reduces support load during deployment.
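One way to ground the exception planning in evidence rather than guesswork, added here as an example and not part of the original post or of any Microsoft tooling: run the pilot machines with the firewall's dropped-packet logging on, then triage the log. The SP2 firewall can write dropped packets to a W3C-style log with a `#Fields:` header; the sample below is constructed to that layout (columns are mapped from the header, not hard-coded), and the internal address range is an assumed site plan. Drops from internal hosts point at services colleagues actually use and are candidates for a scoped exception; drops from external sources are exactly what the default is there to stop.

```python
"""Triage Windows Firewall drop logs to plan per-environment exceptions (added example).

Not Microsoft tooling. The SP2 firewall can log dropped packets in a W3C-style
text format with a '#Fields:' header; the sample below is constructed in that
layout, and INTERNAL_NETS is an assumed site addressing plan. Columns are mapped
from the header so the parser does not depend on a fixed field order.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample in the firewall-log layout. Hosts, times and ports are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-08-26 09:12:01 DROP TCP 10.20.1.5 10.20.7.44 50123 445 48 S 3402391213 0 65535 - - -
2004-08-26 09:12:09 DROP TCP 10.20.1.5 10.20.7.44 50124 445 48 S 3402391911 0 65535 - - -
2004-08-26 09:15:30 DROP TCP 10.20.1.6 10.20.7.44 1090 445 48 S 118371221 0 65535 - - -
2004-08-26 09:20:00 DROP TCP 10.20.3.9 10.20.7.44 2001 3389 48 S 55521230 0 65535 - - -
2004-08-26 09:21:42 DROP UDP 10.20.0.2 10.20.7.44 137 137 78 - - - - - - -
2004-08-26 09:30:15 DROP TCP 203.0.113.77 10.20.7.44 3301 135 48 S 99182731 0 16384 - - -
2004-08-26 09:30:16 DROP TCP 203.0.113.77 10.20.7.44 3302 445 48 S 99182900 0 16384 - - -
2004-08-26 09:31:00 OPEN TCP 10.20.7.44 198.51.100.5 1040 80 - - - - - - - -
"""

INTERNAL_NETS = [ip_network("10.20.0.0/16")]  # assumed site addressing; adjust per environment


@dataclass
class PortStats:
    drops: int = 0
    internal_sources: Set[str] = field(default_factory=set)
    external_sources: Set[str] = field(default_factory=set)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a W3C-style firewall log, mapping columns by the '#Fields:' header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exception_candidates(records: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], PortStats]:
    """Group inbound DROPs by (protocol, local port), separating internal from external sources."""
    summary: Dict[Tuple[str, str], PortStats] = defaultdict(PortStats)
    for rec in records:
        if rec["action"] != "DROP":
            continue
        # The XP SP2 layout has no direction column and only inbound is filtered, so a DROP
        # is inbound; later versions add a 'path' column, honoured here if present.
        if rec.get("path", "RECEIVE") != "RECEIVE":
            continue
        stats = summary[(rec["protocol"], rec["dst-port"])]
        stats.drops += 1
        if is_internal(rec["src-ip"]):
            stats.internal_sources.add(rec["src-ip"])
        else:
            stats.external_sources.add(rec["src-ip"])
    return dict(summary)


def recommend(summary: Dict[Tuple[str, str], PortStats]) -> List[str]:
    """One line per port: scoped exception where internal demand exists, otherwise leave closed."""
    out: List[str] = []
    for (proto, port), s in sorted(summary.items(), key=lambda kv: -kv[1].drops):
        if s.internal_sources:
            out.append(f"{proto}/{port}: {s.drops} drop(s) from {len(s.internal_sources)} internal host(s)"
                       f" -> candidate for a subnet-scoped exception; confirm the service is wanted")
        else:
            out.append(f"{proto}/{port}: {s.drops} drop(s), external only -> keep closed")
    return out


if __name__ == "__main__":
    print("\n".join(recommend(exception_candidates(parse_log(SAMPLE_LOG)))))
```

Read on a pilot machine's real log, the output is the starting list for the per-environment exception review: ports with internal demand go to the service owner for confirmation and get an exception scoped to the subnet that needs it; ports touched only from outside stay closed, which is the whole point of the new default.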
For organisations not yet running XP:
Migration planning should account for SP2 baseline. Any XP deployment from this point forward should ship with SP2 included. The compatibility considerations apply at deployment rather than retrospectively.
For home users:
The automatic-update prompt is the right answer. Most home users will see SP2 offered through Windows Update over the coming weeks. Accepting is the right choice for almost everyone; the security improvements substantially exceed the application-compatibility friction.
What this means structurally
Three observations.
Microsoft is delivering on the Trustworthy Computing memo. The memo from January 2002 promised structural change; SP2 is the first concrete evidence of that change in a major release. The trajectory is real.
The cumulative attack surface for typical Windows installations shrinks substantially. Previously, XP RTM was reachable from the internet on many ports by default; vulnerable services were exposed; exploitation against unpatched hosts was straightforward. SP2 closes most of this surface. The cumulative effect over the deployment cycle will be visible in worm-propagation patterns through 2005.
The pressure on remaining vulnerable platforms grows. Windows 2000, older XP installations, unpatched servers — all are increasingly the long tail of the vulnerable population. The targeting will shift correspondingly.
What I expect over the next year
Three predictions:
Worm propagation rates against current Windows decrease meaningfully. 80%. SP2 deployment plus better patching produces measurable reduction.
The remaining vulnerable population (Windows 2000, unpatched older XP) becomes the targeted segment. 85%. Worm authors follow the vulnerable population.
Specific compatibility issues drive operator pain in the deployment phase. 95%. Every organisation will have specific application-compatibility issues; the cumulative pain is bounded but real.
For my own writing: continued tracking of the SP2 deployment and what it produces. The structural impact will be visible across many subsequent posts.
More in time.