XP Service Pack Highlights Security Dilemma
Dec. 15, 2003
The second service pack for Windows XP will implement more significant changes than usually appear in a service pack. These changes are designed to bring Windows XP in line with the Trustworthy Computing "Secure by Design, Default, and Deployment" framework, which has led to significant changes in Microsoft's product development process and to noticeable improvements in recent products such as Windows Server 2003. But the service pack poses a dilemma for Microsoft and users: the changes that will increase the security of XP may break some applications.

Expanded SP Goal Causes Dilemma

The goal of Windows XP Service Pack (SP) 2 is to improve the security and reliability of the OS: the service pack will patch the growing number of security vulnerabilities unearthed since Windows XP SP1 (released in Aug. 2002). To reduce the security risks these vulnerabilities pose to all users of Windows, Microsoft needs SP2 to achieve widespread and rapid adoption. Because these patches have been well tested, users should not have to perform extensive testing on this part of the service pack. But this service pack will also deliver some new functions and change the default state of other functions, which could slow adoption.

Windows Server 2003, which underwent similar changes so it could be released as "secure by default," does appear to be more secure than Windows XP, as some recent security bulletins that applied to Windows XP did not affect Windows Server 2003. But the changes in Windows Server 2003 were implemented during the beta process prior to the release of the product, servers tend to run a limited number of applications, and servers are managed by administrators who should understand the implications of the changes being made. Therefore, the security changes made to Windows Server 2003 could be tested before release.
With Windows XP, the case is substantially different: the OS has already been released and widely deployed, a huge and diverse number of applications run on it, and the user community is much more diverse, from novice to expert. Furthermore, because administrators and OEMs expect a service pack to safely bring computers to a known support level, they do not like a service pack to change existing features or contain new features that must be extensively tested before they can be deployed. If the changes are too severe, the service pack will likely result in increased support calls and user frustration. Therein lies the dilemma: Microsoft needs to make these changes to improve the overall security of Windows XP, but too many changes could interfere with the normal function of the system and delay adoption of the service pack.

Extent of Proposed Changes

Proposed changes for Windows XP SP2 will affect the Windows Firewall, e-mail applications, Internet Explorer, and applications that use low-level functions such as Distributed COM (DCOM) and Remote Procedure Calls (RPC).

Windows Firewall. Typically, making a feature secure by default implies turning the feature off, but in the case of the Windows Firewall (formerly the Internet Connection Firewall, or ICF), Microsoft thinks security would be improved by turning this feature on for all users. In addition, the Windows Firewall will be enabled earlier in the computer's boot process, eliminating a window of vulnerability that occurs when a PC can communicate over the network but the Windows Firewall has not yet started. To mitigate the effects of these changes to the Windows Firewall, Microsoft will make it easier to configure. For example, Group Policy will be able to configure the Windows Firewall, and the Windows Firewall will be configurable for different network scenarios, such as on a corporate LAN or on a public wireless network.
The company will also work to ensure that typical scenarios, such as file and printer sharing, will work with the Windows Firewall enabled, but developers and IT beta testers will have to focus on this area to ensure their applications work with the Windows Firewall.

E-mail applications. New APIs will provide a consistent way for applications to determine whether attachments are safe, and a consistent user interface to help users work with attachments. In addition, the new APIs will ensure that when an application opens or executes an attachment, it does so with the least possible privilege, reducing the likelihood that a problem could affect critical files or services. Outlook Express, Internet Explorer, and Windows Messenger, all of which ship with the OS, will be updated to use these new APIs. Office 2003 currently provides a similar attachment-blocking feature, but if Office is going to use the new Windows APIs for safe attachment management, Microsoft will need to release an updated version.

Internet Explorer (IE). Changes to IE will prevent Web sites from repeatedly asking a user to install a malicious ActiveX control until the user reluctantly accepts, or from using a site-generated window to obscure a security dialog box. IE will also attempt to block some pop-up windows, including advertisements. Web site developers will need to ensure that the changes still allow users to interact with their sites.

DCOM and RPC. Changes to DCOM and RPC include changing the core RPC functions to allow pieces of RPC to execute with reduced privileges, to limit any damage that may occur in an exploit. The goal is to ensure that if there is a future vulnerability in these services, the impact of the damage will be limited. Developers need to ensure that any application they created that uses these services continues to work.

Windows XP SP2 will also include support for the no-execute flag in new 64-bit processors from both AMD and Intel.
This flag makes execution of all applications safer, as it can be used to limit the exposure of a buffer overflow, which occurs when a program tries to store more information in a memory buffer (temporary storage area) than the buffer is able to hold. The flag allows the overflow area in memory to be marked as non-executable, so any code forced into the area by an exploit cannot do any damage. This change is another benefit of adopting 64-bit processors, in addition to that of pure performance.

Nonsecurity Changes

Windows XP SP2 could include other nonsecurity-related changes, such as the following:
It is also not clear whether the service pack will have to be deployed on Windows XP Tablet PC Edition 2004, which is likely to ship at the same time, or whether Tablet PC Edition 2004 will already have these changes incorporated.

Availability and Resources

Windows XP SP2 is scheduled to begin beta testing in Dec. 2003. It is currently scheduled for release in mid-2004.

For more information on Trustworthy Computing, see "SD3 Forms Basis for Security Push" on page 9 of the Oct. 2002 Update. For more information on the changes made to Windows Server 2003 to make it Secure by Default, see "Applications Require Updates for Windows .NET Server" on page 7 of the Jan. 2003 Update. For more information on Windows SPs, see "Windows Service Pack Roadmap Shows Gaps" on page 3 of the Oct. 2003 Update. For more information on the development of SPs, see "Windows Sustained Engineering in Spotlight" on page 3 of the Nov. 2003 Update. For details on changes proposed as a result of the Eolas patent suit, see "Lawsuit Drives Browser Changes" on page 7 of the Nov. 2003 Update. For more information on the impact of XP SP2 on developers, see msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnwxp/html/securityinxpsp2.asp.
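The buffer overflow that the no-execute discussion above defines (storing more into a fixed buffer than it can hold) is shown here as an added example that is not part of the article: an unchecked copy into a 16-byte buffer beside the bounded version that rejects oversized input. The buffer size and the sample inputs are constructed for illustration; the no-execute flag is a hardware mitigation for when such a check is missing and is not modelled in the code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size buffer: the "temporary storage area" of the text. */
#define BUF_SIZE 16

/* Returns 1 when src (plus its terminator) cannot fit in BUF_SIZE bytes. */
int would_overflow(const char *src)
{
    return strlen(src) >= BUF_SIZE;
}

/* Unsafe form: strcpy writes strlen(src)+1 bytes no matter how large the
 * destination is, so any input of 16 or more characters runs past the end
 * of dst and overwrites whatever lies beyond it. This is the defect that
 * the no-execute flag is meant to contain; it is never called below. */
void copy_unchecked(char dst[BUF_SIZE], const char *src)
{
    strcpy(dst, src);   /* no bound check: the overflow */
}

/* Hardened form: refuse input that does not fit, leaving room for the
 * terminator. Returns 0 on success, -1 when the copy would have overflowed;
 * on rejection dst is left as an empty string rather than partial data. */
int copy_bounded(char dst[BUF_SIZE], const char *src)
{
    if (would_overflow(src)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);   /* length already proven < BUF_SIZE */
    return 0;
}

/* Constructed inputs: one that fits and one that is far too long.
 * Returns 1 when the bounded copy behaves as intended for both. */
int demo(void)
{
    char buf[BUF_SIZE];
    int ok = copy_bounded(buf, "hello");
    int rejected = copy_bounded(buf, "this string is far too long for the buffer");
    printf("short input -> %d, oversized input -> %d\n", ok, rejected);
    return (ok == 0 && rejected == -1 && buf[0] == '\0') ? 1 : 0;
}
```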