WinXP SP2 Sacrifices Compatibility for Security

goldragon writes "TechRepublic is reporting that "Microsoft is pulling out all the stops to improve security. So much so, in fact, that it will cause many problems because SP2 will de-emphasize backward compatibility with legacy systems and code for the sake of security." One small step forward for Microsoft, one giant leap backwards for mankind?"

Compatibility Woes?

[Oculus Habent]

Giant leap backwards?

Let's face it, you can't remain compatible with old software forever. It causes, well, Windows XP. XP is trying so hard to be everything to everyone, that it can't even pop up a delete confirmation fast enough to not make me wait for it (On an Athlon XP 2700+ with 1GB of DDR333, fresh from boot).

Compatibility is an important issue, but at some point shouldn't the ten-year-old programs run in a virtual environment separate from the OS?

Re:Compatibility Woes?

[gl4ss]

wonder though what they're doing?
turning on the firewall by default?

too bad it would be so ms like to add another program into the bunch when the problem is having too much of them already(you wouldn't _need_ a firewall by default if it didn't start any services by default, no? ).

Re:Compatibility Woes?

[Anonymous Coward]

if it didn't start any services by default

Try launching Linux with NOTHING RUNNING and see how productive you are. No cron, no logs, no fucking getty or login. Some services are necessary. Some of Microsoft's need to be fixed. Very few truly need to be disabled.

Re:Compatibility Woes?

[Anonymous Coward]

> Very few truly need to be disabled.

Very few truly need to be services.

Re:Compatibility Woes?

[Mr. Neutron]

Very few truly need to be disabled.

WinXP by default starts 36 services. I doubt any one user needs more than 10 of those.

http://www.winnetmag.com/Windows/Article/Article ID/40722/Windows_40722.html

Re:Compatibility Woes?

[Anonymous Coward]

WinXP by default starts 36 services.

The only one it doesn't start by default is the firewall :-/

Re:Compatibility Woes?

[Slashdot Insider]

Firewall is on by default with XP SP2.

Re:Compatibility Woes?

[Xeleema]

True, but how many of those services that you mentioned even know what a network adaptor is? login doesn't have any sort of interaction with a NIC, (by default) neither does cron. I don't think I've even seen a way to configure login to do anything over the network. The only major thing in my experience with most Linux distros is that the X server keeps port 6000 open and waits for requests. However, that lil' nuance can be taken care of by changing a line in the appropriate config file. For Example; if you're running XFree86, find the file(s) "Xaccess" and change the "#*" and "#* CHOOSER BROADCAST" to "!*". This will reject any requests for a logon window (which is maybe where you get the assumption that the login service is exploitable via the network).

P.S: I know I'm feeding the Troll, but I just want to calm any worrried n00bs before they fall for this kind of FUD.

Re:Compatibility Woes?

[t1m0r4n]

Let's get drunk and delete production data!

Hey, I did that once! Was on vacation, had way too much to drink, and got the bright idea to ssh into work to do a few things. Accidentally did an rm -f * on what I thought was a local temp directory. But I was still connected to the remote server (and was not in a temp directory). Oops.

Bottom line, secure netork requires remote access to include a breathalyzer.

Bottomer line, I did the above trick on linux boxes, but never did any such thing on a Windows machine, therefore Windows is more secure than linux
<|:0

Firewall

[Oculus Habent]

Actually, yes. The first listed security change is turning on the firewall by default. Before the network stack loads, even, to prevent a gap between network availability and firewall protection.

Other things that I find good include port management that both handle the opening and closing of ports, but also allows some applications to run as a regular user instead of administrator.

There first complaint with SP2 was the NX command - which isn't available on most current processors. The second sounds like a benefit, not a complaint:

there are literally scores of RPC-based services running, all of which provide a window for attack. That changes dramatically with SP2.

Then they go on to complain about not offering to pirated copies, but forget to mention it's only the ten most pirated product keys. It's still a large number, I imagine, but not the whole picture.

Re:Compatibility Woes?

[arose]

Compatibility is an important issue, but at some point shouldn't the ten-year-old programs run in a virtual environment separate from the OS?

DOSEMU and WINE under GNU/Linux?

Re:Compatibility Woes?

[Anonymous Coward]

aren't ten year old programs the only thing DOSEMU and WINE capable of running? *ducks*

Re:Compatibility Woes?

[Methuseus]

Yes, except be something that MS includes FOR FREE with their operating system to make people happy. And not charge extra for this capability either. That would up MS's reputation in my eye, however small of a jump that would be. This wouldn't make me want to use MS's products any more than I do now, though it would make a few things easier for people like my parents.

Re:Compatibility Woes?

[Short Circuit]

DOSBox [sourceforge.net] is available for Windows, too. From their screenshots, it looks like they've gotten Windows 3.1 to run under it. Dunno if you can install something like Win95, though.

Re:Compatibility Woes?

[Ubergrendle]

I think this is a realistic perspective. SP2 will have numerous enhancements and functionality changes, and will fix some long-standing bugs. For those programs that are 'broken' by SP2, businesses always have the opportunity to continue to run @ SP1 for a period of time while the kinks are worked out. I doubt MS will stop providing hotfixes for major problems under SP1 for a period of time.

I'm not a big fan of MS, but some of the criticism they receive is unfair -- damned if they do, damned if they don't. I'd rather have SP2 with some pain and be more stable and secure, vs running indefinitely under SP1.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Compatibility Woes?

[YouAreCorrect]

Almost all comments below stories are trolls. If story X is submitted 100 times by 100 different people, the one that will invoke the most responses is the one that will be chosen by the editors. Because this site is driven by responses (More ads viewed when people go to read the comments, etc, etc).

If someone submitted this story as "Microsoft toughens up Win XP with SP2" and wrote thoughtful, balanced comments to go along with it, it would be rejected in favour of the current one because it would not generate as many responses/page views/ad views.

So if you want to get a story accepted, write a flaimbait/troll comment with it. It rewarded when it's part of a story submission, just not when part of the discussion.

And besides.. it wouldn't be as much fun without the flaimbait/troll articles.

Re:Compatibility Woes?

[EvilTwinSkippy]

damned if the do, damned if they don't

Well, when you try to be everything for everybody these things happen. Heck, if you try to be anything to anybody these things happen. It's just human nature methinks.

That said, M$ did walk right into this situation. In their effort to force everyone to buy new software every other year, they yanked (or tried to yank) support for older versions of the OS. There are many folks out there running specialized apps that were written for the older versions. To be able to

OS X did it with Classic mode - works great

[tentimestwenty]

OS X did this brilliantly with the Classic compatibility layer. 99% of the time the layer was app-compatible and it ran at least as fast as running OS 9 alone. Many people bitched at first, but when they started using OS X, it was pretty clear that there was a huge advance in stability that made people actively dump their Classic applications and invest in the X architecture. We're still in the transition phase but with Apple proclaiming 9 dead last year, it has been successful for the OS transition.

Re:OS X did it with Classic mode - works great

[Anonymous Coward]

Interesting how the Classic layer is "brilliant" when it comes to bashing Windows. But if when read the Mac boards, Classic is totally unusable and every vendor was under extreme pressure to produce a native version of their app immediately. Using mainstay apps like Quark or Outlook was apparently impossible under Classic.

Classic is fine for what it is (us old OS/2 users used to call the VM the "Penalty Box"), but lets not pretend it's the compatibility solution for the ages. Frankly it's slow and the redraw is buggy and one only uses it when there is abosolutely no other choice.

Besides, the article is about MS breaking modern Win32 applications, not legacy apps running inside a VM.

Re:OS X did it with Classic mode - works great

[liquidsin]

The only issue I've had with Classic is that it let developers drag their feet on new versions, since their old wares could run just fine in Classic. That, and for the life of me, I can't get a consistent set of fonts working for OS X and Classic, and I've tried Suitcase, Font Book, and even violent physical abuse. It's kind of annoying that fonts that are installed on my system and even installed for Classic through font book don't get recognized by pagemaker.

Re:OS X did it with Classic mode - works great

[LightningBolt!]

> OS X did this brilliantly with the Classic compatibility layer.

It's not an OS transition. The "compatibility" problems will come from the enabling of no-execute memory regions on the few processors that support that feature. This will cause problems for the rare old program which contains self-modifying code. I imagine it will also require Sun and others to modify their JIT compilers to declare runtime-compiled code as executable.

In any case, there isn't really an analogy to OS9/OSX differences.

Re:OS X did it with Classic mode - works great

[lullabud]

I agree that having the classic environment available within OS X is a good thing for those applications that don't run natively, which is just about none anymore, but with XP it's a different story... XP SP2 is a SERVICE PACK. If microsoft did this same sort of thing it would be the equivalent of having OS 10.3 emulate OS 10.2, which is clearly retarded. However, to turn the paraphrase around, OS X emulating OS 9 is more like (although this might be a crude example) when Win9x allows you to run DOS prog

Re:OS X did it with Classic mode - works great

[Nintendork]

There are VERY few DOS and 9x apps that don't work with XP (Probably less than 1% don't work). It really isn't that large of an issue. How many apps don't work with SP2 is yet to be seen and it's unfair to judge them for it. Also, I would be pissed if the Microsoft product lifecycle was as short as Apple's. With Apple, they abandon prior OSes with the release of the new OS. I'm sorry, but that's just terrible support.

-Lucas

Re:Compatibility Woes?

[Torinaga-Sama]

That was exactly what I wanted to pipe in with.

I was amazed to see the first comment say excatly what I thought.

XP is a pretty giant leap forward in Desktop computing, as a Linux enthusiast grudgingly decided that was true a couple years ago. Now M$ is trying to go back and fix some of the things we have been telling them is messed up with their OS. I see nothing wrong with that at all.

Re:Compatibility Woes?

[gosand]

XP is a pretty giant leap forward in Desktop computing, as a Linux enthusiast grudgingly decided that was true a couple years ago.

Really? In what way? I have been using XP here at work for the last 6 months, and didn't see any real leaps forward. It just looked different, and took me a little while to get it looking like I wanted it (i.e. like Win2K). I was forced to upgrade, because that is the "corporate standard". As a desktop OS, I haven't seen anything better than Win2K.

And at home I use Linu

The difference

[Illissius]

Is that previous versions of NT were not meant to be mainstream desktop products. They were intended for workstation and server markets. If you'll recall, for example, WIndows ME was released at the same time as 2000, and targetted the mainstream desktop, unlike the latter.
They are two seperate product lines. If you'll compare XP to the previous iterations of the desktop line - 95, 98, ME - then you'll see that it is indeed a "a pretty giant leap forward in desktop computing".

just a "new look" shell th

Re:The difference

[argent]

previous versions of NT were not meant to be mainstream desktop products

Sure they are. They weren't intended to be "game engines" for home, but they were definitely targeted at the office desktop, otherwise NT 4.0 would have been significantly different: there's absolutely no reason to put GDI in the kernel on a server.

Have you been following any of the recent virus and spyware debacles at all?

Well, yes, I banned Internet Explorer, Outlook, and all products derived from them at work almost a decade ag

Re:Compatibility Woes?

[argent]

Fast User Switching is a nifty toy for home, but it's nothing more than a crippled subset of the virtual consoles that have been a standard part of PC-based UNIX (Linux, FreeBSD, even SCO) for over a decade. For Jobs to copy it instead of just taking advantage of the virtual console capability that's inherent in the OS Apple based Panther on is a wonderful example of the triumph of style over reality.

XP's "faster boot time" is an illusion. It takes XP a long time to complete booting... it just brings up the login dialog and lets you start logging in before it's finished booting. This can cause problems when you need services that don't get started until later from the users' login script... we always tell our users to wait for it to stop beating on the disk before logging in.

Re:Compatibility Woes?

[swordboy]

Let's face it, you can't remain compatible with old software forever.

Especially spyware.

I've found, that if you go into IE's securty preferences (TOOLS > INTERNET OPTIONS > SECURITY > CUSTOM LEVEL) and set all of the options that are set on "prompt" to "disable" keeps a PC from contracting spyware (that propagates through web browsing).

I've found that this is a better solution than telling my father-in-law to use the power button when he encounters a web page that LOCKS a user into picking YES when prompted with that ActiveX security warning garbage.

What will the slashdot community do when Microsoft fixes all of their problems? If they execute the antivirus and spyware solutions properly, It'll be a while until I look back.

Re:Compatibility Woes?

[ncc74656]

I've found, that if you go into IE's securty preferences (TOOLS > INTERNET OPTIONS > SECURITY > CUSTOM LEVEL) and set all of the options that are set on "prompt" to "disable" keeps a PC from contracting spyware (that propagates through web browsing).

Better yet, you can set up the less technically-inclined with Mozilla and sidestep the spyware problem altogether. My parents and grandparents have been running it for a while now, and I've heard no complaints...machines that had been clogged with

Re:Compatibility Woes?

[WIAKywbfatw]

Let's say that you have incompatibility problems with some of your common office applications and the Microsoft solution to this situation is to upgrade your applications.

Now, would you be happy that to get a secure computing platform you have to spend hundreds of dollars/whatever per seat upgrading to the latest version of your commonly used apps? To get a properly working version of Windows XP should you be forced to abandon those applications that work for you?

Microsoft has used incompatibility problems to its own advantage time and time again. Indeed, breaking the compatibility of competitors' applications was one of the company's standard operating procedure for many years. WordPerfect, Lotus 1-2-3, DR-DOS, etc all were victims at one time or another. There was even a little saying that went round Microsoft during the time that one major version of DOS was being developed: "DOS isn't done until Lotus won't run".

When you look at this new story in that context it's hard not to be suspicious of Microsoft's motives and difficult to give them the benefit of the doubt.

Damned if you do, damned if you don't

[Cro Magnon]

OTOH, Microsoft just about HAS to break some programs to get security halfway decent. There's no good solution, but I think MS is justified in breaking some compatability in this case.

Re:Damned if you do, damned if you don't

[red floyd]

It will break a lot of Broderbund programs. And about time.

The Sims, and Mavis Beacon Teaches Typing require Admin. There is NO F*CKING REASON that either of these should require it, except for sloppy/lazy coding on Broderbund's part (I suspect that they either write to HKLM or to the program directory). Maybe that would cause them to be fixed.

OT: I've read somewhere that MS is (finally!) discouraging putting all user settings into the Registry, but is recommending config files (human readability optonal) in C:\Documents and Settings\\Application Data. Once again, it's about time.

Re:Damned if you do, damned if you don't

[kettch]

I found this article [microsoft.com] on MSDN a while ago.

It points out that most registry access by software is not necessary and can be avoided.

They are also finally catching up to the idea of Least-Privelege users in Longhorn. It's about time.

Re: Is that quote accurate?

[King_TJ]

Just a few weeks ago, I heard it quoted that MS used to say "DOS isn't done until Novell won't run", not Lotus.

I have a feeling this one may just be another urban legend, like the "640K should be enough for anyone" quote.

In any case, I think you're *always* going to see a little bit of favoritism when a company builds both an OS and supplies commercial applications made to run on that OS. They may not want to out-and-out break the competitor's app, but they'd at least be willing to make tweaks to their O

One small step for M$?

[boarder8925]

One small step forward for Microsoft

Actually, any security step taken by Microsoft is an enormous step.

Re:One small step for M$?

[VividU]

M$ [penny-arcade.com]

Can we save the MS Bashing...

[kevin_conaway]

...for the comments? I know this is slashdot and all, but that really has no place in the article summary.

Re:Can we save the MS Bashing...

[TheSpoom]

I was gonna say. The comment that this is a "giant leap backward for mankind" is just not fair. How can you expect everything to stay compatible while trying to lock down parts of the OS against attack? You wouldn't be saying something like that if it was Linux we were talking about.

Surprise Surprise

[Ghost-in-the-shell]

Finally M$ catches on to what Telephony vendors and various other technology developers have been doing for years.

Had they started with a secure product, then being backwards compatible would not be that much of a problem. Hopefully the M$ code monkeys will not make more problems than they fix.

Re:Surprise Surprise

[joshmccormack]

I have a funny suspicion the "code monkeys" are not necessarily the ones to blame. Given clear specs and sufficient time I bet they'd love to make good software. Being led by marketing people who are more concerned with features to advertise, and don't have the overall architecture in mind is likely the problem.

Might this encourage

[foidulus]

less people to patch? I can bet it is going to drive IT managers crazy because now they will have to do hardcore tests of all their software to make sure it still works after the patch.
This might just make things less secure overall because nobody is going to want to bork their software. Will it be possible to roll back the patch quickly if someone finds they cannot run program X anymore?
But then again, who knows, it might "accidentally" break Office 97 so people think they need to upgrade to Office 2003.

Re:Might this encourage

[Ignignot]

But then again, who knows, it might "accidentally" break Office 97 so people think they need to upgrade to Office 2003. Exactly. Microsoft's big problem is that their users stop upgrading and stop paying them money for each new operating system. If they can make the old ones less usable _now_ instead of when they are shipped then they don't have to innovate at all to get people to upgrade. They've pulled this kind of stunt before, and they will again.

Re:Might this encourage

[BlueNexus]

I agree with you. We're going to have to spend months testing compatibility with the software our company uses. Even with the "promise" of better security management will allow us to install something that breaks critical software.

Then there are the home users who will hear "SP2 breaks 'Product X'" from the mass media and will be afraid to install it. We already have a hard enough time getting them to install normal patches that are supposed to be "safe". Image how eager people will be to isntall it when they hear it might break their favorite software!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Might this encourage

[inquisitor]

RC2 is much more stable than RC1; I haven't seen any problems with RC2 at all, unlike with RC1.

Quite frankly, most software home user X is going to use will not have any problem whatsoever with SP2; it's only the same dodgy software that writes to its own directory instead of %appdata% or HKEY_CURRENT_USER (not restricted yet, unfortunately, but I'm hoping they'll do that for Longhorn), and/or uses all sorts of godawful hardware tricks that shouldn't have worked in the first place, and/or uses ActiveX on

What?

[TheMadRedHatter]

I wouldn't call this a small step forward. I'd call it a huge leap. It shows that Microsoft actually cares about security. You can't keep an API exactly the same forever. It'll get crufty eventually.

Hopefully, there'll be more breaking for the sake of security.

TheMadRedHatter

Re:What?

[Jim_Maryland]

You can't keep an API exactly the same forever.

True that at some point you have to obsolete it, but it should go through a phase out process. The security process would hopefully fix the underlying code of existing API's as well as documentation encouraging users to abandon the older versions over time. I haven't done enough research to say that MS has/hasn't done this so I appologize if I have MS wrong on this.

XP SP2 can be a great leap forward if enough of the vendors have verified their products

Sacrifice? Windows Users are used to it

[Gunfighter]

Aren't all Windows users already sacrificing security for compatibility just by using Windows? Perhaps this is just meant to level the playing field.

I'm sure Microsoft will be releasing an update full of application compatibility fixes shortly after the SP2 release. Even in vanilla XP, you can run applications in Win95/98 compatibility mode. I don't see any reason to change it now.

I figured it out!

[marnargulus]

Microsoft is making it more secure by not allowing their applications to run!

Seems deceptive

[stanmann]

The article indicates that most of the things being broken will be viruses and trojans.

And that the only other major change will be to Finally honor the NX(Non-executable) memory designation, IOW if you want self-modifying code, you can still have it, but you can't place a call to an area that has been marked as Data-only or NX.

Seems to be all good to me...

Re:Seems deceptive

[BlueNexus]

I'm running the public early release of SP2 and Visual Studio 6 won't install. There will be more applications that break besides viruses and trojans.

Re:Seems deceptive

[steve.m]

The NX flag was only announced 18th March [theinquirer.net], so I'd say that was 'quickly', not 'finally'. It only made it into Linux 20 days ago [lwn.net]

Re:Seems deceptive

[zulux]

OpenBSD has has NX for about a year now, and Solaris on Sparc has had if for much longer than that.

Re:Seems deceptive

[steve.m]

dunno about OpenBSD, but the UltraSPARC processor supports it (and that's really old). FYI it's enabled by adding:

set noexec_user_stack=1
set noexec_user_stack_log=1

into /etc/system

Part of the design...

[LostCluster]

SP2 represents a big change in Microsoft's security vs. ease-of-use stance.

In the past, Windows shipped with many unlikely-to-be-useful services such as the NetBIOS Messenger service turned on by default installations, meaning that a user who wanted to use the service just needs to start using it and it'll already be there ready to work. Of course, we all know how this has been exploited by spammers.

Now, such non-essential services will default to the "off" position, and the user will have to take a step to affirmatively activate the services they want to use. This makes plug-and-play operation a little harder to accomplish, but Microsoft has finally decided that the security gained is worth more than the ease lost.

Compatibility is Overrated.

[PhxBlue]

It was overrated when Apple told its users, "deal with it." And it's overrated now. If you want backwards compatibility, use a Win2k emulator.

backward?

[Feyr]

this is a giant step FORWARD. if it can keep my network from being bombarded by all those damned windows viruses it's GOOD no matter what. and i don't even use windows.

i'd say this is the brightest idea microsoft had in the last decade (if they deliver that is)

interesting

[pardasaniman]

It says there's a pop-up ad blocker enabled by default...

How innovative, I've never seen that before!

Hotmail?

[thedillybar]

While installing SP2 (RC2) through Windows Update this morning, my firewall noticed it was trying to access hotmail.com.
'Generic Host Process for Win32 Services' from your computer wants to connect to law15-f93.law15.hotmail.com [64.4.23.93], port 80

Oh no, Microsoft isn't trying to integrate everything...they're not a monopoly...weirdos.

Re:Hotmail?

[Cereal Box]

You have absolutely no evidence to support your claim that SP2 is causing your machine to access hotmail.com. In fact, it was probably a virus your machine got earlier that is making it act as an email relay. You're just aware of it now.

Re:Hotmail?

[thedillybar]

'Generic Host Process for Win32 Services' from your computer wants to connect to law15-f93.law15.hotmail.com [64.4.23.93], port 80

>You have absolutely no evidence to support your claim that SP2 is causing your machine to access hotmail.com.
You are correct, I have no evidence. I only know that it "happened" to occur as I was running Windows Update and that Windows Update "happened" to stall until I permitted the connection. I agree this is circumstantial at best, but interesting nonetheless.

>In fact, it was probably a virus your machine got earlier that is making it act as an email relay. You're just aware of it now.
First off, AVG scans daily and Adaware gets run once/week. Second, the "hotmail" machine in question isn't an MX server and won't accept connections on port 25 (SMTP). The connection attempt was on port 80 anyway.
Third, and most important, http://law15-f93.law15.hotmail.com:80/ [hotmail.com] redirects to http://windowsupdate.microsoft.com/ [microsoft.com].

To Be Fair

[sabat]

Hey, given the choice between the two, I think MS is right to choose security. You're often forced to lean toward security at the expense of some convenience, or vica-versa. And in this case, given the recent (past 10 years) track record, security is more important right now.

Interesting/Important blurb

[GillBates0]

at the bottom of the second page. Not sure how many people will RTFA till there, so here it is:

There's one item to highlight this week. Silicon.com and other sources are reporting that Apple's recent patch to fix a major threat in Mac OS X wasn't completely successful, and that a highly dangerous problem still exists in the operating system. The threat is especially noteworthy because it is the first important vulnerability discovered in the Mac OS X operating system that was not due to a flaw in the underlying FreeBSD UNIX on which Apple based OS X. This problem lies in the part of the code created by Apple, and it appears that it is quite difficult to repair. This is the first real challenge to Apple, and it will be interesting to see how the company responds to this critical threat. Previous patches were simply carried over from the Linux/UNIX community. Apple is on its own this time.

Check the dates-- both articles are old news.

[phillymjs]

The WinXP article is dated June 7. The link points to a Silicon.com article [silicon.com] about a security flaw in OS X, and that article is dated May 26.

It was on June 7, the same day, that Apple released a second Security Update that fixed the remaining vulnerabilities.

~Philly

SP2 Install Instructions

[cyb3rllama]

1. Launch Windows Update.
2. Prepare sacrificial animal in accordance with the EULA.
3. Open CD tray.
4. Allow some blood to drain into computer and close tray.
5. Smear remaining blood on monitor frame.
6. When install completes, reboot and enjoy the ritually clean goodness!

Progman

[mobets]

Does that mean they will finaly ditch program manager? I realy hope there isn't any one still using programs for win 3.1 that still require that. And if so, why are they running it on XP anyway...

Don't believe me, or just feeling nostalgic for windows 3.1, go to run, or a comand promt and execute progman.

So what?

[Supp0rtLinux]

The majority of XP users aren't using that many old apps anyway... the average XP user is just using XP, Office 2000+, IE6, and MSN. And the majority of 3rd party apps such as those from Adobe, Macromedia, etc will get free updates to be compatible. Its not such a big deal for the average user. I've often felt that M$ would be well served to release a new OS based on an entirely new codebase... get a group of developers that have never seen Windows source code, only the GUI and let them rewrite it without backwards. Then get the major vendors to release compatible versions of their software. Sure... things will lag for a bit, but Windows will get better and the app support will follow. Windows is still based on an almost 15 year old code base. Its time to rewrite it from the ground up. Screw the backwards compatibility. Move on.

Re:So what?

[Timesprout]

Brilliant idea. Why not piss off hundreds of millions of users by breaking all their apps, which they have paid for and making them wait for updates. Why not piss the vendors off because they now have no products because you have just removed the OS and the API's their products were based on. They have to build completely new products based on a new OS and API's (but thats just a bit of a lag to you). Why not piss the millions of windows developers off because their a big chunk of their skillset is now wort

Re:So what?

[Sique]

You are just lighting the one side of the medal.

There is as always another side: There are real faults in the system, which can't be fixed, because the fix is equivalent to breaking an application, which was working around the fault in a murky way. There were design mistakes you can't fix, because there are applications which expect exactly this misdesigned behaviour. There were books out there talking about some "hidden features", which were never to be exposed to the developpers, but the developpers found out and some started coding with those "hidden features". Now you can't remove them anymore, even though they made only sense for a special environment present at the moment of their design, and they should have been hidden forever behind the official API.

There is only one way to get out of this mess: Start anew. Screw those people who were trying to be clever. Define a stable subset of used API routines you know are quite bug free, useful and abstract enough to live along some architectural changes. Tell everyone that outside this API nothing is supported. It may be time for Windows developpers to learn how to write portable code.

The world of the 8086 based PC as defined by IBM and evolved from there was always about being "more or less compatible". I remember the articles in the computer mags of the Mid-80ies being full of compatibility tests for the IBM clones and awarding points for supporting even obscure utilities and games.

It was always a balance between keeping to the official interfaces and produce slow, kludgy software, which was assured to run on the next generation of PCs too, and to use nonofficial but common features, which made the life easier, saved on processor cycles, allowed for elegant code, but broke with a slight change in the underlying architecture. Most programmers were even able to write kludgy, slow applications by using nonofficial features, and maybe it's time to have a more Darwinian rule around: Adapt or die. The environment is changing.

I know there are lots of people out there, who have invested huge sums of money or time or sweat in software, that is now about to break with the installation of SP2. I know that those people will be pissed of. But they can run their legacy application on their current system, and they are not forced to change it. They just have to make sure it has a welldefined and controlled interface to the world out there, maybe transferring data only via CD-ROM or having the access to the systems heavily guarded by firewalls or whatever. It's basicly the same that happens to the old database applications running on old S/370 somewhere.

But there are more people pissed of by the security lapses aboundant, by strange and illogical designs in the API, and by the loss of money if something breaks because of the faults. So who do you want to please? The people with the legacy applications, who can't or won't upgrade, or the people dealing everyday with the problems arising from old legacy bugs and holes, which can't be fixed?

Funny how that works

[thefatz]

The reason Windows is in such a hurt is compatibility with everything. Even most Linux distros dont offer the level of backwards compatibility that windows xp or less does. You can still to this day run Win16 apps under windows and still print and save, as if it were no big deal. Thats just not possible with Linux. Try downloading or running a binary from 1994 that was compiled for linux and see if it works, im sure libc and glibc and aout and elf will make things fun.

Its kinda sad how things are around here for Microsoft, Damned of they do, Damned of they dont. Somebody shows progress and they get pounced.

"...one giant leap backwards for mankind?"...And recreating an OS from the 70's isnt? Thats pretty narrow thinking.

Re:Funny how that works

[bmwm3nut]

You can still to this day run Win16 apps under windows and still print and save, as if it were no big deal. Thats just not possible with Linux. Try downloading or running a binary from 1994 that was compiled for linux and see if it works, im sure libc and glibc and aout and elf will make things fun.

that's a fair statement, but you also need to think that the majority of programs for windows are not open source. chances are i would still have (or could get) the source for that 1994 linux binary and compile it on my newest bleeding edge linux box and it should compile (of course after i go through dependency hell to get all the extra libraries it needs). for the most part, i should (with some work) be able to get all the source i need to build and run the old linux binary. however, i'd bet that the old win16 app was closed source and the company probably doesn't even exist anymore. with stuff like that backwards compatability is much more important, because you have no other way to run the code.

Re:Funny how that works

[Luscious868]

that's a fair statement, but you also need to think that the majority of programs for windows are not open source. chances are i would still have (or could get) the source for that 1994 linux binary and compile it on my newest bleeding edge linux box and it should compile (of course after i go through dependency hell to get all the extra libraries it needs). for the most part, i should (with some work) be able to get all the source i need to build and run the old linux binary. however, i'd bet that the old

And you are complaining WHY?

[British]

Ie this message is moreso for the submitter. Love the tone of your voice. We see almost daily MS lack-of security woes and now MS does something about it. Then you have to bitch about not supporing legacy this or that in the name of security. I think I would rather choose security. hell, all you need to be considered a computer security expert is just say "everything's insecure."

Yeah yeah yeah...

[manavendra]

One small step forward for Microsoft, one giant leap backwards for mankind?"

All such posts on /. are met with "All your base are belong to us". Or with slight improvisation, "All your versions are belong to us".

So much for compatibility

Believe it or not...

[Anonymous Coward]

This is a good thing. It's basically going to break applications that make assumptions about the (in)security of DCOM and RPC. It's very easy to add an application as an exception to the firewall. DCOM and RPC are going to be the major issues, so it's not going to affect Grandma's cute shareware apps any. Any app broken by the NX flag was already broken to begin with. I'm looking at you, XFree86...

Compared to this relatively minor loss, the potential security gains are enormous. It remains to be seen how well it all works though...

Games...

[sqlrob]

I wonder how much of the copy protection on software this is going to break. Gamers are probably going to be the loudest yelling demographic when this hits.

Good in the long run, but...

[ErichTheRed]

I've been looking at XP SP2's release canadidate for a couple days now, and it's pretty obvious that it will cause nightmares for Windows admins for quite a while. However, it looks like they're making steps towards better security, which will be better in the long run.

Anyone who works in Windows shops knows the proliferation of COM-based software that was thrown together in Visual Basic, and this software often performs critical functions. It will take lots of testing/planning to make sure SP2 doesn't break these extremely fragile apps. There are many, many in-house applications that are still chugging along, even in compatibility mode, because they simply can't be replaced easily. Unfortunately, Microsoft can't test these in-house apps.

We'll see what happens...

Typical /. hypocracy

[Stevyn]

Blame microsoft for the problems brought on by bad programs made by other companies. Then bitch because windows is insecure. Then bitch because they're trying to fix the situation and remove backwards compatibility to lessen the problems. Then say how microsoft is only doing this so people have to buy updated software. Well sometimes you have to bite the bullet and upgrade. If you're using some ten year old word processor on top for windows XP, then you better have a good reason of doing so. If you don't want to spend the money, switch to open office.

I can't understand how microsoft gets bashed for having the security holes and then again for trying to fix them. Besides, how many people on here still use windows? I'm always under the impressions that everyone on /. uses linux and other 1337 shit.

Quote -

[DaveKAO]

"I expect to hear screams of pain as people deploy SP2 and discover that legacy applications no longer work, but those are probably the same people who complain so loudly (and legitimately) that Microsoft doesn't deploy secure systems."

Here goes my karma, but how true will this statement be here at slashdot?

Hmmm

[C_Kode]

One small step forward for Microsoft, one giant leap backwards for mankind?

Spoken like a true zealot. I'm an OOS advocate, but I disagree with this type of statement. It's a damned if you do/damned if you don't situation when someone makes comments like this. Hey, security is important here, and I'm sure Microsoft gauged this responce carefully before making these changes. Sure it's going to break some systems, but sometimes something has to give to move forward. I don't know about you, but security is very important to me. If the patch breaks your system, don't install it untill you're ready for the change. No one is forcing the service pack down your throat.

Re:Hmmm

[fzammett]

I agree completely. It's the supid-ass comments posted with the headlines that reveals Slashdot for what it is: Anti-MS Zealots Central.

I don't care if comments like that are posted, but they should be kept off the front page in my opinion. If your trying to be a semi-serious news site, then do it, which means keeping crap like that out of the headlines. If you just want to be a community of Microsft haters, that's fine, but get rid of your grandiose tagline because it doesn't apply.

About the news itself... Geez people, hate Microsoft all you want, there's plenty of good reason. But even they deserve SOME level of fairness applied, and as the parent here posted, they are damned if they do, damned it they don't, in the eyes of this community anyway. That's unfair, and even THEY deserve some degree of fairness.

This Just In

[lildogie]

Slashdot set to fork into MS-tolerant and MS-intolerant editions.

Lameness filters to be adjusted accordingly.

applishicious

[crackshoe]

Ironically, apple has often chosen the path microsoft has now taken - the compatibility with outdated OSes should not be a priority over advancement or security.

After RTFM...

[gillbates]

It seems that these changes won't break any well-designed applications, with the exception of viruses and worms.

Granted, MS is taking a "giant leap backward" in compatibility - with viruses! Apparently, the author misses having Blaster auto-install itself upon reboot, and still longs for the days when he had to close 5 or 10 popups to view the web page he really wanted.

How could Microsoft do this? After having spent so much time and effort to guarantee that viruses would run on their platforms, now they pull the plug!? The NERVE!

Quite frankly, this is what they should have done a long time ago. If there's any fault to be found, it's that they didn't do this sooner. Any app which breaks because of these changes wasn't well designed in the first place, and deserves to break. As far as I can tell, none of the Windows apps I've written will be affected by this. The only reason MS estimates that 1 in 10 will be affected is because Microsoft considers viruses to be an application for marketing purposes. This way, they can legitimately claim that there are "50,000 applications written for Windows..." True, 45,000 are viruses, but that hardly matters now, doesn't it....

And for once, they're doing the right thing - they're telling users beforehand that this patch is going to break things, rather than letting the user find out unexpectedly... This is an improvement for them.

Good Stuff

[geomon]

Microsoft should be applauded for taking such a bold step. This is definately the right move from a company who has always put usability at the top of the list for their programmers.

But I think that it will only be implemented by corporate users and tech-savy Windows users. I see a new generation of TweakUI-like applications on the horizion that will allow inexperienced users to defeat the controls that MS is building into this service pack.

Consider what will happen when someone wants to install an application that is not set up to override the port restrictions that are default in this SP. I can see a whole bunch of folks googling for hack-packs that will disable all of the port protection so that the app will run.

Keep in mind that not all software vendors are responsible corporations who have an image to protect. The smaller niche vendors may worry about their reputation, but they are more interested in making their product work despite what MS has done to the OS to provide better security.

As has been pointed out several times /., security is only as good as the vigilence of the system administrator. If users don't patch because it makes their machine 'hard' to operate, they will definately look for applications that will defeat security systems.

No offense intended, but when you make an OS so simple that a five-year-old can operate it, you should expect five-year-old reasoning from the system administrator.

Too many apps require Administrator

[Bondolo]

Far too many Windows applications require that the user be logged in as Administrator. So many apps unreasonably require admin privledges that many users opt to be permanently logged in as Administrator. This in itself is a huge security hole.

Microsoft needs to close this hole and improve the application install/uninstall process. Many of the other fixes in XP sp2 are just window dressing without these necessary loopholes being closed.

Hmm

[ajs318]

Part of the problem is that Windows has traditionally been so lax on security that programmers have got away with bodges that would be considered unforgivable on a system that had been designed with security in mind from the word go. At some stage, though, something has to give. If all this legacy software is depending for its very operation on the same things as the viruses, worms, adware and spyware -- and it is -- then that is the choice you have to make: whether to allow sloppily-written programmes to take advantage of the security holes but unavoidably also permit malware to use them; or to prevent malware taking a hold, but in the process, unavoidably break sloppily-written legacy software. The two are indistinguible.

Now, if SP2 breaks compatibility with so much legacy software, then surely this spoils one of the arguments against switching to an alternative operating system that also would break compatibility with legacy software?

On a slightly different topic, why is anti-virus and spyware removal software closed source? If I cannot view the source code of an anti-virus programme then how do I know it is not simply going to infect my system with a virus every so often just so it looks like it has done some good? How do I know it is not going to infect other people's systems with viruses just so they will buy their own copies of anti-virus software? How do I know it is not installing its own spyware? If the software is not a Trojan horse then why will the makers not just show me the source code?

Six in one hand, half dozen in the other.

[jkmiecik]

Are you guys ever happy? I honestly don't think you are. First, you biatch endlessly about the lack of security in XP. Then, when MS does something about it, you start right up biatching for more! I'm willing to bet 80% of the people who read this site hate Microsoft because it's the "cool" thing to do around here. I'll wait for the 20% to reply with their reasons for hating Microsoft, most of which will probably be the same babble I hear in every anti-MS thread.

Backwards?

[MasterVidBoi]

From a linux user, I see backwards compatability as the biggest nightmare of linux today. There is just too much of it, and it's holding back progress. Many of the points I'm about to address come from OS X, as I'm also a happy user of that system, and think it's a model for what can be improved about operating systems if you're willing to sacrifice some backwards compatability.

Over 4 years ago slashdot was full of posts about how it would take the OOS community a couple weeks, months at most, to match Apple's nifty new compositing window system. Well, today 99% of us are still using X, and it really hasn't changed significantly. Even the extensions being worked on at FreeDesktop aren't in wide use, and it doesn't look like they will be soon.

We're still stuck with an ancient standard directory hierarcy, and multiple search paths meant to find the same thing (what? I still have to have a huge autoconf macro in order to find both the LDFLAGS and CFLAGS necessary to include library foo?). This obviously isn't the best it could be, and yet no one even considers trying to change, because 'that's the way it was always done'. Again, look towards OS X. Headers, libraries, resources, documentation, XML files with library metadata, everything associated with libfoo is contained in a single directory 'foo.framework', not scattered in /usr/include, /usr/lib, /usr/share. This conventional *nix approach practically requires a package manager to keep things straight. Then, all that is required to compile against it, both finding includes and library search path, is a simple '-framework foo' argument to gcc, which follows a single search path. Easier to write makefiles, without wasting your time in autoconf.

A lot of lessons have been learned since these systems have been designed. If you insist on supporting everything ever made, you're never going to get anywhere.

They're Too Early

[krmt]

While I fully applaud what MS is doing, it seems like the wrong time to be breaking legacy apps. Put out an actual new Windows release, rather than just a point update. People will be far less surprised when old software breaks with a full release, but with an update to the old system you shouldn't be breaking compatibility.

This isn't a damned if you do, damned if you don't situation in reality, it just needs to be managed properly. By jumping the gun on this, they'll likely piss off users, but if it were longhorn or some interim release then some breakages are simply to be expected.

That said, since I don't run Windows on my own machines, I get to be one of those that benefits by not having as much email or log spam due to 0wn3d winboxes (less spam please indeed!) so I can't complain. This is a distinct advantage of the Free software model, since Mozilla, OpenOffice, etc can be updated for no cost if this release happens to break them.

Melancholy

[Ho-Lee-Cow!]

Usually, I'd say this was a good thing. But, as with all things M$, I must adopt the cynical view that this is just another way for them to force people to upgrade to the newer, still buggy, resources hogging software they put out today. Since a large number of places are refusing to upgrade because their systems are stable, and because the reputation of M$ patches and updates is shoddy at best, the promise of something secure, that actually works right seems rather an elusive fantasy.

I mean, who cares about empty promises from a morally bankrupt company that is known for predatory business practices and open hostility toward their customer base?

Apple broke a lot of backward compatibility and it did hurt, but at least the new software at the end of the tunnel didn't blow goats.

MSDN Magazine Camp 1, Raymond Chen Camp 0

[wdr1]

Joel Spolsky recently wrote an *excellent* article on this very topic called How Microsoft Lost the API War [joelonsoftware.com]. Like almost everything he writes, it's well worth a read.

One of his major points is how MS is breaking with it's past, from when backwards compatibility was a /big/ thing. He cites VB.NET and Longhorn as two examples, but it looks like Microsoft just gave him another big one.

-Bill

Re:Thank you, Microsoft!!

[azaris]

Just another reason for folks to migrate away from their closed systems with forced expensive updates and security holes.

You mean a free service pack that improves security somehow translates into expensive updates with security holes? I'm sorry I fail to get your bizarro logic.

Re:Pah.

[WormholeFiend]

You think the spam zombie/pwned newbie PCs will be upgraded?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Just introduces more dangerous issues

[nebaz]

Well then the area in memory where your virus is will be changed to NX and it won't be able to run.

Re:Bleh

[irokitt]

Microsoft tries to make their operating systems backwards-compatible to the point of running about half of the old 16-bit DOS programs that are still floating around out there. If you've studied WinAPI, you'll note that about half of the arguments and functions are never used, legacies of decisions made by Microsoft in the elder days. Yet those functions are still implemented and, for the most part, work the same way they did when they were first created.

This isn't fuel to bash Microsoft, this is good news for those of us who use their operating system, whether by choice or necessity.

Re:Have you seen the list?

[SuiteSisterMary]

to open ports IN ICF[Internet Connection Firewall]. (Emphasis mine.)

No, you don't need to be an admin to open a socket. But you do need to be an admin (rightly so) to blow open holes in your firewall.

Or, under the new system, you can tell the system, as a non-admin, to let the program open the port, but to take care of closing and what not, rather than trusting the app to do the right thing.