Windows XP Service Pack 2
Like the Titanic's passengers, Windows XP users often find themselves in choppy, dangerous waters--instead of hypothermia, think Web viruses; instead of circling sharks, quickly crawling worms. Unfortunately, Microsoft's lifeboats have been, until now, just dinky security patches that saved us from only a few attacks at a time. Last Friday, burlier rescue boats arrived in the form of Microsoft's long-delayed Service Pack 2 (SP2), which will help all of us keep our heads above water. SP2 tightens your PC's security with a new Windows Firewall, an improved Automatic Updates feature, and a pop-up ad blocker for Internet Explorer. Plus, the newly minted Security Center gives you one easy-to-use interface for keeping tabs on your PC's security apps.
We suggest you pause before jumping ship, however. We downloaded and installed SP2 and weren't surprised to find a handful of conflicts with existing apps and wireless network settings on some of our test machines. Starting Wednesday, August 18, 2004, Microsoft began offering SP2 to people who have Automatic Updates turned on, but it will still take several weeks before everyone will have the chance to update their computers. Our advice: Be patient and wait until SP2 is made available to your PC via Microsoft's Automatic Updates service. By then, Microsoft should have had enough time to work out the kinks.
In order to get our hands on Windows XP Service Pack 2's final code, we downloaded the whopping 266MB network installation package for all of our test machines as soon as it was available at Microsoft's Download Center. We suggest you exercise a bit more patience. After installing SP2, we encountered problems with our wireless network, which we suspect were related to an existing driver that the new version of Windows didn't like. (Microsoft says that some driver conflicts are to be expected.)
Previously stable systems developed a tendency to disconnect and jump onto other available wireless local-area networks (WLANs), and one of our test systems kept losing its connection to a secure WLAN completely. Only rebooting would reconnect it.
Microsoft expects to add SP2 to its online Windows Update service later this month. Download sizes will vary because your system will download only the components of the service pack it needs. If you've diligently updated XP, Microsoft estimates the download will be between 80MB and 100MB. That number could balloon to 270MB for less up-to-date systems, however. Dial-up users not looking forward to such a large undertaking should note that Microsoft will ship--free of charge--SP2 on CD-ROM, but delivery could take up to two months. Boxed retail versions of Windows XP with SP2 will be available by the end of October. If you've been waiting for a reason to upgrade to XP from an older version of Windows, this is as good a reason as any ( is still years away). Corporate IT managers will want to deploy with limited trials to check for compatibility with their current configurations.
Sign on for updates
If you've disabled Automatic Updates in your copy of Windows XP, we suggest you turn it on now. Once you install SP2, it too will urge you to turn on Automatic Updates. You can set Automatic Updates to do its magic at a given time each day--a good idea, given what CNET security expert Robert Vamosi calls the Eschelbeck Theory. Within the first month of any security flaw going public, a rain of worms and Trojan horses floods the Internet to take advantage of that flaw. The faster you fix the flaw, the safer you'll be--and the safer we'll all be since the worms won't spread.
The new Automatic Updates feature gives you more say on how and when to download and install updates from Microsoft's Windows Update service.
Occasionally, a Microsoft fix may cause some problems with a particularly delicate Windows configuration. If you're worried that this will happen, you can set Automatic Updates to download but wait for your word before installing or simply alert you that there are updates available for download. Or, should you go it alone, you can just turn it off, but we reserve the right to say, "We told you so."
Front and Security Center
Microsoft bundles most of SP2's security enhancements into a single interface called the Security Center, which hides in the All Programs menu, under Accessories > System Tools. In addition to providing a single interface for monitoring your system's firewall (either Microsoft's or a third party's), Automatic Updates, and your third-party antivirus app, it tracks certain antivirus programs to make sure they and their virus signature databases are up-to-date. If you're using eTrust EZ Antivirus, F-Secure, McAfee Security, Panda, Symantec/Norton, or Trend Micro, SP2 hooks into your software and alerts you when updates are available. If you use more obscure software, such as Frisk's F-Prot, you can click an "I'll take care of it myself" box to avoid constant warnings that your system is not secure.
One-stop shopping: the new Security Center gives you control over your PC's security settings from a single, easy-to-use interface.
Microsoft built a software firewall called Internet Connection Firewall (ICF) into the first release of Windows XP, but it was turned off by default. For protection, you either had to hunt through system settings to turn it on, or more likely, you installed ZoneAlarm or another third-party firewall program. (The extremely security-conscious use a hardware firewall router between their PC and Internet connection.) SP2 ushers ICF out the door and replaces it with Windows Firewall, a more comprehensive and aggressive firewall. The first change you'll notice from the new software is that as soon as you install SP2, the firewall is turned on by default.
Since no single firewall is entirely foolproof, we ran Windows Firewall alongside an existing installation of ZoneAlarm Pro. In our tests, the two coexisted fairly well: ZoneAlarm flagged every attempt by a new or updated software component to access the Internet, so we did get several warnings after upgrading to SP2. This problem quickly went away, however; we needed only to grant access for a program once to avoid future warnings for it.
In some experiments with earlier versions of SP2, we found that the new Windows Firewall blocked programs with legitimate reasons to access our test PCs, such as ActiveSync connections with Pocket PCs. We didn't face this issue with the final version of SP2, however. Should you encounter such problems with your existing apps, you can easily make exceptions to allow your programs to skirt the new Windows Firewall. Using the new Firewall control panel, which you launch from Control Panel or by right-clicking any Internet connection, you can pick whatever networking or Internet connections you use (dial-up, broadband, or sundry networking connections) and set up exceptions and rules on a case-by-case basis.
Windows Firewall will block some programs from accessing the Internet or your network. Thankfully, it takes directions well, giving you the option of unblocking or continuing to block certain apps.
Windows Firewall is still rudimentary compared with firewalls in the security suites from McAfee, Symantec, and Zone Labs. It does an admirable job of blocking programs from accessing your computer, including during bootup and shutdown, but it doesn't block outbound traffic, a standard feature on third-party firewalls. Outbound blocking is important in case you do accidentally or unknowingly allow an authorized app onto your PC. Windows Firewall can't prevent such an application from broadcasting personal information it finds on your system or making you an unwilling participant in a distributed denial-of-service (DDoS) attack. We recommend that you run Windows Firewall but that you don't rely on it. You should continue to employ more-capable third-party firewalls in addition to Windows' new built-in firewall.
Pop-up ads, begone
The bane of most Net surfers is the constant stream of pop-up ads. Wander into the wrong Web neighborhood, and you not only get assaulted with unwanted advertising, you can also be infected by opportunistic code that changes your home page or worse. With SP2, Microsoft Internet Explorer gets a much-needed pop-up ad blocker. Like the new Windows Firewall, it's turned on by default.
Fortunately, the newly updated IE displays a gray bar beneath the address bar explaining what action its pop-up blocker has taken. To let pages through selectively, you just click this bar and select the Allow option. You can also add sites to an exceptions list by clicking a new Tools menu option and entering the URLs you want to allow through. Or if you prefer to use a third-party app, you can turn IE's new pop-up ad blocker off altogether.
E-mail and IM protection
But SP2 blocks more than just pop-ups. The new update adds a feature to Outlook Express that's available in the Microsoft Office 2003 version of Outlook: It can prevent HTML-formatted messages from displaying images and executing code. The HTML code within Bagle.aq, for example, will automatically execute the download of a Trojan horse on some vulnerable PCs without a user's intervention. This setting is reversible; you can display images on a case-by-case basis.
Another SP2 security feature cautions you against opening e-mail and IM attachments. Whether you're opening or saving an attachment from your e-mail or IM client, you'll be given a warning to make sure you trust the source. This is the software equivalent of being asked at the airport, "Did you pack your bags yourself and have they left your sight since you packed them?" Yes, it's a good message to reinforce, but no, it's not a real security measure.
Don't forget about system memory
To combat viruses and worms that take advantage of buffer overruns in your system's memory (Sasser, for example), SP2 includes its so-called data execution prevention (DEP) feature, sometimes referred to as no execute (NX), which prevents portions of your system's memory from running this rogue code. Only a small percentage of PCs, however, support this feature so far. No current Intel Pentium 4-based PCs can take advantage of DEP, and Intel won't release chips with DEP support until the end of the year at the earliest. The only desktop CPUs that support DEP are AMD's Athlon 64 and Sempron chips. Regardless of the type of system you own now, it's a good idea to install SP2. If you are considering purchasing a new PC soon and are really worried about buffer-overrun attacks, however, we suggest that you choose a PC with a new AMD processor or postpone your purchase if you want an Intel-based system.
SP2 also throws in a welter of retooled features, including DirectX 9.0b multimedia API for better graphics and sound, and a setup routine for SmartKeys. The service pack includes , also with improved security features. And two special versions of Windows XP get a complete OS overhaul with SP2. Tablet PCs receive Windows XP Tablet PC Edition 2005, which improves handwriting recognition among other tablet-specific enhancements. And first-generation Media Center PCs will be upgraded to Windows XP Media Center Edition 2004, an updated version of the specialized OS for machines that also serve as media hubs.
Finally, XP's wireless capabilities are improved. There's a new user-friendly interface for wireless LAN (Wi-Fi) setup. But there are still too many configuration pages underneath the fancy new interface, and they are mostly unchanged from the previous version of XP. More substantive is XP's new native Bluetooth support. We plugged a Linksys Bluetooth adapter into our test system. Using XP's new built-in user interface and native Bluetooth hardware drivers, we were able to easily connect with a Bluetooth phone to transfer images and use it as a modem.
Technical support for Windows XP SP2 covers the usual bases: you can e-mail questions to Microsoft or find answers to some questions on an online FAQ page. Toll-free phone support is available from 5 a.m. to 9 p.m. (PT) on weekdays and from 6 a.m. to 3 p.m. on weekends. We called the phone line with our problem of dropped wireless connections and spent nearly two hours getting nowhere. The support technician we spoke with chalked it up to a driver conflict and stressed that SP2 was essentially a new operating system and that driver problems were to be expected. At press time, the issue was still not resolved, but it was escalated to Microsoft's research division.