CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Security

Stumbling over SP2

CNET News.com's Mike Ricciuti says Microsoft has no choice but to get the Windows XP update on solid footing--and soon.

People have Bill Gates all wrong. He doesn't want to rule the world (or at least the computerized portion of it). And although he may secretly hope that all Linux source code spontaneously combusts, that isn't his biggest wish.

No, the man just wants a return to the old days. Think back to the early 1990s, when Microsoft would introduce a new version of, say, Excel. The only things that mattered were what kinds of charts people could draw and how many formulas they could embed in spreadsheets. Customers--lots of them--willingly shelled out $300 or $400 a copy for the new software. The notion of security was left to the folks in uniform who kept reporters like me away from the customer briefing rooms, where good food and strong drinks were served.

How things change. For the past nine months, Gates has spent hundreds of millions of dollars to have his best programmers build a free update to an operating system that many people still don't want.

SP2 is finally here, and it's been one rough week for Microsoft.
For the last few years, the world's largest software company has been held hostage by tireless security assaults aimed at Windows and its Internet Explorer browser. Finally, last year, Gates and Microsoft Chief Executive Steve Ballmer had had enough: The result was Windows XP Service Pack 2, which, Microsoft said, would patch many of Windows' most gaping security holes.

Well, SP2 is finally here, and it's been . After telling big companies that SP2 was ready to go, one of the first things Microsoft did was make it harder to get.

Microsoft said that SP2 doesn't play well with 50 or so existing programs. Par for the course as far as Windows updates go, you might say. But unfortunately, the list includes one of Microsoft's own systems management tools that big companies could use to install SP2 to their internal PCs.

So in order to keep employees within big companies from getting SP2--and immediately crashing some of those 50 programs--Microsoft temporarily put the brakes on automated distribution, which was supposed to be one of SP2's best side benefits. Users of Windows XP Home Edition are just starting to get the update, and the remainder of XP users will be able to get it before month's end. But businesses are in no hurry. Many said this week that they'll wait for the SP2 kinks to be worked out before taking the plunge.

Then, on Wednesday, security researchers said they'd found some gaping holes in SP2 that--at least theoretically--could let malicious users gain access to SP2-protected PCs.

Did Microsoft bungle SP2's debut? With my columnist hat on, I can give you an unqualified yes. That's a shame, because by all accounts, SP2 is a fine update to Windows XP, which was already the best-ever version of Windows. And rest assured that Microsoft will work out the kinks--it has to.

For Microsoft, SP2 could finally take some of the heat off of the company and its historically cavalier attitude toward security.

Perhaps SP2's greatest accomplishment will be to increase the number of Windows users who actually install bug fixes.
Even though SP2 is a free download, it could eventually boost Microsoft's bottom line by convincing the many companies still running Windows 2000 that it's all right to move up to Windows XP--and by extension, Office XP and other programs.

And let's not forget that SP2 also fine-tunes Windows XP's internals, making it less susceptible to malicious attacks (as long as you're using the latest hardware). It also delivers in one rather pudgy download many other updates, such as Service Pack 1 and the latest security patches and bug fixes.

Perhaps SP2's greatest accomplishment will be to increase the number of Windows users who actually install bug fixes. For years, Microsoft has been saying the problem with Windows security isn't necessarily with Windows but rather with users. If they'd just take the time to install the available patches, most of their PC security problems would go away.

Easier said than done. Asking system administrators to keep their company's Windows systems up-to-date is one thing. After all, that's what they get paid to do. Still, in our IT budget-constrained world, there are fewer administrators, and those who are around are responsible for more PCs than in years past.

But expecting consumers at large to keep up with the blizzard of confusing and sometimes contradictory software patches is ludicrous. Remember, computing is mainstream. Senior citizens shop on eBay. Teenagers chat on instant messaging. Do you think any of these people understand why they should apply an "Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)"? You'd have better luck asking them to split an atom. There's got to be a better way.

And there is, Microsoft says: It's called automatic patching. By default, SP2 turns on Microsoft's automatic updating service, which funnels the latest bug fixes directly to your PC. Well, here's the true test: If Microsoft's theory holds, there should be fewer trashed Windows PCs the next time an MSBlast-size worm slithers through town.

Since most security professionals think that the next big virus will hit sooner rather than later, we shouldn't have to wait too long for an answer.