|
Editorial
|
|
Written by Aidan
|
|
Wednesday, 11 August 2004 05:37 |
As Microsoft have released Windows XP Service Pack 2, interesting news begins to leak out about it. IBM warn it's employees not to install it. DivX stops working under it, Firewire 800 becomes Firewire 100 and many more applications and drivers will fail to operate correctly. The new version of the firewall defaults to allowing access to Remote Assistance, lowering the level of security offered by the previous firewall. So, is this just a service pack, or is it more akin to a new OS? Certainly the transition between Windows 2000 and Windows XP appears to be easier and smoother than the transition from Windows XP SP1 to Windows XP SP2! Let's take a look at what's actually changed.
Without a doubt the security of the system has been tighted up in a number of ways. Microsoft have been making noises about the security of their products for a good while now, and it's about time they started to demonstrate this. "Security in depth" is a very current watchword, and it refers to ensuring that there's more than on layer of security protecting things. Many of the changes in Service Pack 2 pay homage to this, so it's no surprise when you start to take a look at the list of changes. As far as the author can see, perhaps the biggest change is in the way that memory is handled. Most users do not know how programs handle memory, and nor should they have to know. However, this is where one of the biggest problems comes from - buffer overflows!
The changes in memory handling add a number of features. For example, both canary values and non-execution are powerful tools against the buffer overflow. Canary values are known values of data written to specific points in memory. When a program comes back from handling some data, the OS checks to see that the canary values are still correct. If the canary values have changed, it means that something has tried to overwrite sensitive memory. There's only two reasons for sensitive memory to be overwritten. Firstly a program could suffer from bugs and have done something stupid. Secondly, the data that the program handled was actually a buffer overflow. In the first instance, the program was going to crash anyway, so no change there. In the second instance, someone was trying to exploit a program and inject their own code. This is now caught.
The second tool that Microsoft is using comes from AMD's 64bit processors. That's the NX (Non eXecute) bit. Part of the processor is devoted to tracking physical memory and virtual memory. This part can tell when a program needs a bit of memory from the swap file, or when a program tries to write to a bit of memory it doesn't own. There are already flags to control reading and writing, but until AMD's introduction of the NX bit, there was nothing to stop a PC processor from executing from memory. Other processors and archtectures already have an NX bit of their own, but it's taken a while for it to migrate across to the PC. The aim of the NX bit is to mark a bit of memory as non executable. That means if the processor tries to run that bit of memory as a program, such as in the case of a buffer overflow, the memory management unit on the processor would inform the OS that something was wrong. Unfortunately it seems to be taking the advent of 64bit processors in the PC world to introduce this feature. Fortunately, both Intel and AMD appear to be bringing these features to their 32bit processors!
Some of the services are also disabled by default. Both the Alerter and Messenger services are disabled. These two services are the two that many spammers used to send pop-up messages to unwitting recipients across the Internet. Unfortunately, a number of programs also use these services in order to alert an administrator that there are problems with another machine on the network. This isn't a problem for most home users, but could cause issues in the corperate world.
Microsoft has also finally rolled in their Bluetooth stack into XP. Whilst on the surface this appears to be good news, issues have been seen when users already have another Bluetooth stack on their system. Microsoft's Bluetooth stack provides some Bluetooth Profiles such as Personal Area Networking (Ethernet over Bluetooth), Hard Copy Replacement Profile (Printing), Host Interface Device (Keyboards, mice, joysticks and other input devices), Dial-up networking, Object Push Profile (to send files) and Virtual COM ports. This leaves out perhaps the most used features of Bluetooth: Synchronising your Phone/PDA with your computer, sending and receiving individual contacts and audio headsets. Additionally, a number of Bluetooth dongles are not officially supported yet (There's a workaround hack that can be done to INF files), presenting a problem to those who already have Bluetooth kit.
There's also changes to the TCP/IP stack, that change the way things behave. Raw sockets now have extra restrictions that make them much less useful. TCP data cannot be sent via Raw sockets, and UDP datagrams have to have the correct source address. The number of outbound TCP connections attempts is also rate limited, causing some security tools to run far more slowly than normal, and possibly causing problems with some peer to peer programs. The Windows XP firewall is now on by default, but this has been known to cause problems with some programs that the firewall can't do stateful filtering for. Additionally, the firewall can now be configured on a global basis, so rules can be configured for the whole machine rather than just a single interface. Microsoft have also added a Firewall Exceptions list, so that you can configure which applications are allowed to act as a server, rather than just opening a port and hoping. Even better is that Microsoft has merged the IPv4 firewall and the IPv6 firewall into a single entity. Previously they had to be configured seperately using seperate programs. However, Microsoft have now introduced a command line tool that can be used to configure the firewall, including turning it off and opening ports up. If you were hoping for a program that could restrict outbound connections, be aware that the firewall on restricts inbound connections. Spyware can still phone home quite happily through the new XP Firewall!
Both RPC and DCOM have had substantial changes - RPC and DCOM are often used for communication between programs either on the same machine or on different machines. These changes should tighten up security, but may well break applications that are not expecting them to become more restricted. Those who were hit by one of the worms that attacked RPC are probably happier now!
Several changes are made to Wireless, including the Wireless Provisioning Service. However, this feature needs Service Pack 1 for Windows Server 2003, which hasn't been released yet.Support for PEAP (Protected Extensible Authentication Protocol) and WPA is also included. Also added is the Wireless Network Setup Wizard, which is supposed to offer an easier way to set up security of Wireless Access Points (WAP) and wireless clients.
Outlook Express gets a quick overhall - There's a feature to disable the HTML display of messages, and render them in plain text instead. This can prevent scripts, viruses and tracking images from being used, as long as the user displays everything in plain text. However, for some strange reason, if you use the plain text display mode, you can no longer do full text searching of the body of a mail message! Internet Explorer also gains an program that's designed to help track down which IE add-on caused IE to crash. This could be helpful for those trying to track down spyware that causes IE to behave badly. Along with this is an add-on manager that can be used to view and control the list of add-ons that are loaded by IE. The way that ActiveX controls are downloaded has also changed, and the information will now appear in the Information Bar. In the same way pop-ups will be blocked with a note in the Information Bar, as well as some active content. This could cause some web sites to stop working correctly.
There's also a whole host of other changes, but the author decided to touch on those that are perhaps the most important in terms of security. Some of the additions are welcome but are cautiously viewed; some users may feel the extra security means they no longer have to be as careful. The author would argue that the opposite is true - users need to be just as careful, if not more careful. Many hackers will attempt to break the security of Service Pack 2 for XP, as they have broken other protection on other platforms. Much of the changes appear to be for the good, but may well cause difficulties initially. Think of it as short term pain, in the same way as upgrading from Windows 98 up to Windows 2000 was difficult in the short term. The list of changes is so large that it appears to be more of an upgrade to the operating system than just a patch. The next few months will be a telling time as users discover all the problems and issues between Service Pack 2 and existing applications and drivers.
Had experience of Win XP SP2? Tell others in the forums!
|
|
|
