Security Corner:

Opinion

May 11 2008   1:13PM GMT

Windows XP SP3 Offers Enhanced Reliability and Security, But Not IE7



Posted by: Ken Harthun
Security, Cryptography, Microsoft Windows, Browser, Networking, Opinion

The long-awaited Windows XP Service Pack 3 became available as an Express Update on Windows Update on May 6, 2008, and offers enhanced reliability and security through a few new features: Network Access Protection (NAP), designed to work with Windows Server 2008; a product key-less install option; a Kernel Mode cryptographic module; and a “black hole” router detection algorithm.

One puzzling thing, however, is that SP3 doesn’t include the more secure IE7–it ships with a fully-patched IE6 instead. As I found out, having applied SP3 to my systems, all of which are running IE7, this isn’t a problem; systems won’t be rolled back to IE6. Here’s an excerpt from the IE Blog:

XPSP3 will continue to ship with IE6 and contains a roll-up of the latest security updates for IE6. If you are still running Internet Explorer 6, then XPSP3 will be offered to you via Windows Update as a high priority update. You can safely install XPSP3 and will have an updated version of IE6 with all your personal preferences, such as home pages and favorites, still intact.

If you are currently running IE7 on XPSP2, Windows Update will offer you XPSP3 as a high priority update. If you choose to install XPSP3, Internet Explorer 7 will remain on your system after the install is complete.

If you’re still running IE6, you really should upgrade to IE7. Along with SP3, that will make your XP system as secure as it can be at this time.

Apr 4 2008   8:13PM GMT

Are You a Security “No” Man or a Security “Yes” Man?



Posted by: Ken Harthun
Security, Opinion, Security management, Networking

We security wonks always seem to be put into a position of having to say “no.” That makes us unpopular with the I’m-not-hurting-anything crowd who insist on checking their webmail, IMing their friends, and running assorted and sundry downloaded and web-based applications (but only on their time, of course). Maybe they’re right on some level; many of those things are benign and don’t represent security threats. But there are also potentially dangerous applications such as peer-to-peer (P2P) file sharing that can expose your network to hackers via an open P2P connection (see “P2P Leads to Major Leak at Citigroup Unit” and “Pfizer Falls Victim to P2P Hack”). What’s one to do?

Start saying “Yes.” You read that right. Look at it from the user’s standpoint: A blanket prohibition against anything and everything usually foments rebellion on the part of some, and they’ll do whatever they want to do with wild abandon. Your network is less secure as a result. But if you develop policies that allow webmail, online shopping, and IM instead of blocking them at the gateway, while prohibiting the potentially dangerous stuff, you just might find the users starting to ask you if it’s OK to do certain things.

And they just might listen to you if you say “No.”