CERT Advisory on XPSP2 – “significantly improves your computer’s defenses”


US-CERT published an advisory on XPSP2 the other day. Main statement – “Microsoft Windows XP Service Pack 2 (SP2) significantly improves your computer’s defenses against attacks and vulnerabilities.”

They specifically talked about IE changes, including local machine zone lockdown. 

Full advisory is at http://www.us-cert.gov/cas/alerts/SA04-243A.html.

Thanks.
Scott

Comments (15)

  1. Anonymous says:

    What about when they recommended that people use a different browser than IE, to get better security?

  2. Anonymous says:

    That was before SP2.

  3. Anonymous says:

    "That was before SP2."

    Right, which is XP-only. IIRC, IE6 runs on Windows 98+, sadly enough.

  4. Anonymous says:

    But all they are basically saying, is that you should get SP2 because there are so many security holes in XP that in order to not be majorly open to attack you need a patched system.

  5. Anonymous says:

    But all they are basically saying, is that you should get SP2 because there are so many security holes in XP that in order to not be majorly open to attack you need a patched system.

  6. Anonymous says:

    >> "That was before SP2."

    >

    > Right, which is XP-only. IIRC, IE6 runs on Windows 98+, sadly enough.

    Ooh, zing!

  7. Anonymous says:

    And yet the CERT advisory on IE still stands… even after SP2. In case you forgot, CERT recommended everyone dump Internet Explorer 🙂

    Microsoft did mention that they plugged this security hole but it can still be routed around using a shell call and hence is an even more scary security hole.

  8. Anonymous says:

    For anyone interested in a more secure (and feature-rich) alternative, try:

    http://www.GetFirefox.com

    Competition is good. 😉

  9. Anonymous says:

    Just testing if we can leave out the "http://" and still get a clickable link: http://www.GetFirefox.com

  10. Anonymous says:

    Hmmm, guess not. 🙁

  11. Anonymous says:

    Firefox is amazing. I haven’t had a single problem with it. And just to make sure IE doesn’t pop up anymore, I routed all system calls to IE straight to Firefox. 🙂

    http://crackbaby.com/article.php?sid=10093

    Can you believe Microsoft told me that they wouldn’t include this answer? The site now pops up as the number one site on Google for ‘remove internet explorer’ 🙂

  12. Anonymous says:

    To the IE people:

    Sorry about all the people who are essentially spamming here. Sure, Firefox is better, but with SP2 IE is also better — just not better enough. 😉 We can do better to promote Firefox (and do it more ethically) than to take over the comments section on a blog for a browser that many users don’t even realize they’re using.

    I don’t know whether it’s just me or not, but I get the impression that IESP2 isn’t really that great a jump in security compared to IE<SP2 in the hands of an intelligent user. The main changes (doubtless there were smaller bugs, many security-oriented, that were fixed — not huge defense improvements but improvements nonetheless) as I see them are:

    -firewall ON by default

    -activex OFF by default, prompt to whitelist by site

    -popup blocker added

    -somewhat tighter divisions between security zones (?)

    The firewall was off before, but could be enabled if desired. ActiveX was enabled but could be turned off. Granted, the UI for toggling these wasn’t really present, so this isn’t optimal, but it would seem to make them more UI changes than major features added. Popup blocking might be a security feature in some instances, but I see it more as an annoyance remover as opposed to a security feature. Perhaps those more familiar with software security know of ways that popup blocking would enhance security for the intelligent user.

    Anyways, feel free to add to this list with any other big changes, because I’m interested in hearing exactly what else has changed in SP2 — my knowledge of the changes is obviously rather lacking.

    Note:

    I’m not disputing that IESP2 is definitely worth downloading — SP2 was my first action after I got a new laptop recently. However, from my knowledge it seems that CERT’s advisory title might be slightly overemphasized (or rather, targeted towards the less clueful users).

  13. Anonymous says:

    I don’t know whether you guys already know this, but on my XP SP2 with latest Windows updates, this JPEG image CRASHES IE.

    http://sylvana.net/test/AP4.jpg

    And this is where I found this:

    http://it.slashdot.org/comments.pl?sid=122855&cid=10327905

    This is really embarrassing…

  14. Anonymous says:

    "significantly improves your computer’s defenses"…

    Ridiculous. How long have we used browsers? Many years. And the talk about security has only been GROWING since the beginning. It’s a shame IE/WinXP still has ANY security holes. The basic design is just wrong. This is because MS’s main drive is making profits instead of offering security, privacy.

    Not to mention the stability and growing system specifications. Mostly because of all the easter-egg-like stuff, way too many unneeded things in Windows/IE, etc. And then MS doesn’t offer any tools to remove these unneeded resourceslurkers.

    Cut down to the basics (which CAN be enough for 99%, if not all), and we can run Longhorn on a Pentium1 with 64Mb memory.

    Oh, and I forgot the embarrassing lock-in strategy (like creating-unneeded-pushed-MS-standards) of MS… Etc.

    Plain and honest competition? Not to my standards.