Originally posted by: Philippine Mango
Originally posted by: MercenaryForHire
"This is labeled as a critical update creating several major flaws ... should I install it?"
:roll:
- M4H
Fixed
The irony is, in terms of the built-in firewall in XP SP2, if the user only has RAS connections and no LAN connection - that's actually true!
And the patch that MS released, six months later, to fix the gaping hole in their default firewall - the hole that essentially treated WAN RAS connections as a "trusted" LAN subnet if the machine didn't have any other LAN connections, meaning the entire internet was "trusted", and thus the firewall let everything in - was labeled "critical" in the MS KB article, but wasn't even listed among the patches released that same day on "patch day"! MS intentionally hid the patch, to make it appear that their recent security advisory didn't have any "critical" patches as part of it.
I found out about it only via a thread on DSLR, because some people had noticed that it was showing up in their WU/AU patch logs, but wasn't on MS's web site. Indeed, going to their site and manually searching for it on their "security for IT pros" web site (where you would go as an admin to manually download security patches) turned up nothing!
Edit: Oops, old thread, who bumped it?
Anyways, while it's bumped, I thought I'd add another comment. I'm honestly really disappointed with MS, in how they handled XP SP2, for a multitude of reasons. One being that MS had previously (in the days of W2K) "promised" that service packs were indeed going to be bugfixes only, and would not introduce new features nor radically change existing ones. That all went out the window with XP SP2. This actually caused major pain for many 3rd-party and site-customized software vendors, because of the low-level functionality changes made with XP SP2. Second, they held off releasing XP SP2 until those new features were ready, when in fact the "bugfix" portion of XP SP2 was ready to go, more or less, easily 6-8 months earlier, but MS wanted to beta-test the "new features" portion of the SP longer. This effectively denied existing XP SP1 users badly-needed system-level bugfixes for quite some time. Some of them (such as the Explorer.exe update to prevent crashing, and the write-cache-flush bug with 48-bit LBA IDE HDs) were eventually released as standalone hotfixes. But not all of them were.
IMHO, what MS should have done - and they could have actually made more money doing so - is to release all of the functionality changes/feature additions as a "Windows XP Security Plus Pack" (much like the "Plus Pack" add-ons for Win9x, which added things like DriveSpace3 compression features, etc.). That way, existing W2K/XP users would be able to use XP's original functionality, with the bugfixes provided by the SP, but not have to deal with the potential incompatibilities added by the new features, while home users (the primary target market for the "enhanced" built-in security features, like the "Security Center", default firewall, etc.) could just go buy the "XP SP2 Plus Pack" for $20 or so. MS could have kept their corporate customers happy, while making more money off of their home users, at the same time! Why they didn't is a bit of a mystery to me. My guess is that there are also a number of lesser-documented changes under the hood in XP SP2, dealing with DRM and some other things, that MS wanted to force onto people's machines regardless, and that's why they didn't split it up that way. (Much like their prior campaign to "require" IE5/5.5/6.0 to be installed onto a machine in order to run some other 3rd-party app that was totally unrelated to IE at all - for example a DirectX-based game. It was just a phony campaign to force IE onto people's machines, to compete with/destroy competing browser makers. And it worked. Now MS is doing the same thing with XP SP2.)