I thought I ought to post this link in light of my recent post about WinXP SP2 news coverage.

Via OSNews comes WinXP SP2 = security placebo?

The Register did an analysis of the security features in Service Pack 2 and concluded that it just plain wasn’t enough. Lots of services are still on by default, and as others have pointed out, the firewall only checks incoming connections, meaning once the spyware gets on your machine, the firewall won’t do you any good.

It’s an interesting read, and it approaches the issue from a completely different perspective. Rather than “It breaks stuff (which probably shouldn’t have worked in the first place),” it’s “It doesn’t do enough to fix stuff.”

To be fair, even the Register concludes that it is at least better than XP SP1, so the security isn’t all in your head. But there is the risk that people will think installing it is enough, when they still need to practice safe computing and make some effort to harden the system.

Microsoft has spent the past few decades focusing on convenience and backward compatibility. As a result many of their products are so riddled with security holes that worldwide virus outbreaks hit every few months, and unpatched Windows systems are compromised within 20 minutes of being connected to the Internet. And let me tell you, Microsoft has gotten a lot of flak over this.

Windows XP Service Pack 2 represents a major shift, promoting out-of-the-box security at the expense of compatibility and convenience. So what happens? Just about all the coverage I’ve seen looks like this:

Come on, people. You’ve spent the last five years criticizing MS for neglecting security in favor of compatibility, and when they finally switch gears, you criticize them for that?

Certainly you should check the list of compatibility issues before installing — you should do that with any upgrade. And of course SP2 won’t solve everything, but it’ll help considerably.

I just find it amazing (although I suppose I shouldn’t) that they finally do what people have been saying they should do for years, and they still get criticized.

CNet reports that Windows XP SP2 has been delayed again.

  1. Schedule for June
  2. Postpone until July
  3. Postpone until August
  4. Postpone until some unspecified probably-still-August (we hope)

Y’know, maybe the Linux kernel-style “when it’s done” schedule is a better way to plan it. It might not be concrete, but at least they wouldn’t get “delayed again!” headlines every few weeks.

Update Aug. 6: That was faster than I expected: they’ve decided it’s ready.