Credit Unions, Vendors Eyeing, Testing Windows XP Service Pack

COLUMBIA, S.C. – What takes a couple hours to download on broadband, more like a couple days if you’re using dialup? It’s the new Windows XP Service Pack 2, perhaps the “mother of all patches” and Microsoft’s latest and perhaps biggest bid to help plug the security breaches plaguing its mega-brand of operating systems and Internet browsers. SP2, as it’s becoming known, can be up to 300 or so megabytes to download, less if your patches are up to date. Microsoft does plan to make it available on CD, as well as dole out the updates piece by piece through its automatic system already familiar to many home PC users and presumably all network administrators. The improvements center on helping to block the Internet attacks so often targeted at the biggest target of all. For instance, the existing Internet Connection Firewall feature has been re-named Windows Firewall, activates by default and loads as part of startup before other applications or services. “This fixes the small delay that prior versions of Windows XP exhibited in which the computer booted and the firewall initialized. The Blaster worm, for instance, used this small delay to infect computers that were running Internet Connection Firewall,” says Forrest Rae, a security analyst with Digital Defense, an Internet security services firm based in San Antonio whose client list is heavy with credit unions. Other improvements include making the automatic update utility more user-friendly, such as adding an “express” or “custom” option, the former installing only critical updates automatically. Automatic updates have attracted far more attention than before, after the exploits of the Slammer and SoBig.F worms, and Microsoft is hoping to get more users to take that route. Rae thinks perhaps the most significant upgrade is the non-executable memory pages, or NX, aimed at easing the problems with buffer overruns, in which “poorly coded software receives input from an external source and copies it in to the computer’s internal memory,” Rae says. “Buffer overruns are extremely common attacks and this protection can dramatically improve Windows XP’s resistance to them.” Ken Kinloch, meanwhile, points to the changes “designed to protect users from accidentally downloading or executing dangerous files due to misleading MIME or file name extensions.” The network and security analyst at Boeing Employees Credit Union in Seattle also makes note of “the new Internet Explorer Windows Restrictions which seek to ensure that the title bar, status bar, address bar or the window itself is not hidden from the user.” (Successful phishing attacks often occur when users don’t realize that a Web site is bogus.) Kinloch says the $4.8 billion CU has only about 25 machines running on XP right now, all by IT staffers. The rest of BECU’s desktops will get the operating system in the fall and it will include the upgrades in the service pack, he says. “Due to the significant changes to core functionality, SP2 will require extensive testing,” he adds, comparing it to complete version migrations such as moving from Windows 98 to Windows 2000. Forrester Research, in fact, also makes that comparison and had this to say about the new XP upgrade: “For consumers, enabling Automatic Updates will schedule the automatic download, or customers can call Microsoft to get a CD. But for enterprises, mass deployment of SP2 isn’t a practical reality, and firms should treat SP2 as an operating system upgrade and not just a service pack update. During the rollout, firms need to use the same procedures and tools as a full-scale OS upgrade.” Speaking of new versions of Windows, that’s next. The service pack is intended to keep XP users safe and satisfied as possible until the next complete version, called Longhorn, is released. It’s expected to go out for beta testing sometime next year. “Essentially what is happening here is that some of the simpler security improvements within the Longhorn release are being put in SP2 in order to get them out quickly,” says Josh Daymont, director of Internet security research at Atlanta-based SecureWorks. “Microsoft should be applauded for putting these improvements out,” Daymont says. “However, there is a lot of concern around compatibility with existing applications. “These improvements essentially create a stricter execution environment for every running application, which will foil a hacker’s attempts to exploit flaws, but at the same time these restrictions can kill programs that attempt to take shortcuts for performance reasons, causing previously good programs to fault and shut down,” he says. He says SecureWorks is advising its clients, many of them large credit unions, “to take some time in order to test it for compatibility with all in-house applications before deploying.” That’s also the advice from Chris Kroll, an analyst with credit union Internet banking and security specialist PM Systems Corp./CUDefense in Chapin, S.C. “We typically advise clients to apply patches ASAP, and credit unions should have a patch management program that includes requiring testing of all patches before deployment,” he says. “And in a major release like this, testing should be done on at least critical systems,” Kroll says. He says he hasn’t had a chance to “really look in depth at the new service pack, but best practices and common sense leads me to believe it will better the overall product in functionality and security.” Core processors often are the first place credit unions turn for advice on technical matters, and one leading vendor there, too, says it’s not yet offering advice on SP2. David Turner, CIO of IntegraSys, says his staff will be testing SP2 internally to make sure it works with the Fiserv unit’s applications. “The service pack obviously tackles some pressing issues, and its description sounds like Microsoft has addressed them well,” he says. “Our testing will also show how intrusive pop-up blockers and its other new features that will require more interaction with users will be. We also want to see how the new firewall and other security features interact with existing firewalls.” Of course, at many credit unions, it’s not even an issue. For instance, “we decided last year that because of all the issues that were in XP, not to mention compatibility with our host system software, we would stay with Windows 2000,” says Kelley Ferguson, director of network and security services at $500 million Numerica Credit Union in Spokane, Wash. “We know it works and we know we can manage it,” he says. “That was the deciding factor for us.” -