AUGUST 10, 2004
Windows of Vulnerability No More?
By Stephen H. Wildstrom

Microsoft's Windows XP Service Pack 2 is a major retooling. This makes the operating system safer -- but less convenient to use

Every once in a while, Microsoft (MSFT) sweeps up all the bug fixes and patches that have accumulated for Windows or for major software such as Office or Exchange Server and packages them as a service pack. But Windows XP Service Pack 2, released on Aug. 5 after many delays, is a very different animal. It's a major rewrite of the operating system focused almost entirely on enhanced security. And it makes some aspects of using Windows significantly less convenient -- but a lot safer.

Microsoft will begin making SP2 available for manual download within a few days and will start delivering it automatically to English-language users of the Windows Update service before the end of August, with other languages following as they become available. But the 80-megabyte download is a challenge for anyone without broadband Internet access, so Microsoft will also offer free CDs.

Many of the most significant changes in SP2 affect the Internet Explorer Web browser, which has emerged as the source of Windows' most serious vulnerabilities. IE was designed to make it very simple and convenient for Web sites to download programs to Windows PCs. But the mechanisms designed to keep such downloads safe have proved hopelessly inadequate, and the bad guys have found all sorts of ways to exploit the vulnerabilities to deposit spyware, Trojan horses, and assorted other nastiness onto PCs, sometimes without requiring any action by the user.

WARNING SIGNS. The new browser, which is available only for Windows XP and only as part of SP2, behaves very differently. It starts by blocking any attempt by a Web site to download to a PC any file other than an image or a sound that's part of the Web page itself, unless the user has explicitly requested the data.

Instead of delivering the file, IE beeps and puts up a notification just below the toolbar saying "To help protect your security, Windows Explorer has blocked this site from downloading software to your computer. Click here for options." When you click, you can tell IE to proceed with the download. If the file is a program, you will then be asked whether you want to run it or, in some cases, whether you want to save it to disk. You will face a third level of challenge if Windows cannot determine that the software was digitally signed using a valid digital certificate (see "How a Digital Signature Works" for an explanation of how this technology works). If there's no valid signature, Windows will warn you against installation, though you can still override the advice.

This system, which Microsoft calls Authenticode, has been around since Internet Explorer 3.0 and is based on Internet standards. Until now, however, Microsoft's efforts to push the use of Authenticode have been half-hearted -- Windows raised only the mildest objections to installing unsigned programs.

WHAT'S IN A SIGNATURE. Many software publishers, including some who deal in security applications, haven't bothered signing their downloadable programs. For example, the Firefox browser from the Mozilla Foundation, a clean and very fast alternative to even a safety-enhanced Internet Explorer, isn't signed, so the new version of Windows will balk at installing it. Ad-aware from Lavasoft and Spybot Search&Destroy, two leading anti-spyware programs, also lack proper signatures. On the other hand, Apple's (AAPL) iTunes for Windows and the Google Toolbar were properly signed and installed without a hitch.

Code signing serves two important purposes. First, it creates accountability by telling consumers who the actual source of a program is. Second, it protects against legitimate programs being hijacked and replaced with malicious substitutes (yes, this has happened, but fortunately not with widely used programs).

Service Pack 2 now gives publishers a big incentive to sign their programs, since consumers will properly balk at overriding Windows' objections to installing programs without valid signatures. Obtaining a digital certificate and signing code isn't very difficult and costs as little as $400. It's long past time for all software publishers to get with the program.

Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash Product Reviews, only on BusinessWeek Online.
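The three outcomes the column describes for a downloaded program (valid signature, no signature, signature that does not check out) can be reproduced for a folder of downloads with Windows PowerShell's built-in Get-AuthenticodeSignature cmdlet. This is an added example, not code from the article or from Microsoft; the cmdlet postdates SP2, and the folder path and file list are assumptions.

```powershell
# Added example: classify downloaded files the way the SP2 install prompt does.
# A valid Authenticode signature clears the file; anything else gets the
# warning the column describes. Get-AuthenticodeSignature is the standard
# Windows PowerShell cmdlet for the Authenticode check; the folder path is
# hypothetical.

function Get-DownloadSigningReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path,                               # folder holding the downloads
        [string[]]$Extensions = @('.exe', '.msi', '.dll', '.ps1')
    )

    Get-ChildItem -Path $Path -File |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            # Mirror the article's outcomes: a valid signature installs quietly;
            # an unsigned or broken signature draws a warning before install.
            $verdict = switch ($sig.Status) {
                'Valid'        { 'OK: signed by ' + $sig.SignerCertificate.Subject }
                'NotSigned'    { 'WARN: no digital signature (SP2 would warn before install)' }
                'HashMismatch' { 'WARN: file changed after signing; possible tampering' }
                'NotTrusted'   { 'WARN: signed, but the certificate is not trusted' }
                default        { 'WARN: ' + $sig.StatusMessage }
            }

            [pscustomobject]@{
                File    = $_.Name
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Verdict = $verdict
            }
        }
}

# Run over a hypothetical downloads folder and list the results; HashMismatch
# entries are the "hijacked program" case the column mentions.
Get-DownloadSigningReport -Path "$env:USERPROFILE\Downloads" |
    Format-Table -AutoSize
```

Piping the report through `Where-Object { $_.Status -ne 'Valid' }` lists only the files that SP2 would have warned about.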