Tuesday, September 07, 2004

Are you scared by news reports about SP2? 

There have been some scare headlines lately about "security holes".

The first question to ask about XP Service Pack 2 is, "Am I better off with it or without it?". If you're in my audience of home and small business users the answer is yes. You can figure that out on your own by noticing that SP2 solves more problems than it causes.

The second question to ask about the press reports is "How much do the reported problems really matter?". You need to ask somebody technical (like me) to get a good answer. The answer is "Well, not really".

I'm not the only person thinking this way. Columnist Tim Mullen has some colorful comments about the press coverage. He gets the technical issues right! Some good quotes from his column:

If arbitrary code has been run on your computer, then it's not your computer anymore.

He's talking about one of the "holes", which is that bad software can turn off the firewall and make you think the firewall is still on. A detailed analysis of this "vulnerability", in technical terms, is Well Duh. A program running on your computer can do what you can. Operating systems that can defend you against software running on your own machine are rare and specialized.

That quote, by the way, is the same thought as Microsoft's First Immutable Law of Security: if you let a bad guy run a program on your computer, from then on it's his computer instead.

Another Mullen quote, about the problem where picking up an image and moving it could secretly install a program:

Even "http-equiv," the one who released proof of concept code for the "drag-and-drop" vulnerability in IE, still recommended that people install XP SP2, even as he described one of the few real issues that were found in the service pack (it was actually an IE problem that worked with SP1 as well).


There's plenty of real stuff to be, not scared of, but aware of. SP2 isn't one of the things to be concerned about -- just install it. There are too many people willing to scare you into handing over your money. One service I'm proud to provide is sorting out significant threats from the exaggerated ones.
