RealTime IT News

Microsoft XP SP2 Blog Watch

Microsoft watchers turn to the ranks of the software company's employee bloggers for info that never makes it into the notoriously tight-lipped company's official communications. But they'd better hurry: Posts can disappear as quickly as they spread across the Web.

In one item posted and removed on Tuesday, a Norwegian Microsoft manager published an e-mail from Redmond to partners detailing its distribution plans for the service pack. In a separate blog, a Microsoft developer explains how the team honed its vision for what XP SP2 should encompass.

In his blog, Jan O. Kiese, partner group manager for Microsoft Norway, posts concrete details about the rollout for the service pack, released to manufacturing on Monday.

"This is a partner-ready mail, distributed internally in Microsoft to partner-managers so we can communicate with our partners," Kiese told internetnews.com.

On Monday, according to the e-mail, the Network Install Package was posted to the Microsoft.com Download Center and the main technical subscription programs. "This SP2 package is intended for IT Professionals and Developers and will not be broadly publicized," the e-mail states.

According to the blog, Redmond will begin a low-volume release in English via Automatic Update, initially limited to those who have downloaded and installed pre-release versions.

In mid-August, business customers who use Software Update Services will begin to be prompted to download the service pack. By the end of August, Microsoft expects to make its downloads available to all, with a limit of 2.5 million downloads a day.

A Microsoft spokesperson couldn't confirm whether the low-volume release would begin today, but he said that the end of August target for full distribution is correct.

In a Microsoft corporate blog, Tony Chor, group program manager for the Internet Explorer team, provided insight into the development process, from spec to gold master.

"After setting goals and defining the scope of the project," Chor wrote, "the team realized that time was too short to do everything it wanted to. That's when the security orientation of this service pack took shape. The specific goal was preventing users from having their machines taken over by malicious code." "There were a bunch of other good things that happened," Chor writes, "but security was clearly the focus."

For Internet Explorer, the team realized it needed to make architectural changes to beef up the machine's defenses and improve the UI to help users make better security decisions for themselves by giving them clearer messages and more control.

IE divides the world into five trust zones: restricted, Internet, intranet, trusted, and local machine zone (LMZ). Attacks that allow malicious sites to move from a zone of lower privilege to one of higher privilege are known as zone elevation attacks. IE also walls off the different domains accessed by the computer, so that the script and controls from one site cannot access the information on another site, in order to prevent what are known as cross-domain attacks.

"In XP SP2, we strengthened the barriers between zones and between domains," Chor writes. "We give the user an opportunity to stop the attack by blocking active behaviors in the LMZ and thereby stop the attackers from really utilizing the capabilities of the LMZ.

"We have improved the fences and doors that separate your yard from the street and your yard to your house," Chor explained in the blog. "If someone manages to get through the barriers, s/he will find your valuables locked in a safe inside the house. We have made it harder to break in and less interesting if you do."
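The zone and domain barriers described above can be sketched as a small decision model. This is an added example, not code from Microsoft or from Chor's blog; the zone ordering follows the order in which the article lists the zones, and the site lists, event names and sample events are constructed assumptions.

```javascript
// Added illustration: a simplified model, not Internet Explorer's implementation.
// Zones in ascending privilege, in the order the article lists them (assumption).
const ZONES = ["restricted", "internet", "intranet", "trusted", "local-machine"];

// Constructed site lists standing in for a user's zone settings.
const TRUSTED_SITES = new Set(["partner.example.com"]);
const RESTRICTED_SITES = new Set(["ads.example.net"]);

// Map a URL to a zone: local files are LMZ, listed hosts follow the lists,
// dotless host names count as intranet, everything else is Internet.
function zoneOf(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "file:") return "local-machine";
  if (RESTRICTED_SITES.has(u.hostname)) return "restricted";
  if (TRUSTED_SITES.has(u.hostname)) return "trusted";
  return u.hostname.includes(".") ? "internet" : "intranet";
}

// Zone elevation: content in one zone reaches into a more privileged zone.
function isZoneElevation(fromUrl, toUrl) {
  return ZONES.indexOf(zoneOf(toUrl)) > ZONES.indexOf(zoneOf(fromUrl));
}

// Cross-domain access: script from one origin touches another origin's document.
// file: URLs have no usable origin, so only the identical file counts as same.
function isCrossDomain(scriptUrl, docUrl) {
  const a = new URL(scriptUrl), b = new URL(docUrl);
  if (a.protocol === "file:" || b.protocol === "file:") return a.href !== b.href;
  return a.origin !== b.origin;
}

// Decide one event. kind is "navigate", "script-access" or "active-content"
// (hypothetical event names for this example).
function verdict({ kind, from, to }) {
  if (kind === "navigate" && isZoneElevation(from, to)) return "block: zone elevation";
  if (kind === "script-access" && isCrossDomain(from, to)) return "block: cross-domain";
  if (kind === "active-content" && zoneOf(to) === "local-machine") return "prompt: active content in LMZ";
  return "allow";
}

// Constructed sample events.
const SAMPLE_EVENTS = [
  { kind: "navigate", from: "http://www.example.org/a", to: "file:///C:/docs/help.htm" },
  { kind: "script-access", from: "http://a.example.org/x.js", to: "http://b.example.org/" },
  { kind: "active-content", from: "file:///C:/docs/help.htm", to: "file:///C:/docs/help.htm" },
  { kind: "navigate", from: "http://hr-portal/home", to: "http://www.example.org/a" },
];
for (const e of SAMPLE_EVENTS) console.log(e.kind, "->", verdict(e));
```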

But the SP2 team needed to make users more involved in their own security, and that meant improving the interface and the software's automatic alerts and messages.

SP2 provides clearer dialogs for activities such as installing software, and adds some tricks to prevent spoofing. For example, to prevent scamsters from covering an address window or dialog box with deceptive text, IE windows in XP SP2 cannot cover the IE UI.

Users now have to take explicit action to download files, open new browser windows or change the home page.

"IE in XP SP2 stops all currently known critical exploits," Chor writes, "so it's a heck of a lot more secure than pretty much any other browser."