Worried that the full release of its Windows XP Service Pack 2 (SP2) will break and disrupt existing applications, Microsoft has created an online training course for developers to explain the intricacies of the security-centric OS update.
The launch of a training course is an unusual move for the software giant, which has changed many Windows XP defaults to tighten security and to simplify the software update process. “[SP2] is more than a normal roll-up of bug fixes. It is also being used to deliver a significant upgrade to enhance Windows XP security,” the company said on its Microsoft Software Developer Network (MSDN) portal.
The service pack, now in beta, will make significant changes to deal with increased network protection,
memory protection, improved e-mail security and enhanced browsing security;
but these changes will lead to major disruption unless developers tweak
their applications, the company explained.
Enterprise developers are urged to pay attention to the changes in
network protection. Specifically, Windows Firewall, the RPC Interface and
DCOM Security enhancements have been modified in SP2. Unless developers
prepare for these changes, there will be disruptions.
For instance, the Internet Connection Firewall (ICF) will be turned on by
default to reject unsolicited inbound connections through TCP/IP version 4
(IPv4). In a detailed explanation, Microsoft made it clear
that IT administrators and users must make specific changes to allow
applications to open certain ports.
“Windows Firewall includes an explicit setting in the firewall to enable
the automatic opening and closing of ports for RPC for each profile. Thus,
applications and services do not have to open specific ports in order to use
RPC for inbound connections. By default, however, RPC will be blocked by
Windows Firewall. This means that an application or service needs to allow
the RPC ports in Windows Firewall during the installation process,” the
company explained, noting that some older applications may need to be
manually configured.
With SP2, Microsoft is also introducing Execution Protection to protect
memory space from misuse. The company explained that Execution Protection
would prevent code execution from data pages such as the default heap,
various stacks, and memory pools. But, Microsoft warns, some application
behaviors are expected to be “incompatible with execution protection.”
“Applications which perform dynamic code generation (such as Just-In-Time
code generation) that do not explicitly mark generated code with Execute
permission might have compatibility issues with execution protection.” The
company is supplying specific instructions and code samples to explain the
implications of the changes for application developers.
Developer implications for changes in e-mail security and enhanced browsing have also been posted as part of the course manual.
As previously reported, the enhanced browsing changes include a major overhaul to the Internet Explorer browser. Specific changes include a new add-on management and crash detection tool and several modifications to the browser’s default security settings.