Microsoft has extended the SP2 blocker to April. So now Automatic Updates won’t install SP2 until a whopping 8 months after the patch became available. Great :-/ .
A lot of companies are claiming that SP2 is a big update and that they need time to test their systems and ensure that their existing software works – and acquire patches or replacements for software that doesn’t work. Which is fair enough.
Except that there’s been a publicly available release candidate of SP2 for 5 months now. Okay, it wasn’t the final release, but it was a release candidate and there haven’t been any huge changes since. Any company that really cares about security (which should be all of them) would have set aside some test machines with setups identical to those used within the organisation, deployed the release candidates on them as they became available, and worked through whatever broke. Then, when the final patch came out, they could install that, ensure that none of the minor changes in it affected anything, and then deploy it.
Of course, you’ve got the problem of software houses that haven’t released SP2-compatible patches for software yet, and so holding back for them is advisable. But then surely the software houses should have been keeping an eye on SP2 as well.
Despite what has been put forward in the media, SP2 is not just Windows with a better firewall and popup blocker. There have been some major architectural changes to considerable parts of the operating system to ensure that any security flaws discovered in future won’t adversely affect systems in the way that CodeRed, Nimda, Blaster and Sasser have. Things like prevention of Buffer Overflows and the locking down of DCOM – backend stuff that means nothing to many users but ultimately will make Windows less exploitable in future.
We’re now hitting a time where “0-day vulnerabilities” like Download.ject, where code for exploiting flaws is found in the wild before the flaws have been reported, are getting more common. We can’t rely on patches and hotfixes forever – we need to stop these problems from happening in the first place. And SP2 goes a long way towards that.
Microsoft will have extended the grace period for SP2 because of pressure from its customers, but had those customers and the other software providers been better prepared this wouldn’t have been necessary. By all means test patches out, but you’re already 4 months behind. By the time April comes around, there will have been a publicly available version of SP2 for a whole year, and resources for dealing with the changes in SP2 freely available for almost as long.
If you think I’m living in some fantasy world then you may be surprised to hear that some companies have done exactly what I have suggested, and they’re now running SP2 across the enterprise. The company that and Cobaltfish work for. Okay, so they’re not exactly Novell or IBM but if they can do it then so can many others.