How to avoid Service Pack 2 - safely
Service Pack 2 for Windows XP sacrifices everything to Microsoft’s new god, Security.
This is an about-face on the company’s former policy for operating system updates. The old approach was to twiddle and tweak while maintaining backwards compatibility, an attempt to “fix” systems while allowing people to continue using their favourite programs and hardware.
Service Pack 2 sticks the boot into backwards compatibility. It’s an app-breaker of an update...and that’s not all bad.
The somewhat draconian nature of SP2 is welcome because the average user is either ignorant or slack or both when it comes to computer security. And that, in a way, is how it should be. Unless you are into computers for their own sake, you shouldn’t have to bother with constant updates, downloads and adjustments to ensure you’re safe while you surf or read e-mail. That should all happen, if not automatically, then at least with minimal intervention on your part. For the average user, a computer should be a tool for accomplishing specific tasks, not a hotrod which needs coddling and close attention to function smoothly.
And so Microsoft’s ditching of backwards compatibility in favour of strict and automated security is a good move. For most people, Service Pack 2 is a must-have upgrade. It maximises security on your behalf, it automates Windows Updates, and it becomes your security watchdog for the future. Yes, it may break a few applications when you first install it, but that should be easily fixed with updates from the third-party software developers, and the payoff is undoubtedly worth the one-time effort to make the upgrade.
But what if you’re not “most people”? What if you have a critical application that SP2 will break and break hard? What if you have a custom-written piece of software – the original programmer long since vanished – which is stymied by SP2’s new security features? What if you prefer to manage your own security, thank you very much? What if you just don’t trust Microsoft to do the job properly? “Trustworthy computing,” after all, is a nice catch cry, but Microsoft has yet to prove the phrase applies to any of its products.
If you fall into any of these categories, is it possible to live safely without SP2?
The answer is a qualified yes. You can continue SP2-less provided:
* You’re prepared to take responsibility for managing your computer’s security;
* You dump the security sieve known as Internet Explorer (see my article Five reasons to ditch Internet Explorer);
* You avoid risky behaviour.
The risks
Before you decide to go down this road, you need to be aware of what you’ll miss out on by not installing SP2:
* Rewritten core code, designed to prevent common Windows vulnerabilities such as buffer overflows.
* Better wireless networking support.
* A more efficient and configurable Windows Update procedure.
* A much improved Windows Firewall.
* A centralised Security Center for monitoring your anti-virus and firewall readiness and checking the status of your Windows Updates.
* Much improved Internet Explorer security, including pop-up blocking and automatic download protection.
* Attachment security for Windows Messenger and Outlook Express.
The first two are the real gems in the upgrade. If you don’t use wireless networking, that short list of essentials is whittled down to a solitary item: the rewritten core code. That code rewrite is an added layer of protection you’re not going to get any other way.
Still, it is yet to be seen whether the new code is any more secure than the old. Given the recent spate of particularly nasty XP and IE security flaws, one wonders whether the code, as it stands, is in fact fixable, or whether we’ll have to wait for the release of Longhorn (Windows 2006? Windows 2007?) to see a secure version of the operating system.
All the other items in that list are nice enough, but unnecessary if you already manage your own security and you’re prepared to abandon Internet Explorer and opt for a more secure browser (which means almost any other browser). You’ll also find many better firewalls than the Windows Firewall and the Security Center is nothing more than pretty fluff if you regularly update your anti-virus software and keep your system patched.
The real problem with not upgrading to SP2 is that Microsoft may, at any time, cease to support XP systems which have not been SP2ed. For instance, new patches may require you first install SP2, or Microsoft technical support may insist you install the upgrade before offering you assistance. At some point, you may find yourself forced to make the upgrade.
Still, if you have good reasons for not wishing to upgrade, it’s quite possible to put it off, if not avoid it completely.
Going it alone
By not installing SP2, you’re doing without several major security advances at a time when the online computing environment is becoming increasingly malicious, so you’ll need to be prepared to secure your system yourself. None of the following should be startlingly new to you – if it is, perhaps you really should install SP2 after all – but you need to be particularly assiduous in your precautions:
* Make sure your anti-virus software is up to date and you have it set to monitor your system continuously. Check your anti-virus monitor each time you reboot your system – some spyware and viruses deliberately disable automatic monitoring. Adjust updating options, such as Norton Antivirus’s LiveUpdate, to update your system automatically. Make sure your anti-virus software includes both e-mail and instant messaging scanning.
* Use anti-spyware tools such as Ad-Aware, Spybot Search & Destroy and Microsoft Windows AntiSpyware, and update their reference files frequently. Run the background monitoring tools provided in the software to block attempted hijacks and infections.
* Use a reputable firewall and take the time to configure it for your system so you can maintain maximum protection while allowing legitimate apps free access to the Net.
* Use Windows Update regularly to ensure your system is patched. Manually download and configure updates for XP – don’t use automatic settings.
* Use Internet Explorer only if you must. It’s one of the biggest security holes in your system. Don’t use IE ‘wraparound’ browsers, like CrazyBrowser, either. Instead, use a standalone browsing alternative such as Firefox or Opera. If you currently use Outlook Express for e-mail (another big vulnerability), consider getting Mozilla or Opera, which both contain excellent e-mail clients, or Thunderbird, the e-mail companion to Firefox.
* Even if you don’t use Internet Explorer, never assume your browser is safe. Keep security settings as high as you comfortably can and use safe surfing practices. Read before you click; don’t click links in spam or e-mail from unknown sources; use anti-phishing aids such as Spoofstick.
* Be careful using e-mail. Install good anti-spam software such as Ella or MailWasher. Turn auto-preview off in all folders except your inbox (you may even wish to turn it off there as well); don’t open attachments from unknown sources or which appear unexpectedly from someone you do know; don’t connect to any financial institution from a link in an e-mail – visit the site directly by typing its address in your browser.
* Establish a multi-level backup routine, preferably with three cycles: daily, weekly and monthly or, if your data doesn’t change very often, weekly, monthly and quarterly. This way, if your computer is infected and it takes you a week or longer to notice, you won’t discover that all your backups, too, are infected. Invest in drive imaging software and an external drive – nothing beats it for backup security.
* Keep abreast of security issues on the Net. Visit PC Hell for the latest news on browser hijackings and other security issues. Use Steve Gibson’s Shields Up and Leak Test sites to check for soft spots in your firewall. Check out the latest security alerts at the Internet Storm Center, Security News Portal, CERT and Secunia.
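To see why the three-cycle backup routine above matters, here is a small added example (not part of the original article) that works out which backups survive a rotation and which of them pre-date an infection. It assumes one backup per day, with Sunday's copy kept as the weekly and the 1st of the month kept as the monthly; the dates and retention counts are constructed for illustration.

```python
from datetime import date, timedelta

def retained(today, daily=7, weekly=4, monthly=3, history=120):
    """Return the set of backup dates still on disk under a three-cycle rotation.

    Assumption: one backup is taken every day. The weekly copy is Sunday's
    backup and the monthly copy is the backup from the 1st of the month.
    """
    days = [today - timedelta(days=n) for n in range(history)]  # newest first
    keep = set(days[:daily])                                     # daily cycle
    keep.update([d for d in days if d.weekday() == 6][:weekly])  # Sundays
    keep.update([d for d in days if d.day == 1][:monthly])       # 1st of month
    return keep

def clean_copies(kept, infected_on):
    """Backups taken before the infection date, oldest first."""
    return sorted(d for d in kept if d < infected_on)

if __name__ == "__main__":
    # Constructed scenario: infected on 10 March, noticed on 23 March.
    today, infected_on = date(2005, 3, 23), date(2005, 3, 10)

    single_cycle = retained(today, weekly=0, monthly=0)  # last 7 dailies only
    three_cycle = retained(today)

    print("Daily-only clean copies :", clean_copies(single_cycle, infected_on))
    print("Three-cycle clean copies:",
          [d.isoformat() for d in clean_copies(three_cycle, infected_on)])
```

With only a week of daily backups, every copy on disk post-dates the infection; the weekly and monthly cycles are what leave a clean restore point.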
Is there a problem?
If your main concern about SP2 is that it will break a crucial application or piece of hardware, before you decide to do without the service pack you may wish to check to see if there really is a problem.
Here are two ways to do that:
1. If you have a second XP-capable PC sitting around, use it as a test machine:
* Do a clean install of Windows XP.
* Install the software and hardware you wish to test. Make sure everything’s working correctly before you proceed.
* Download and install SP2.
Note that unless the two machines’ specs and setup are identical, what works/fails on one computer will not necessarily work or fail on the other, but provided the two configurations are near enough it’s still a pretty good indication.
2. If you don’t have a spare machine, but you do have drive imaging software and a second (preferably external) hard drive, test SP2 on your work machine:
* Do a complete system drive image and check that you can restore from it successfully.
* Install SP2 and test your applications and hardware.
* If things don’t work out, restore the drive image.
The advantage of this approach is you can see exactly how SP2 runs on your work machine; the disadvantage is – even with a backup – you’re testing new software on a machine you can’t do without.
Your no SP2 kit
Here’s a list of tools you’ll need to keep your system operating smoothly without Service Pack 2.
Browsers
* Mozilla Suite
* Firefox
* Opera
E-mail
* Thunderbird
Anti-spyware
No anti-spyware program does a complete job of preventing spyware infestations. The best defence is to use a combination of tools. My preference is to use Ad-Aware Professional, Spybot Search & Destroy and Microsoft Windows AntiSpyware (the latter two are free) for general anti-spyware sweeping and disinfection, plus some specialist tools such as CWShredder.
* Ad-Aware Standard (it’s free, but Ad-Aware Professional does a much better job)
* Spybot Search & Destroy
* Microsoft Windows AntiSpyware
* CWShredder
* Hijack This
* About:Buster
Anti-phishing
* Spoofstick
Anti-spam
* Ella
* MailWasher
Firewall
* ZoneAlarm Free