Service Pack 2: Patching the unpatchable

By Rupert Goodwins
Posted on ZDNet News: Jul 15, 2004 12:02:00 PM

COMMENTARY--Two and a half years after promising a secure Windows, Microsoft is within a month--maybe--of releasing Windows XP Service Pack 2. It will do a lot to fix viruses and Trojans, but like a tired old general always fighting the last war it won't do much for the current and most lethal security threats we face.

Spyware is more malicious, more dangerous and ultimately more threatening than any other hazard facing us online. Over the past six months, it's come to take up more of my time than any other problem--friends' computers are riddled with the stuff, it's behind most corporate firewalls, often in force, and it doesn't give up without a fight. The potential for serious damage to the way we like to work is considerable: if things carry on as they are, we will lose the ability to run personal computers as we know them.

Spyware is more dangerous than viruses primarily because its success depends on it remaining hidden: if it attracts attention to itself, it risks removal. And unlike viruses, there's a lot of money being invested. Virus writers are over-talented misfit loners, engaged in online contests with their peers. Spyware writers are paid professionals operating to commercial standards, often as part of a sophisticated and multi-layer marketing effort.

The result is a series of exceptionally precise parasites, each building on the lessons of the last. The most tenacious know enough about Windows to survive detection and deletion, hiding copies of themselves away to regenerate after excision. Windows, being of baroque construction with some elements dating back to the Neolithic, offers many dark nooks and damp crannies to hide this stuff: a quick check on a laptop fresh out of the box this afternoon revealed 17,773 files. Nobody on this or any other planet knows what they all do.

Designers of spyware have an embarrassment of choice when it comes to ways to hide their cleverness. Between the time you turn your computer on and the time the hard disk light goes off, the computer goes through six different phases. Each corresponds in some sense to a historical step in the operating system's evolution from its distant single-user, single-tasking ancestor--and each loads information from many different sources. (If you want to see the full horror, check Microsoft's own description of the process http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmc_str_reii.asp but be sure to take a native guide and a full canteen of water.) The security stuff, of course, goes in last, well after various other services have woken up and long after the more advanced spyware has dug its tendrils deep into the system.

It is this rich, confusing mess of twists that allows spyware to thrive, and there is no reason to think SP2 will solve this problem. It does add some new tools to manage Internet Explorer--one of spyware's primary routes into the system--which will help clear out some of the beasties, and it takes a more intelligent approach to start-up management by not starting many services until the security stuff is ready. Many existing examples of spyware will be caught and defanged: many others will not. And all future spyware products will be designed to operate in a SP2 environment, safe among the many Windows intricacies that remain.

We can do something to minimize the threat. Any company, government department or organization that insists on Explorer and Active X to provide an online service should be publicly laughed to shame. It's not necessary: it's like denying access to a shopping mall to anyone who isn't driving a Ford SUV equipped with Firestone tires. With things as they are, any attempt to use Windows browser controls to filter out the bad stuff will be swamped by 'legitimate' controls requesting installation: users will just give in and take the lot, as is their right when asked to micromanage the technicalities of a complex operating system.

In the end, Windows must evolve in a different direction. Its biggest lack is applications management. Stuff that's installed must remain detectable and removable or not be allowed in at all. All we have now is the Control Panel's Add or Remove Programs applet, which a program must choose to register with when it installs. Clearly, spyware isn't going to do any such thing: registering with the system must be non-optional before execution rights are granted and what the software can then do has to be properly monitored and restricted.

.Net, C# et al have some of this, but while Windows drags around its unprotected past there's really not much point. It's like Lockheed designing a fighter where only the cockpit has stealth protection: the wings and engine remain flapping in the breeze, liable to any old whoosh-bang-nasty.

And if Windows can't so evolve, then we must change our operating system. It could be Longhorn, if Longhorn is fierce enough, it could be Linux: even the Mac OS could be ported to the PC and be presented as a fair competitor to the mess we've inherited. What we cannot do is accept the status quo or any variant thereof: Service Pack 2 is no answer.

biography
Rupert Goodwins is the technology editor for ZDNetUK.