Security

Microsoft Ends Support For Windows XP SP2

Graphic: Diego Aguirre
Microsoft on Tuesday officially retired Windows XP Service Pack 2 (SP2), the company's most significant service pack, several security experts said.

"Windows XP SP2 was a game changer," said Wolfgang Kandek, chief technology officer of Qualys, a California-based security risk and compliance management provider.

"SP2 was a major, major course correction by Microsoft," added John Pescatore, an analyst who covers security for Gartner Research. "It was the first time that Microsoft could tout Windows as being secure."

Microsoft set Tuesday as the end of support for Windows XP SP2 , and used the day to deliver its final security patch . To receive any further fixes, security or otherwise, users must run XP SP3 or upgrade to a newer operating system, such as Vista or Windows 7 .

"Customers who have not migrated from [SP2] are encouraged to upgrade immediately, either to Service Pack 3 or to Windows 7," said Jerry Bryant, a general manager with the Microsoft Security Response Center (MSRC), in an e-mail today.

The end of support for XP SP2 also marks the end of an era, security experts said today as they gave, if not eulogies, then best wishes and a retirement gold watch to the service pack.

"Compared to SP2, every other service pack has been just housekeeping," said Kandek. "Windows 7 SP1, which just went into beta, is just another SP."

When it launched in August 2004, XP SP2 was characterized by almost everyone as a departure from the norm because it wasn't only a collection of previous-released patches and hotfixes -- the precedent -- but also included new features, most notably in the security arena.

"It was the first service pack where Microsoft flat out said, 'There's a whole bunch of improvements here, and we're mixing them in with fixes," said Pescatore. "It's taken a lot of attention away from the [succeeding] service packs. Compared to XP SP2, recent service packs are not that big of deal."

XP SP2 received kudos for deploying Windows' first on-by-default firewall, a security-status dashboard, and the first-ever attempt at blocking attacks using DEP, or Data Execution Prevention.

It was also the first operating system released after Microsoft declared it would beef up Windows security, a reaction to just-as-public massive attacks by network worms, especially 2003's SQL Slammer .

"It is huge in my mind," said Richie Lai, Qualys' director of vulnerability research. "Turning on the firewall by default was huge at the time. SP2 essentially forced attackers to move up the stack to target client applications, not operating systems."

Jason Miller, the data and security team manager for Shavlik Technologies, agreed. "SP2 was the first time you got a true firewall embedded in Windows," he said. "Before that, firewalls were always considered strictly a perimeter defense. You were geeky if had a firewall on your machine."

The fact that XP SP2's Windows Firewall could be managed by network administrators was also a big deal, Miller added. "Before SP2, you had to pay money for a local firewall, and they weren't easily managed," he said. That meant individual PCs were rarely protected by on-board firewalls as a back stop, leaving them unprotected to attack if malware, such as a worm, somehow snuck through a company's perimeter defenses.

"The firewall largely took away that kind of attack," Miller said.

Lai traced a direct connection between XP SP2 and the decrease in network-targeted attacks like SQL Slammer, and the resulting increase in exploits of desktop software, such as Microsoft's Office, or third-party programs, like Adobe's Reader.

Windows XP SP2 was hardly perfect. During its nearly-six-year run Microsoft patched it with over 250 security updates, issuing the largest number (52) in 2006. Even early on, it had problems: Just days after its launch, security researchers spotted two flaws that could let attackers sidestep its new defenses.

Bottom line, however, XP SP2 will be remembered by security professionals more for its successes than for its failings.

"It's an end of an era," said Oliver Lavery, the director of security and research and development for nCircle, of XP SP2's retirement. "It was definitely a big move toward better security, and I think it's legacy has proven successful."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about windows in Computerworld's Windows Topic Center.

Subscribe to the Security Watch Newsletter

Comments