Windows' popularity is partly what makes it so vulnerable to attack. With more than 90 percent of all desktop PCs running Microsoft's operating system, hackers and crackers virtually ignore other platforms.
But Windows XP, as delivered on a new PC or through a software upgrade, is unnecessarily vulnerable to attack from the Internet, a fact that has enabled worms like last year's Blaster and this year's Sasser to disable hundreds of thousands of PCs.
It's not too difficult to lock down Windows XP against viruses, worms, spam, spyware, browser hijacking, and attacks that take advantage of flaws in the OS and Internet Explorer browser (see the PC World article "Lock Down Your PC"). The key elements to success are downloading updates regularly; using antivirus, firewall, and antispyware utilities; and avoiding dangerous e-mail attachments and browser plug-ins. Nevertheless, even these basic steps are difficult enough to manage that vast numbers of Windows users aren't doing them.
Microsoft aims to change that by releasing the free Windows XP Service Pack 2 update this summer. Service Pack 2's improvements and additions are mostly security related, starting with a new Windows Security Center Control Panel applet that pulls together status reports and settings for Windows' own firewall, its Automatic Update feature, and some third-party antivirus programs.
Although two key security features will receive small improvements in Service Pack 2, the biggest change for these features is that you no longer have to switch them on. Windows' firewall is enabled by default for all network connections, and Microsoft strongly encourages you to enable the Automatic Update feature immediately after installing the Service Pack.
Several of Service Pack 2's other main security fixes affect the Internet Explorer browser. Most competing browsers include tools that prevent Web sites from opening pop-up windows, which usually contain advertising. With SP2, IE gets a pop-up stopper that is enabled by default. IE will also do a better job of blocking unwanted executable code (i.e., malicious programs), and make it harder for users to lower IE's security settings to permit those downloads.
Despite these and other fixes, Service Pack 2 doesn't close every security loophole. Although it will block the likes of Blaster and Sasser, the Windows firewall still filters incoming traffic only. It does nothing about outbound connections, making it useless against Trojan horse, backdoor, and spyware threats that may already be on the PC itself. Because of this glaring omission, Internet-connected Windows users should still use a third-party bidirectional firewall such as Sygate Personal Firewall or ZoneLabs ZoneAlarm, both free downloads.
And though Internet Explorer will now be somewhat less prone to hijacking and malicious plug-ins, browsers such as Mozilla that don't support Microsoft's executable ActiveX control code are even safer.
The bottom line: Windows XP users should install Service Pack 2 when it becomes available, but shouldn't let their security efforts stop there.