Service Pack 2 (SP2) for Windows XP changed or eliminated more than 400 significant features in the operating system and also eliminated two previously undiscovered classes of security flaws, Microsoft has revealed.
The software company revealed some of the work that went into SP2 at a Canadian security conference last week, with the aim of convincing reluctant organizations that SP2 really is worth installing, according to a report published by security firm SecurityFocus. While SP2 is considered a significant improvement for Windows security, some companies have been reluctant to roll out the update because it requires thorough testing and breaks compatibility with some Windows XP applications.
Speaking at the CanSecWest conference in Vancouver, Microsoft security strategist Window Snyder [apparently his real name] said the company changed or removed 428 Windows XP features considered security loopholes. Fifty-one of them were in Internet Explorer and 107 were in Windows XP's networking functions.
The company also discovered two "entire classes of vulnerabilities" that have never been reported outside the company, Snyder said in the report. While declining to provide details, Snyder said the vulnerability types had been wiped out.
Prompted by a third-party security review that uncovered a large number of integer overflows, Microsoft launched a crackdown on this type of flaw, delaying the update by six weeks, the report said. It was just "the right thing to do", Snyder said.
Since launching its renewed focus on security - of which SP2 is the centerpiece - Microsoft has gone out of its way to portray itself as having changed its policy of putting product schedules ahead of security, and Snyder's comments reinforced this marketing message.
The company is in no danger of taking its schedule for Longhorn - the next version of Windows - too seriously, according to many industry observers, who wonder if the product will ship this decade. When it does ship, Microsoft at least has promised it will be very secure.