Charles Arthur On Technology

Windows solves the security bug
Click to follow
The Independent Online

The past couple of weeks on these pages have been about alternatives to Windows, with the experiences of users who've moved away because they finally got tired of fighting off viruses, spyware and adware. But of course for most people, such an idea is (a) far too much hassle, and (b) technically, far too demanding. Let's face it: for most of us, our computers are tools or appliances rather than pets. And for most people, that tool or appliance runs Windows.

The good news is that Microsoft has come up with an update to Windows XP called Service Pack 2, which is almost entirely focused on security. It's free (you can get it by calling the company, or applying online); it's quick to install; and it will render your machine far less vulnerable to online attack than before.

I've installed it on a Windows laptop I run, and the experience was all positive. For the average home or small-business user, there is no reason for delaying: get SP2 and install it right away. (More details about how to obtain it are at the end of this article.)

SP2 rolls up dozens of security upgrades to the Windows operating system, and also to the Internet Explorer browser and Outlook Express, in one chunky 200-megabyte dollop. But this is more than just a simple update, the sort of thing that runs and leaves you none the wiser about what's happened.

On a three-year-old laptop, running a version of XP that's probably more than a year behind on its security updates, installation from CD took around 20 minutes, after which the machine has to be restarted. It seemed slower booting up than before, but this was clearly an information-gathering phase.

The first difference comes before the user login screen: you're asked to turn on "Automatic Updating" (you can defer this, but it's a good idea, and can work well even over dial-up connections). Next, and still before you log in, you're shown the security centre, a new control panel which pulls together information about the status of your firewall, updates and virus protection.

By default, SP2 turns on the firewall in XP - something I think should have been done in XP originally in October 2001. Even then, plenty of virus- and Trojan-writers were exploiting the lack of firewall protection. The Windows XP firewall is a good one, and can be used instead of free alternatives.

If you haven't got antivirus software, or if it's out of date, you're advised to find a supplier and get up to date. Generally, your safety level is given via new, coloured "shield" icons: green for "more secure", yellow for "warning: potentially harmful" and red for "not recommended".

There's even a tiny advance to Internet Explorer: it can now block pop-up windows, that bane of online life, which pretty much every other browser has done for about two years. The only ones who will cry at this are pop-up advertisers, and I'm not going to join them.

SP2 also introduces new checks on ActiveX, which was originally Microsoft's "answer" to Sun's Java, but instead became a source of more flaws in Internet Explorer than anything else, allowing websites to download programs that would silently take over your machine.

SP2, however, rejects ActiveX programs by default. It's a start; the finish would be to phase out ActiveX altogether, since it's insecure.

The Outlook Express e-mail program, meanwhile, has finally been told to stop letting attachments have free rein, which was the source of many viruses in the past. Programs sent as an Outlook attachment won't run. At all. Bad news for all those dancing hamster e-mail greeting cards; good news for everyone plagued by zillions of e-mail-borne viruses. And even "document" attachments, such as MP3s or Word files, will require a second click to open them. And finally, you can block the display of images in e-mail, foiling spammers (and, which I wrote about a couple of weeks ago) who use tiny images to verify that you've seen an e-mail.

So it's all good. And, I have to say, overdue. SP2 is the first outward manifestation of Bill Gates's proclamation in a company-wide e-mail of 15 January 2002 that Microsoft should focus on creating systems that provided "Trustworthy Computing" (his capitals): "computing that is as available, reliable and secure as electricity, water services and telephony".

Depending on your electricity, water or telephone provider, you may feel that's actually not such a high target, but what mattered about Gates's e-mail was that after years of urging the Microsofties to produce software with more and more gee-whiz features, he heard the increasingly angry complaints from his corporate and even home users: Windows was not built with security in mind. Online, it was like a trusting small-town teenager abruptly dumped in the middle of a metropolis.

That's the real problem Windows has had all these years. It was built in the belief that people were essentially nice. One thing I've always felt after hearing Gates speak is that he's not good at understanding the motivations and behaviour of the people who grub for money at the fringes of society. And the trusting nature of Windows has reflected that lack of comprehension.

The outcome: lots of people have exploited Windows' well-meaning ease to nastier ends. There are now so many unpatched Windows machines around the world harbouring virus and worm infestations of one sort or another, each trying to infect new machines by randomly trying to connect to internet addresses, that the Internet Storm Center found in mid-August that a Windows XP machine connected by a dial-up modem to the net without any security updates will get infected by something like Blaster or Sasser within 20 minutes - down from 40 minutes a year ago. Worse, if it's on a broadband connection, the time is more like five minutes.

SP2 won't prevent every future attack, but it will stop those ones affecting your machine (which, if it's running strangely slowly, might already be harbouring an infection).

So, embrace SP2. It's surely the best thing to happen to Windows in years - perhaps a decade. Because ease of use is one thing. But inbuilt protection is far more important.

To get SP2 (for Windows XP only):

* visit

* turn on Automatic Updating in XP: the required files can be downloaded

* SP2 will be free with many PC magazines from September onwards

* PC World and other high street retail chains will offer SP2 free from Friday