Logged In

Upcoming Changes in Microsoft Windows XP Service Pack 2

On Friday, August 6, Microsoft announced the release of a significant update to the Windows XP operating system: Microsoft Windows XP Service Pack 2 (SP2). This security-focused update includes numerous changes, many of them transparent to end users, which aim to reduce the operating system's exposure to attacks from the Internet and protect users from predatory software like adware, spyware, and malware. The Windows XP operating system is installed on nearly 50% of net-connected computers worldwide—almost 250 million PCs, according to the Flash Player survey Macromedia conducts quarterly through NPD.

While targeted at abusers of the current Windows security model, the changes in SP2 also peripherally affect many safe and useful technologies, including, in some instances, Macromedia software. Microsoft and Macromedia have worked closely throughout the development of SP2 to ensure the best possible experience for customers of Macromedia Flash Player.

In this article I'll talk about areas of the service pack that web designers and developers, website owners, IT and MIS personnel, and Flash Player users might be concerned about, with the goal of outlining the impact SP2 will have on the user experience and the development process.

To get the most comprehensive and detailed information about the service pack, visit the Microsoft website, which includes the following:

• Windows XP Service Pack 2 (SP2) Support Center (all users)
• Changes to Functionality in Microsoft Windows XP Service Pack 2 (all users)
• Windows XP Service Pack 2 Resources for IT Professionals (IT professionals)
• Windows XP Service Pack 2 (SP2) for Developers (designers and developers)
• Fine-Tune Your Web Site for Windows XP Service Pack 2 (designers and developers)

What's New in Windows XP Service Pack 2

Microsoft Windows Service Pack 2 users will experience some changes in the way software behaves, including some minor changes when launching some Macromedia products. The most visible change is the presence of a new security warning dialog box, which asks users to confirm that they want to install or launch software.

Many of the new security dialog boxes appear if a particular piece of software does not have a digital signature. Digital signatures verify the authenticity of the software download. As software publishers get busy creating and filing their digital signatures, there will be a transitional period in which many reliable software applications will not yet have them. Even without a digital signature, users are able to click to confirm that they want to install their software and proceed with the installation. To find out more about the digital signatures, see the Enhanced Browser Security section of the Microsoft TechNet article, Changes to Functionality in Microsoft Windows XP Service Pack 2.

Overview of User Experience Changes

Windows XP Service Pack 2 can be broken down into feature changes users encounter as they interact with software in the following ways:

While browsing the web with Internet Explorer:

• ActiveX upgrade: A new user interface and security model for upgrading ActiveX controls in SP2 launches new security confirmation dialog boxes (for ActiveX controls that do not have digital signatures).
  
  Note: As SP2 ships with a digitally signed version of Flash 6, users upgrading Macromedia Flash Player will not experience these dialog boxes while using the current builds of SP2. This will also be true for users who already have Flash Player 7 installed on their machines.
  
• Pop-up blocking: New SP2 pop-up–blocking mechanisms prevent some browser windows from launching.
  
• Local Machine zone lockdown: An improved security perimeter around local content may generate new security confirmation dialog boxes when users launch some locally stored applications and programs, such as ActiveX controls that do not have digital signatures.

When working locally:

• Installer and executable security: Similar to the Local Machine zone restrictions, users may see security confirmation dialog boxes when attempting to run local executables like product installers and Flash or Shockwave projectors.

When working with applications that communicate over a network:

• Windows Firewall security: Users of applications that communicate over certain ports may need to grant them permission to talk with their machines.

In the following sections, I provide more details on what SP2 users experience in each of these situations.

What's New in Internet Explorer

ActiveX Upgrade Experience

The Windows XP Service Pack 2 update changes the user interface for installing or upgrading ActiveX controls like Macromedia Flash Player, Shockwave Player, and Authorware Player. This comes as part of newly introduced capabilities for end users to manage browser add-ins like ActiveX controls and toolbars. Today when users browse to content on the web that requires a later version of an ActiveX control and prompts an update, they see a Security Warning dialog box, which prompts them to verify that they want to install the ActiveX control on their computers.

Figure 1. Existing Security Warning dialog box for users of Internet Explorer on all Windows operating systems

Going forward, some users may see a new UI element called the Information Bar as they are prompted to download ActiveX controls. The gold Information Bar appears at the top of the screen and is a consistent messaging device for any security-related information between the browser and the user. Messages that appear here also have associated cursor changes and sounds.

Figure 2. The new Information Bar prompts users with security-related messages before they download ActiveX controls and other related content.

To get technical for a moment, when upgrading an ActiveX control, IE now uses the digital signature to check the authenticity of the existing control on the machine and the control being downloaded from the server, and verifies that they both match. The Information Bar appears when Windows cannot find that information on one or both controls. Since May of this year Macromedia has provided this signature on all of our ActiveX controls.

Users can click either the bar or text in the main page and then click Install ActiveX control to begin installation. Macromedia has already updated our signature mechanism to ensure that in the future this new UI will not appear when you download and install Macromedia products and players. After choosing Install ActiveX control, in the Information Bar menu, users encounter the ActiveX install dialog box, which is part of the existing installation workflow.

Figure 3. The Security Warning dialog box users see when downloading Macromedia Shockwave Player.

Here's how the SP2 changes to Internet Explorer will affect current Macromedia player users:

• Impact to Macromedia Flash Player users: Macromedia Flash Player users will not notice anything different in their day-to-day browsing experience after upgrading to SP2. Microsoft will begin shipping Flash Player 6 with SP2. Flash Player 6 includes Macromedia's signature on all included components, which ensures a smooth installation experience without the Information Bar. This will not downgrade users who have already installed Flash Player 7— those users may see the Information Bar appear when upgrading to future Flash Player versions.
• Impact to Shockwave and Authorware player users: Macromedia Shockwave Player users will encounter the Information Bar when upgrading to the latest ActiveX control. Neither Macromedia Shockwave Player nor Authorware Player ships with SP2, so the next time users upgrade to new player versions, they will encounter the Information Bar. They simply need to click through the prompts to upgrade their players.

Pop-Up Blocking

Also new to Internet Explorer is the pop-up–blocking feature found today in many non-IE browsers and in other popular software packages.

As a default, Internet Explorer sets its pop-up blocking at the Medium level. The Medium setting suppresses pop-ups that aren't invoked by the user—like many advertisements. The Low setting allows most pop-ups to come through, even if they aren't user-invoked, while the High setting suppresses most pop-ups, even ones that are user-invoked, unless they are delivered through a secure connection (HTTPS) to the server.

When it blocks pop-ups, Internet Explorer broadcasts a sound effect and flashes the cursor. The Information Bar also appears with a message that pop-ups were blocked and offers options to show pop-ups once or always.

Figure 4. The Information Bar appears when pop-ups are blocked. In addition, an icon appears in the Internet Explorer status bar.

Impact to users browsing the web: More ads may be suppressed due to the large install base of the Internet Explorer browser. Also at risk are some Macromedia Flash sites that, due to design considerations, pop up new windows for their main site content. Read Microsoft's article for website designers and developers, Fine Tune Your Website for Service Pack 2, for recommendations on how to work with this new behavior.

Local Machine Zone Lockdown

One of the largest entry points for recording security breaches with the Windows operating system has been the Local Machine zone—inside which, until SP2, applications have enjoyed largely unrestricted privileges. In SP2, Internet Explorer prompts users before rendering HTML pages that use client-side scripting and ActiveX controls.

In SP2, before Internet Explorer runs local Macromedia Flash, Shockwave, or Authorware content, the Information Bar appears, informing users about the potential security risk of running active content. Macromedia has gone to great lengths to ensure security within Macromedia Flash, Shockwave, and Authorware Players, so users can acknowledge the warning and run content by clicking through the Information Bar prompts.

Figure 5. The Information Bar appears, prompting users to confirm their intention to view local files that contain Macromedia Flash, Shockwave, or Authorware content.

Impact to users browsing the web: The lockdown of the Local Machine zone only affects files that are running locally—not content that runs in the browser. Because this local content is typically distributed as projectors on CDs and DVDs and not through the browser, this problem is small in scope. As a content creator, one way to work around this experience is documented on MSDN. It involves a mechanism called the Mark of the Web, which content uses to associate itself with a domain on the Internet. Read more about Mark of the Web in this article for developers, Changes to Functionality in Service Pack 2, in the Local Machine zone topic described in Part 5.

What's New with Local File System Security

There are also security enhancements to how the file system treats potentially dangerous file types, which are related to the changes in Internet Explorer regarding locking down the Local Machine zone. Windows automatically keeps track of files of certain types and where they come from, for example, whether they are downloaded from the Internet or saved from e-mail attachments, and prompts users before they undertake potentially risky activities.

Most relevant are executables (EXE files), which users commonly download as product installers and trials. Stand-alone projectors are a type of executable, which Macromedia customers create and distribute over the Internet—many Shockwave applications are delivered this way. If Windows can't verify the publisher of a given executable or projector, its execution is interrupted by a dialog box requiring user confirmation to run the file.

Figure 6. Files whose publishing authority can't be verified can't execute until users confirm and grant permission.

Attaching a certificate that meets Microsoft's Authenticode guidelines, commonly obtained from security vendors like VeriSign, Inc., satisfactorily establishes the publisher's identity. We at Macromedia have begun attaching our digital signature to the installers that we provide for download. While we make this transition, customers may encounter some installers on our website to which we have yet to attach our digital signature. Rest assured that we check our installers thoroughly before they get to our website to ensure that they are error-free and safe to run.

Impact on users downloading and running applications: Microsoft Windows XP users will be prompted to think twice about certain activities that pose risk, such as running executable files downloaded from the Internet. Most people are in the habit of being cautious about what they download and from whom—this new user experience gives users information that they can use to make an informed decision.

What's New with Windows Firewall Security

On a broader scope, enhancements to Windows Firewall provide more security vigilance out of the box. Turned on by default, the Internet Connection Firewall blocks inbound connections and applications that attempt to listen to the network. Microsoft designed this feature to work on home or business computers that are not servers – these client machines usually connect to a server rather than listening to the network.

For some users, this will result in more messaging to the user regarding commonly used applications—instant messaging (including Microsoft's own Messenger), file transfer, and peer-to-peer software—are some examples of software that behave similarly to a server program. Some Macromedia applications that also might prompt the dialog box during usage include Dreamweaver, Contribute, and Flex Builder, whose site management features regularly use non-HTTP protocols. The dialog box options, shown below, ask the user whether the application should be placed on a system-wide list of unblocked applications.

Figure 7. Windows Firewall prompts users to grant applications their permission to communicate with their machines over the Internet.

Impact on network users: Initially, Windows XP users may see more dialog boxes and may be prompted to take a closer look at what applications are communicating over the network, but with use these dialog boxes will diminish in frequency.

Timeline and Impact

Microsoft will distribute Windows XP Service Pack 2 primarily through the Windows Update mechanism, with the download trickling in over time before installation. Because of the size of the download and related traffic, Microsoft will not prompt all users to install the service pack right away but will spread the wide-scale installation over the next couple of months. During this time Microsoft expects around 100 million users to install the service pack. In the near future all new machines will also come with Windows XP Service Pack 2 preinstalled.

In the short term, for most users, the browsing experience will likely not change much. Macromedia has already been working with Microsoft to prepare for this change, and we have also been doing more work on our own to make sure that upgrade experiences are smooth.

In the future, once the web community, sites and browsers alike, has adjusted to the change, any disruption that users have experienced initially will fade. Their software upgrade experiences will become smoother, with the one additional bonus: the potential for the web to truly be a safer place for communication and exploration.

Where To Go for More Information

In addition to the resources mentioned at the beginning of this article, you can find more information at these locations:

• Microsoft Help and Support
• MSDN Security Developer Center: Windows XP Service Pack 2—Security Information for Developers

About the author