It could have been so simple. Just ship the service pack that enables ICF and includes the post-SP1 fixes. Why in the world is it now being pushed back until Q2 of 2004? Why do we have to wait another 8 months for such a simple batch of fixes?
The reason SP2 has been pushed back until Q2 of 2004 is that Microsoft is using it as a test run of a new project called “Springboard” that will slowly introduce new Longhorn security technologies into existing products. One of them is a new memory management feature that will help combat buffer overflow attacks, even zero-day attacks. Also, Microsoft decided to do a major enhancement to Internet Connection Firewall (ICF), which is the firewall built into Windows XP and Windows 2003. They will be adding outbound filtering (ICF currently inspects inbound traffic only), as well as a few other features stolen from its full-featured firewall product, ISA Server.
In other words, SP2 is suffering from a major case of feature creep. And the prognosis is not good.
I want to say something to Microsoft about their plans to beef up ICF, and this is going to sound very strange coming from me: Microsoft, please don't beef up ICF!!
The absolute beauty of ICF is the fact that you turn it on by checking a box. There is no configuration necessary, no filters to configure, no ports to set up. You check a box and you have inbound firewall filtering that is sufficient for 99% of the home users out there.
Once you enable outbound filtering, you start having trouble with home users. Suddenly games stop working. They have to respond to prompts about applications trying to reach out to the Internet on obscure ports that they don't have a clue about. Customer service reps for applications that rely on the Internet will become so swamped with tech support calls relating to firewall issues that the first thing they will do is document how to disable the damn thing so their application works again.
How do I know? Because this is exactly what happens with all the other host-based firewall products currently on the market that do outbound filtering by default. Consider these instructions from Sony on how to configure Sygate Personal Firewall to work with their game EverQuest:
- Right click on the Sygate Personal Firewall icon in the system tray and left click Sygate Personal Firewall Pro
- Click Security and then click Allow All
- Close the Window and run EverQuest
Compare this with the instructions for running ICF on your EverQuest system:
- Right click on My Network Places and click Properties
- Right click on LAN Connection (or whatever you might have named your broadband connection) and click Properties
- Click the Advanced Tab
- Click the check box that states "Protect my computer and network by limiting or preventing access to this computer from the internet"
- Click Apply
- Close the window and run EverQuest
The difference here, and it's so very subtle, is that in the first case (a third-party host-based firewall product) the folks at Sony are instructing you to disable the firewall product (weakening your security). In the second case, the built-in firewall of XP, Sony is instructing you how to enable the firewall product (making your system more secure). ICF is so very unobtrusive that it can be turned on without affecting the applications people use on their computers. Yet it still provides entirely adequate protection for the vast majority of people who would use it. I think that is ICF's biggest strength, and it would be a shame if Microsoft threw that away.
If you force egress filtering onto the home users, the firewalls will get turned off entirely, and we will be worse off than we are now.
Make an enhanced version of ICF available via an optional download for those who want it, but leave the base inbound-only ICF intact. Don't overcomplicate a product that is perfectly adequate for the job for which it was designed by adding complexity and features that the majority of people do not need.
Let me address the timing of SP2, while I am on the subject. If SP2 ships when MS says it will, in Q2 of 2004, it will have been close to 18 months between Service Pack 1 and Service Pack 2. Right now, on a new installation of Windows XP, there are 42 critical updates required on the first round of patching. Forty-freakin'-two! On new systems at work I get slammed with Welchia before I can even install the patch against it. Average infection time is under 5 minutes. I have to keep the system offline and apply the Welchia patch from a homebrewed CD before it's safe to even put the box on the network and patch the other 41 things. By the time we get to Q2 of 2004, the number will probably be close to 70, and it will take an hour to patch, even over the T3 I have in the lab.
This feature creep on SP2 is unacceptable. Ship the dang service pack already, even if it's only the post-SP1 patches and the enabling of ICF. It is absolutely critical that we reduce the number of patches required on a new installation of XP. I also believe the Internet will be in a much safer place when we get around to enabling ICF on everyone's systems at home. Blaster would have been a non-event if the majority of home users had ICF enabled on their systems, and the same can be said for a large percentage of attacks seen on the Internet these days. These things can wait no longer.
So in summary, I am asking Microsoft to do these things with regard to Service Pack 2 for Windows XP:
- Leave ICF as an inbound-only firewall
- Enable it on installations that have it disabled
- Include all post-SP1 hotfixes (this is still a service pack, remember?)
- Freeze the bits now, give QA a month to hammer on it, and get it shipped THIS YEAR
Update (Nov 3rd): I just want to add one final thought with regard to ICF: Half a firewall (ICF) is better than none. None is what we will (and do) have on systems right now, because the firewalls impact the user experience too much and get disabled, or the users are inundated with so many system prompts asking if traffic is “OK” that they blindly say “Yes”, effectively disabling the protection. If consumers themselves do not disable the firewalls on their own, they are being instructed to do so by application developers who find it too difficult and time-consuming to instruct users on the proper use of another company's software product. Inbound firewalling is unobtrusive and in 99% of cases will never impact a consumer. But think of all the problems that simply no longer affect home computers if they are protected at least inbound: RDP issues? Gone. Messenger popups? Gone. Slammer? Gone (at least on home systems).
I'd wager that 90% of Windows-based Internet attacks use a vector that would be entirely thwarted by an inbound-only firewall product like ICF (actually I am going to research this subject this week and come up with a real number, but it's very high). The rest of the attacks rely on either IE vulnerabilities or on the end user doing something foolish like clicking on a malicious link or opening a hostile attachment. And a good antivirus package will catch 99% of those things.
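To make the argument above concrete, here is a toy model (added here, not code from the original post or from Microsoft) of the two firewall styles the post contrasts: a stateful inbound-only filter that needs no configuration, and the same filter with outbound filtering bolted on, which prompts the user for every new outbound destination. The traffic, the IP addresses (documentation ranges) and the port numbers are constructed for the example; the ports follow the post's own examples (RPC 135 for Blaster and Messenger popups, UDP 1434 for Slammer, TCP 3389 for RDP).

```python
from collections import namedtuple

# A packet seen at the host's network interface; direction is "in" or "out".
Packet = namedtuple("Packet", "proto src sport dst dport direction")

class InboundOnlyFirewall:
    """Toy stateful inbound-only filter: no rules, no ports, no prompts.

    Every outbound packet records the flow it belongs to.  An inbound packet is
    allowed only if it is a reply to a flow the host itself opened; anything
    else arriving from the network is dropped silently.
    """
    def __init__(self):
        self.flows = set()            # (proto, local_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"            # reply to a connection the user started
        return "drop"                 # unsolicited inbound, e.g. a worm probe

class OutboundFilteringFirewall(InboundOnlyFirewall):
    """Same inbound behaviour, plus a "let this out?" dialog for each new
    outbound destination port.  We assume the user clicks Yes every time."""
    def __init__(self):
        super().__init__()
        self.approved = set()
        self.prompts = 0

    def filter(self, pkt):
        if pkt.direction == "out" and (pkt.proto, pkt.dport) not in self.approved:
            self.prompts += 1         # one more dialog the home user has to answer
            self.approved.add((pkt.proto, pkt.dport))
        return super().filter(pkt)

# Constructed traffic for a home PC at 192.0.2.10: a game session and its
# patcher, then unsolicited probes on the ports named in the post.
TRAFFIC = [
    ("game connect", Packet("tcp", "192.0.2.10", 3456, "198.51.100.5", 9000, "out")),
    ("game reply",   Packet("tcp", "198.51.100.5", 9000, "192.0.2.10", 3456, "in")),
    ("game patcher", Packet("tcp", "192.0.2.10", 3457, "198.51.100.6", 7000, "out")),
    ("blaster",      Packet("tcp", "203.0.113.7", 40000, "192.0.2.10", 135, "in")),
    ("slammer",      Packet("udp", "203.0.113.8", 1434, "192.0.2.10", 1434, "in")),
    ("popup",        Packet("udp", "203.0.113.9", 5000, "192.0.2.10", 135, "in")),
    ("rdp probe",    Packet("tcp", "203.0.113.10", 41000, "192.0.2.10", 3389, "in")),
]

def run(firewall):
    """Return the verdict per packet and how many prompts the user saw."""
    verdicts = {name: firewall.filter(p) for name, p in TRAFFIC}
    return verdicts, getattr(firewall, "prompts", 0)
```

Both models drop every unsolicited probe and let the game through; the only thing outbound filtering adds for this traffic is two dialogs the user has to click past.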
Ship SP2 this year, and put all your Springboard goodness into SP3. That stuff can wait. Inbound firewalling and patch relief need to be done NOW. And that can be accomplished by simply giving us a Service Pack that is a post-SP1 rollup and an ICF-enabler.