Microsoft's upcoming Service Pack 2 release for Windows XP could break existing applications, the company has warned.
Microsoft has made something of a trade-off with the update, focusing on security improvements at the expense of backward compatibility. As a result, the software giant is calling on all software developers to test their code against the beta version of Service Pack 2, or face the possibility that the update will break their products.
Windows XP SP2 is more than the usual roll-up of bug fixes and updates. It will make significant changes to the software in an attempt to improve security - something that has become a major headache for the company in recent weeks. These changes can render applications inoperable, Microsoft warns.
"It may surprise some of the developers that we are changing some defaults and that may affect the way some of the older applications run," said Tony Goodhew, a product manager in Microsoft's developer group. "Developers should absolutely be checking their applications against Windows XP SP2."
To smooth transition, Microsoft has created an online training course that details the implications of installing SP2, covering the impact on existing applications and including code samples - the first time the company has ever produced such a course.
Large vendors are getting help from Microsoft to make sure their applications are compatible, Goodhew said. But smaller vendors will have to do their own testing. "It is really up to developers to do the due diligence," he said.
If developers do find that SP2 breaks their applications, it most likely means that they were not following best practices in terms of security when writing their applications, Goodhew claims. "SP2 will break some applications because they are insecure," he said. "Security is important and it is not just a Microsoft problem but a developer community problem. We all need to work together to create a more secure computing environment."
"It doesn't really matter how long it is going to take you to do the work; security is an important issue and developers need to start doing that work now," Goodhew said.
Although Microsoft said it has been informing developers about the implications of SP2, not all were aware of what the changes will mean for them. "I'm afraid now, I have somehow missed this message," said a Windows developer who asked not to be named. "Was it buried in too many marketing messages? Was it dependent on me searching it out?"
But Patrick Hynds, chief technology officer at CriticalSites said Microsoft is not leaving any developers flat-footed. "I think Microsoft is doing enough, we're still months in advance and they are actively informing people," he said. "Microsoft is getting the message out on something that had to be done. I would be a big critic of Microsoft if they weren't doing this kind of update," Hynds said.
Changes to Windows XP made by SP2 fall into four main areas: network protection, memory protection, e-mail security and browsing security. The most affected parts of Windows are RPCs (Remote Procedure Calls), DCOM (Distributed Component Object Model), Windows Firewall and memory execution protection.
Many of the changes can disrupt functions of Windows and other applications, said Thor Larholm, a senior security researcher at PivX Solutions. "By design, many of the new security improvements will break functions for a wide range of applications," he said.
However, the trade-off is a good thing, according to Larholm. "Microsoft is finally starting to favour security over functionality to such an extent that it is impacting its own development tools and other products," he said.
Microsoft's Visual Studio .Net is one of the applications affected by Windows XP SP2. The developer tool's remote debugging feature won't work because of the improved Windows Firewall, previously called Internet Connection Firewall, which will be turned on by default and will close all ports, Goodhew said.
Another product that Microsoft needs to update is the .Net Framework. The new memory protection features in SP2 require developers of certain applications to mark their code with memory execution permissions. If they don't, the protection features could interfere with the application, according to Microsoft.
"The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one," Goodhew said.
Microsoft plans to come out with updates to its Visual Studio products and the .Net Framework at around the same time it releases Windows XP SP2 to address the compatibility issues, Goodhew said.
SP2 went into beta last year and Microsoft plans to release the update in mid-2004. Compatibility issues should not hold back its release, Goodhew said. "We're aiming to release SP2 mid-year. As far as we stand, we're still on track to do that," he said.