Some software developers may find their applications no
longer work on machines using Microsoft Service Pack 2 for Windows
XP, which will be released later this year.
Microsoft has made something of a trade-off with the update,
focusing on security improvements at the expense of backward
compatibility. The company has called on all software developers to
test their code against the beta version of Service Pack 2, or face
the possibility that the update will break their handiwork.
Windows XP Service Pack 2 (SP2) is more than the usual roll-up
of bug fixes and updates. It is also being used to make significant
changes to the software with the aim of improving security.
Microsoft has warned these changes could render applications
inoperable.
"It may surprise some of the developers that we are changing
some defaults, and that may affect the way some of the older
applications run," said Tony Goodhew, a product manager in
Microsoft's developer group.
"Developers should absolutely be checking their applications
against Windows XP SP2."
To help developers, Microsoft has created an online training
course that details the implications of installing SP2 on Windows
XP machines. The course covers the impact on existing applications
and includes code samples. Microsoft has never before offered such
a course with a service pack release. (
http://msdn.microsoft.com/security/productinfo/XPSP2/default.aspx)
Large suppliers of software are getting help from Microsoft to
make sure their applications are compatible with SP2, and smaller
suppliers and others, such as enterprise software developers, need
to do their own testing.
"It is really up to developers to do the due diligence," said
Goodhew.
If developers do find that SP2 breaks their applications, it
most likely means that they were not following best practices in
terms of security when writing their applications, according to
Goodhew.
"SP2 will break some applications because they are insecure.
Security is important, and it is not just a Microsoft problem but a
developer community problem. We all need to work together to create
a more secure computing environment."
He added, "it doesn't really matter how long it is going to take
you to do the work; security is an important issue and developers
need to start doing that work now."
Although Microsoft said it has been informing developers about
the implications of SP2, not all were aware of what the changes
will mean for them.
"I'm afraid now, I have somehow missed this message," said a
Windows developer who asked not to be named. "Was it buried in too
many marketing messages? Was it dependent on me searching it
out?"
But Patrick Hynds, chief technology officer at CriticalSites,
software development and integration provider, said Microsoft is
not leaving any developers flat-footed. "I think Microsoft is doing
enough, we're still months in advance and they are actively
informing people," he said.
One place Microsoft is informing developers are the Developer
Days, or DevDays, events it is hosting around the world. The first
such event was held last month and many more are on the agenda.
Changes to Windows XP made by SP2 fall into four main areas:
network protection, memory protection, e-mail security and browsing
security. The most affected parts of Windows are RPCs (Remote
Procedure Calls), DCOM (Distributed Component Object Model),
Windows Firewall, and memory execution protection, according to
Microsoft.
Many of the changes can disrupt functions of Windows and other
applications, said Thor Larholm, a senior security researcher at
PivX Solutions. "By design, many of the new security improvements
will break functions for a wide range of applications," he
said.
However, Larholm believed the trade-off is a good thing.
"Microsoft is finally starting to favour security over
functionality to such an extent that it is impacting its own
development tools and other products," he said.
Microsoft's Visual Studio .net is one of the applications
affected by Windows XP SP2. The developer tool's debugging
feature will not work because of the improved Windows Firewall,
previously called Internet Connection Firewall, which will be
turned on by default and will close all ports, Goodhew said.
Another product that Microsoft needs to update is the .net
Framework. The new memory protection features in SP2 require
developers of certain applications to mark their code with memory
execution permissions. If they do not, the protection features
could interfere with the application.
"The great bulk of applications will not be affected by memory
protection. The number one that leaps to mind is execution
environments with just-in-time code generation. The .net Framework
is one," Goodhew said.
Microsoft will update its Visual Studio products and the .Net
Framework at around the same time it releases Windows XP SP2 to
address the compatibility issues.
SP2 went into beta last year and Microsoft will release the
update in mid-2004. Compatibility issues should not hold back its
release, Goodhew said. "We're aiming to release SP2 midyear. As far
as we stand, we're still on track to do that."
Joris Evers writes for IDG News Service