Some software developers may find their applications no longer work on machines using Microsoft Service Pack 2 for Windows XP, which will be released later this year.
Microsoft has made something of a trade-off with the update, focusing on security improvements at the expense of backward compatibility. The company has called on all software developers to test their code against the beta version of Service Pack 2, or face the possibility that the update will break their handiwork.
Windows XP Service Pack 2 (SP2) is more than the usual roll-up of bug fixes and updates. It is also being used to make significant changes to the software with the aim of improving security. Microsoft has warned these changes could render applications inoperable.
"It may surprise some of the developers that we are changing some defaults, and that may affect the way some of the older applications run," said Tony Goodhew, a product manager in Microsoft's developer group.
"Developers should absolutely be checking their applications against Windows XP SP2."
To help developers, Microsoft has created an online training course that details the implications of installing SP2 on Windows XP machines. The course covers the impact on existing applications and includes code samples. Microsoft has never before offered such a course with a service pack release. ( https://technet.microsoft.com/en-us/security/)
Large suppliers of software are getting help from Microsoft to make sure their applications are compatible with SP2, and smaller suppliers and others, such as enterprise software developers, need to do their own testing.
"It is really up to developers to do the due diligence," said Goodhew.
If developers do find that SP2 breaks their applications, it most likely means that they were not following best practices in terms of security when writing their applications, according to Goodhew.
"SP2 will break some applications because they are insecure. Security is important, and it is not just a Microsoft problem but a developer community problem. We all need to work together to create a more secure computing environment."
He added, "it doesn't really matter how long it is going to take you to do the work; security is an important issue and developers need to start doing that work now."
Although Microsoft said it has been informing developers about the implications of SP2, not all were aware of what the changes will mean for them.
"I'm afraid now, I have somehow missed this message," said a Windows developer who asked not to be named. "Was it buried in too many marketing messages? Was it dependent on me searching it out?"
But Patrick Hynds, chief technology officer at CriticalSites, software development and integration provider, said Microsoft is not leaving any developers flat-footed. "I think Microsoft is doing enough, we're still months in advance and they are actively informing people," he said.
One place Microsoft is informing developers are the Developer Days, or DevDays, events it is hosting around the world. The first such event was held last month and many more are on the agenda.
Changes to Windows XP made by SP2 fall into four main areas: network protection, memory protection, e-mail security and browsing security. The most affected parts of Windows are RPCs (Remote Procedure Calls), DCOM (Distributed Component Object Model), Windows Firewall, and memory execution protection, according to Microsoft.
Many of the changes can disrupt functions of Windows and other applications, said Thor Larholm, a senior security researcher at PivX Solutions. "By design, many of the new security improvements will break functions for a wide range of applications," he said.
However, Larholm believed the trade-off is a good thing. "Microsoft is finally starting to favour security over functionality to such an extent that it is impacting its own development tools and other products," he said.
Microsoft's Visual Studio .net is one of the applications affected by Windows XP SP2. The developer tool's debugging feature will not work because of the improved Windows Firewall, previously called Internet Connection Firewall, which will be turned on by default and will close all ports, Goodhew said.
Another product that Microsoft needs to update is the .net Framework. The new memory protection features in SP2 require developers of certain applications to mark their code with memory execution permissions. If they do not, the protection features could interfere with the application.
"The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .net Framework is one," Goodhew said.
Microsoft will update its Visual Studio products and the .Net Framework at around the same time it releases Windows XP SP2 to address the compatibility issues.
SP2 went into beta last year and Microsoft will release the update in mid-2004. Compatibility issues should not hold back its release, Goodhew said. "We're aiming to release SP2 midyear. As far as we stand, we're still on track to do that."
Joris Evers writes for IDG News Service