POWER USER

XP products look good, but the OS could create security holes

John McCormick

With software, it's sometimes difficult to tell the difference between muscle and bloat.

You might be surprised by my opinion that the new Microsoft Office XP Professional suite isn't bloated.

It comes on a single CD-ROM, a trick accomplished by leaving out clip art, separating Publisher and PhotoDraw, and placing more publishing tools inside Word. Office XP Pro is so slim that there's an 'Install from the Web' option for network distribution.

It also has speech recognition capability, not surprising in light of Microsoft's investment in Lernout & Hauspie, the financially troubled Belgian company that has bought up most other desktop speech recognition technology.

Office XP can do optical character and handwriting recognition, and it has native ability to continuously update Excel 2002 spreadsheet data from compatible servers via the Extensible Markup Language.

If you need stronger collaboration tools or alternative input options, say for Section 508 compliance, Office XP Pro deserves an early look.

Although the other new XP won't be unleashed until the end of the year, there is a widely distributed beta version of Windows XP now.

Why should you upgrade your operating system so soon after Windows 2000 and Windows Millennium Edition? One good reason might be Win XP's support for digital imaging applications, including a better digital video editor than the one introduced in Win ME.

An even better reason is that Win XP's powerful new instant messaging tools extend to videoconferencing, telephony and collaboration.

The consumer and office versions of XP are both based on Win 2000. Win ME didn't thrill users, whereas a home-priced version of Win 2000 with better reliability should be more attractive. And Win XP will probably come preinstalled on most new PCs sold next year, so there will be a large installed base whether or not the OS is superior to its predecessors.

Although government offices won't rush to upgrade, I'm speculating that Win XP nevertheless could have a large, indirect impact on them. Reports from testers indicate that the beta Win XP gives a power boost to so-called script kiddies, or crackers who exploit known vulnerabilities through scripts.

Earlier versions of Windows lack a complete implementation of Unix Sockets, so crackers aiming to launch denial-of-service attacks must run Unix or Linux to get Sockets' powerful tools.

A distributed denial-of-service attack requires access to many poorly defended systems that stay online all the time.

Because PCs running Windows OSes prior to Win 2000 lack the full Sockets implementation, they can be co-opted only to launch weak distributed attacks, generally via User Datagram Protocol and ping packet traffic.

A distributed attack overwhelms the target server with floods of messages from separate PCs. It's something like the e-mail inbox of a busy worker who feels so overwhelmed by junk messages that legitimate ones get ignored.

With XP, such attacks will be much more destructive than those we've seen so far because they can carry traffic more important than pings, which a server can at least temporarily ignore.

A grassroots movement on the Internet is working to convince Microsoft that a full implementation of Unix Sockets on weakly secured consumer machines is not a good idea.

If the Win XP consumer version ships with the new tools, agencies will have to rethink their site security and the firewalls protecting all their connected servers.

John McCormick is a free-lance writer and computer consultant. E-mail him at poweruser@mail.usa.com.
