Cebit: Microsoft aims to save users from themselves

Most security issues and virus outbreaks happen because people don’t know how to protect themselves or don’t bother to do what they know they should. In the latest update to Windows XP, Microsoft has focused on helping people become more aware of what they need to do, and encouraging them to actually do it, Lead Program Manager for Service Pack 2 Ryan Burkhardt said Thursday.

A new test version of Service Pack 2 (SP2), called Release Candidate 1 (RC1), was made available to beta testers on Wednesday, and the completed update will be released in mid-2004, Burkhardt said.

In RC1, if someone receives an e-mail with an .exe attachment, or other file type that’s regularly used to spread so-called malware, it will be identified and either blocked or the receiver will confirm that he wants to open it, Burkhardt said at the Cebit trade show in Hanover, Germany. The Attachment Execution Services (AES) API is a public API that lets developers add attachment security to their e-mail client and browser applications. In Outlook Express, Burkhardt said, file types known to be dangerous will be blocked and an explanation given to the user. The user will be given a choice of whether to open suspicious but less-dangerous file types.

Developers of other software, such as Qualcomm’s Eudora e-mail software, may decide to block different file types, or to block none but prompt users with a warning for each, Burkhardt said.

Outlook Express will also no longer download graphics and other external content in HTML by default as these can be used to validate e-mail addresses. “If the sender is not in the user’s contact list, it will be treated as potentially unsafe,” and will not be displayed, Burkhardt said.

Many of the security aspects now being released have been included in XP ever since it was first launched, but were turned off by default, Burkhardt said. “The climate was different then; there were fewer attacks, and fewer people had broadband,” he said.

Users often make halfhearted attempts to ensure security, but don’t follow through, Burkhardt said. Many users, for example, have chosen to automatically download updates, but not to automatically install them, he said. “And then they don’t install them themselves, that’s what happened with Sobig – a lot of people had downloaded the updates but hadn’t installed them,” he said. To try to solve this, users will see a new prompt when setting up their PC that will explain the benefits of automatic downloads and installation, to encourage them to use it, he said.

The background download service has also been adapted to help users on slower connections. The download speed will be scaled to suit what the user is doing, speeding up and using the available bandwidth when the user is doing something like reading e-mail, and slowing down when they are more actively using the bandwidth, such as when they surf the Internet, Burkhardt said.

Windows Firewall will now be turned on by default, and Windows Messenger will be turned off.

In another move that will cheer Web surfers, RC1 will also include a pop-up advertisement blocker, turned on by default. This was already included in the first beta version of SP2 but was turned off by default, Microsoft said.