• August 10, 2004 •

Microsoft Windows XP Service Pack 2 Review


Internet Explorer Add-on Management

Another great addition is the Internet Explorer Add-on Management in combination with Crash Detection.

Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet Explorer with more detailed control than before. You can easily enable or disable add-ons, and check for updates to an add-on.

If you have allowed an ActiveX control to be installed, but later decide you don't want it, you can set it to "Disabled" using Internet Explorer's Manage Add-ons function (available from the Internet Explorer menu under Tools > Manage Add-ons). If you visit a Web site that requires the use of a disabled ActiveX control, Internet Explorer will pop up a balloon in the status bar (Figure), advising you about it and giving you a shortcut to enable the ActiveX control.

Internet Explorer Add-on Crash Detection attempts to detect crashes in Internet Explorer that are related to an add-on. When the add-on is successfully identified, this information is presented to the user. The user has the option of disabling add-ons to diagnose crashes and improve the overall stability of Internet Explorer.

Internet Explorer also prevents so-called "drive-by downloads", where a Web site could download executable files to your system without any user action. When a Web site attempts to download or install ActiveX controls or other downloads, a warning will pop up in the new "Information Bar", and users can choose to install these components (Figure). There's also a menu item, "What's the Risk?", which opens the Internet Explorer help file with additional information about the item that is blocked.

These are only the obvious changes users will notice in Internet Explorer. But internally the browser has also been strengthened with changes to its Binary Behaviors Security, changes to the Security Zones Settings, the lockdown of the Local Machine Zone, and other enhancements.

In speaking with engineers from the Internet Explorer team, it is clear that all these enhancements are driven by the goal of securing the browser. There doesn't seem to be any intention within Microsoft management to add new functionality to Internet Explorer, such as the tabbed browsing that you'll see with most other browsers these days. There's no indication that tabbed browsing will be added to Internet Explorer's functionality any time soon. That's a shame, because it makes the browser relatively weak if you do a lot of work using a Web browser. Privately, Microsoft employees will admit that lots of them are using other Internet browsers that do offer this functionality (Mozilla Firefox and Opera to name just two).

All in all, the changes to Internet Explorer are welcome, and were long overdue.


Unsafe Attachment Blocking

Service Pack 2 introduces new attachment blocking features, used by Internet Explorer, Outlook Express and Windows Messenger.

The prompts that are used for file downloads, mail attachments, shell process execution, and program installation have been modified to be both more consistent and clearer than they were in the past. In addition, Windows XP displays the publisher of an executable file to the user when executable files are selected in either Internet Explorer or Outlook Express (Figure).

Outlook Express

By default, Outlook Express blocks attachments that could potentially be a virus. Another enhancement is that Outlook Express now also blocks the automatic download of images or other online content in HTML email (Figure). This is useful in fighting spam, as images are often used in combination with other techniques to confirm that a specific user (email address) has viewed the message. It further reduces the possibilities of "hostile" code being run when or after viewing HTML email containing malicious content.

Outlook Express now also includes an option that lets you read ALL messages as plain text messages; this further reduces the security risks of viewing HTML email. Previously, if an HTML email contained scripts, these would be executed by the MSHTML control. The rich edit control that is used when a message is displayed as plain text does not execute HTML scripts, so the threat of executing scripts is mitigated.
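
A sketch of the two protections described above (blocking automatic remote-content downloads and reading mail as plain text), as an added example that is not from the original article and is not how Outlook Express is implemented. The function names, the attribute list and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Attributes that make a mail client fetch content when the message is displayed
# (illustrative list, assumed for this example).
FETCHING_ATTRS = {"img": "src", "iframe": "src", "link": "href", "body": "background"}

class MailInspector(HTMLParser):
    """Collect remote fetches and script content; keep only visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocked_urls = []    # remote content that would reveal the message was viewed
        self.scripts_dropped = 0  # <script> elements and on* event-handler attributes
        self.text_parts = []
        self._skip = 0            # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            self.scripts_dropped += int(tag == "script")
        for name, value in attrs:
            if name.startswith("on"):  # inline handlers such as onload=
                self.scripts_dropped += 1
            elif FETCHING_ATTRS.get(tag) == name and value:
                if urlparse(value.strip()).scheme in ("http", "https"):
                    self.blocked_urls.append(value.strip())
        if tag in ("br", "p", "div"):
            self.text_parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_parts.append(data)

def read_as_plain_text(html_body):
    """Return (plain_text, blocked_urls, scripts_dropped) for one HTML mail body."""
    p = MailInspector()
    p.feed(html_body)
    p.close()
    lines = "".join(p.text_parts).splitlines()
    return "\n".join(l.strip() for l in lines if l.strip()), p.blocked_urls, p.scripts_dropped

# Constructed sample message (not from the article): a per-recipient beacon and a script.
SAMPLE = """<html><body onload="track()"><p>Special offer!</p>
<img src="http://mailer.example/open.gif?rcpt=alice%40example.org" width="1" height="1">
<img src="cid:logo@local"><script>document.location='http://mailer.example/'</script>
<p>Click <a href="http://shop.example/">here</a>.</p></body></html>"""

print(read_as_plain_text(SAMPLE))
```

The embedded `cid:` image is left alone because it travels inside the message itself, while the remote image with the recipient address in its query string is the kind of fetch that confirms a message was viewed.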