Windows XP SP3 boasts speed boost, testers claim

Same outfit that dissed Vista SP1 say XP's 'must-have update' 10% faster than SP2

Windows XP Service Pack 3 (SP3), the update scheduled to release next year, runs Microsoft Corp.'s Office suite 10% faster than XP SP2, a performance testing software developer reported Friday.

Devil Mountain Software, which earlier in the week claimed Windows Vista SP1 was no faster than the original, repeated some of the same tests on the release candidate of Windows XP SP3, the service pack recently issued to about 15,000 testers.

"We were pleasantly surprised to discover that Windows XP SP3 delivers a measurable performance boost to this aging desktop OS," said Craig Barth, Devil Mountain's chief technology officer, in a post to a company blog Friday.

Devil Mountain ran its OfficeBench suite of performance benchmarks on a laptop equipped with Office 2007, Microsoft's latest application suite. The notebook -- the same unit used in the Vista/Vista SP1 tests earlier -- featured a 2.0GHz Intel Core 2 Duo processor and 1GB of memory. The results reported a 10% speed increase under XP SP3 when compared to SP2, the service pack released in 2004.

"Since SP3 was supposed to be mostly a bug-fix/patch consolidation release, the unexpected speed boost comes as a nice bonus," Barth said. "In fact, XP SP3 is shaping up to be a 'must-have' update for the majority of users who are still running Redmond's not-so-latest and greatest desktop OS."

According to the Office performance benchmarks, Windows XP SP3 is also considerably faster than Vista SP1. "None of this bodes well for Vista, which is now more than two times slower than the most current builds of its older sibling," said Barth.

While Microsoft was not available for comment over the weekend about XP's performance, it defended Vista SP1 after Devil Mountain's first round of tests. "We appreciate the excitement to evaluate Windows Vista SP1 as soon as possible. However, the service pack is still in the development phase and will undergo several changes before being released," a spokeswoman said in an e-mail.

Microsoft has at times struggled to wean users from the six-year-old Windows XP and get them to migrate to Vista. During 2007, for example, it made several XP concessions, including adding five years to the support lifespan of the Home edition and extending OEM and retail sales of XP through June 2008, as it recognized that customers wanted to hold on to the older OS.

Recently, Forrester Research said that XP remained Vista's biggest rival, and cited survey data that showed American and European businesses would delay Vista deployment, in part because of application incompatibility issues with the new OS. "That's causing a lot of XP shops to take a wait-and-see approach to Vista," said Forrester analyst Benjamin Gray two weeks ago.

New QuickTime bug opens XP, Vista to attack

Security researchers warn that attack code targeting an unpatched bug in Apple Inc.'s QuickTime has gone public, and added that in-the-wild attacks against systems running Windows XP and Vista are probably not far behind.

There was no word as of Sunday whether the Mac OS X versions of the media player are also vulnerable.

The critical bug in QuickTime 7.2 and 7.3 (and perhaps earlier editions as well) is in the player's handling of the Real Time Streaming Protocol (RTSP), a audio/video streaming standard. According to alerts posted by Symantec Corp. and the U.S. Computer Emergency Readiness Team (US-CERT), attackers can exploit the flaw by duping users into visiting malicious or compromised Web sites hosting specially-crafted streaming content, or by convincing them to open a rigged QTL file attached to an e-mail message.

Symantec credited Polish research Krystian Kloskowski with first reporting the zero-day vulnerability on the milw0rm.com Web site Friday. By Saturday, Kloskowski and an unnamed researcher identified as "InTeL" had followed up with separate proof-of-concept examples that executed on Windows XP SP2 and Windows Vista machines running QuickTime 7.2 or 7.3.

A successful exploit would let the attacker install additional malware -- spyware or a spambot, say -- or cull the system for information like passwords. An attack that failed would likely only crash QuickTime.

A gaffe by Apple's developers, however, makes attack easier on Vista, said InTeL, who claimed that the QuickTimePlayer binary does not have Address Space Layout Randomization (ASLR) enabled. ASLR is a Vista security feature that randomly assigns data and application components, such as .exe and .dll files, to memory to make it tougher for attackers to determine the location of critical functions or vulnerable code.

Apple's forgetfulness prompted Symantec analyst Anthony Roe to note: "This makes reliable exploitation of the vulnerability a lot easier."

Another Symantec researcher, Patrick Jungles, added that QuickTime vulnerabilities usually draw attackers quickly. "In the past, we have seen a very short period of time between the release of proof-of-concept exploits for QuickTime vulnerabilities and the development of working exploits by attackers," said Jungles in a note to customers of his company's DeepSight threat network. "Popular applications such as QuickTime are strong candidates for exploitation in the wild."

Apple last patched QuickTime less than three weeks ago when it released version 7.3 to fix a number of critical image-rendering and Java-related vulnerabilities. So far in 2007, Apple has issued six QuickTime security-related updates that have fixed a total of 31 flaws.