From: P. Jayant on


I have not been able to locate any list of the Internet security features
included in SP3 as against the previous versions of XP: SP1 and SP2. I
discovered a new feature in O E 8 after installing SP3. There is a Spam
Folder and it appears as if any message from a party who is not in my
Address Book is sent to the Spam Folder. I can look at the Sender's name and
the subject and if I need to keep it, I can Move it to the Inbox Folder by
right clicking on the subject and selecting Move from the options; but the
Spam tag given to it remains there as a prefix to the Subject.

The second security measure I came across yesterday, involved quite a bit of
struggle. I receive various bills like the one from the Electricity Utility
Company by e-mail and pay it through Internet Banking Facility. I have
accounts in two banks and I have been paying the electricity bill for quite
a few years from one of these two banks when my system was under SP1 and
later under SP2. This bank asked me only to log in and confirm twice that I
approved paying the amount specified in the bill. But after the recent
installation of SP3 on my computer, XP refused yesterday to clear the
payment because of insufficient Merchant Data, giving Data Execution
Prevention requirement as the reason.

Since I did not know if I could resolve the problem, I decided to pay the
bill from the account in the second bank. This bank asks first for Log-in
username and password. Then it asks for the Username and Password for paying
by Internet transaction. And when that too is cleared, it displays three or
four English alphabets on the payment screen, one alphabet per box with
space for entering two digits in a box below. On the reverse of my ATM Card
from this bank are the two digits corresponding to the English alphabets.
When I read that table behind the ATM card and enter the two digits in each
box correctly, the payment is instantly made. Thus there are much stricter
security measures in the system of the second Bank: measures which
apparently fulfill the Data Execution Prevention requirement of XP3.



Could any knowledgeable user of XP3 indicate if XP3 really has introduced
this new feature for Internet transaction security? Or could there be any
other reason for the blockade?



P. Jayant


From: PA Bear [MS MVP] on
> I have not been able to locate any list of the Internet security features
> included in SP3...

List of fixes that are included in WinXP SP3
http://support.microsoft.com/kb/946480

> I discovered a new feature in O E 8 after installing SP3. There is a Spam
> Folder and it appears as if any message from a party who is not in my
> Address Book is sent to the Spam Folder.

You may be running a security suite that includes an anti-spam component but
the functionality's certainly not part of SP3.

PS: You may have installed IE8 but you're still running OE6.

PPS: The other "security measures" you're referring to are included in IE8,
not SP3.
--
IE-specific newsgroup:
news://msnews.microsoft.com/microsoft.public.internetexplorer.general

~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002



From: Anteaus on

DEP has nothing to do with online transaction security. Its role is to
(attempt to) prevent the execution of data in memory as if it were a program.
This typically arises when a buffer-overrun exploit is attempted by a
malicious site, or by badly-coded software.

Which begs the question, were you on the correct site, or did you mistype
the URL and land on a spoof/phishing page? A check of your browser's history
should tell you if that was the case. If so you should do a thorough malware
check and change your banking password.

It may of course be that the page was genuine, and the bank in question had
installed an ActiveX control containing coding mistakes which went unnoticed
without DEP. Though, that is unusual and would soon be reported to the bank
if it were the case.

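What "execution of data in memory as if it were a program" means in practice, as an added example that is not part of the thread: a small C program for Linux on x86 or AArch64 (an assumption, used here as a stand-in for DEP/NX on Windows) that places a single "return" instruction in a page and calls it, once while the page is plain data and once after it has been marked executable. The names `run_from_page` and `RET_STUB` are made up for this illustration.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Machine code for "return immediately" (the only bytes ever executed). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_STUB[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_STUB[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "this added example covers x86 and AArch64 only"
#endif

/* Copy the stub into a fresh page, set final_prot on it, and call it in a
 * child process. Returns 0 if the call returned, the fatal signal number if
 * the kernel killed the child, or -1 on a setup error. */
int run_from_page(int final_prot)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET_STUB, sizeof RET_STUB);
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET_STUB);
    int status = 0, rc = -1;
    pid_t pid = mprotect(page, len, final_prot) == 0 ? fork() : -1;
    if (pid == 0) {                       /* child: treat the data as code */
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);
        fn();
        _exit(0);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        rc = WIFSIGNALED(status) ? WTERMSIG(status)
           : (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
    munmap(page, len);
    return rc;
}

int main(void)
{
    printf("data page (rw-): %d\n", run_from_page(PROT_READ | PROT_WRITE));
    printf("code page (r-x): %d\n", run_from_page(PROT_READ | PROT_EXEC));
    return 0;
}
```

The first call is stopped by the operating system with a segmentation fault because the page was never marked executable; the same bytes run normally from a page that is. Nothing in that decision involves the web site, the bank, or the transaction data.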
From: P. Jayant on
Thanks for your comments. I did mean I E 8 and yes indeed, I am on O E 6.
Sorry for the mistake. Your clarification about D E P was useful. I shall
check my browser history to find if I had made any mistake in entering a web
address.
But does it mean that the security checks in SP3 are the same as in the
previous two service packs?

P. Jayant


From: PA Bear [MS MVP] on
[To keep track of things, it helps immensely if you quote all of the
previous message(s) in your replies to the newsgroup. Thank you.]

"Windows® XP Service Pack 3 (SP3)...includes a small number of new
functionalities, which do not significantly change customers' experience
with the operating system. This white paper summarizes what is new in
Windows XP SP3..."
http://www.microsoft.com/downloads/details.aspx?FamilyID=68c48dad-bc34-40be-8d85-6bb4f56f5110

Also see...

IE8 Security Part I: DEP/NX Memory Protection:
http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx
--
IE-specific newsgroup:
news://msnews.microsoft.com/microsoft.public.internetexplorer.general

~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

