Microsoft: No TCP/IP patches for you, XP

Posted: under Microsoft, XP.

Microsoft late last week said it won’t patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008.

 

The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.

 

“We’re talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,” said security program manager Adrian Stone during Microsoft’s monthly post-patch Webcast, referring to Windows 2000 and XP.

 

“An update for Windows XP will not be made available,” Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast.

 

Last Tuesday, Microsoft said that it wasn’t patching Windows 2000 because creating a fix was “infeasible.”

 

The bugs in question are in Windows’ implementation of TCP/IP, the Internet’s core suite of networking protocols. All three of the vulnerabilities covered by the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows 2000 Server and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.

 

In the revised advisory, Microsoft explained why it won’t patch Windows XP, the world’s most popular operating system. “By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,” the company said. “Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network.”

 

Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. “A system would become unresponsive due to memory consumption … [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases.”

 

Microsoft rated the two vulnerabilities “important” on Windows 2000 and “low” on XP. The company uses a four-step severity scale, where “low” is the least dangerous, followed in ascending order by “moderate,” “important” and “critical.”

 

The same two bugs were ranked “moderate” for Vista and Server 2008, while a third — which doesn’t affect the older operating systems — was rated “critical.”

 

During the Q&A, however, Windows users repeatedly asked Microsoft’s security team to explain why it wasn’t patching XP, or if, in certain scenarios, their machines might be at risk. “We still use Windows XP and we do not use Windows Firewall,” read one of the user questions. “We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn’t then Windows XP be vulnerable to this?”

 

“Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits,” replied Stone and Bryant.
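The exchange above turns on whether an XP host actually has a TCP service listening and reachable through the host firewall; Microsoft’s “not affected by default” claim rests on that. The script below is an added example, not code from the article or from Microsoft: it reads saved output of `netstat -ano` and `netsh firewall show state` (both present on XP SP2 and later) and lists the TCP listeners a remote host could connect to. The sample outputs embedded in it are constructed, and the column layout they assume is that of XP’s netstat and netsh; check it against a real host before relying on the result.

```python
"""Added check (not from the article): which TCP listeners on a Windows XP
host are reachable from the network, i.e. the precondition the MS09-048
advisory says a default XP install lacks.

Input is the saved text of `netstat -ano` and `netsh firewall show state`
(run them on the XP box and redirect to files).  The samples below are
constructed to match XP's column layout, not captured from a real host.
"""
import re

# Constructed sample of `netstat -ano` on XP: one loopback-only listener,
# three listeners on all interfaces, one established connection, one UDP.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1096
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1460
  TCP    192.168.1.20:1058      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    780
"""

# Constructed sample of `netsh firewall show state` on XP SP2 with the
# firewall on and a Remote Desktop exception (TCP 3389) configured.
NETSH_SAMPLE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
"""

# TCP line in LISTENING state: capture bound address, port and owning PID.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def tcp_listeners(netstat_text):
    """Return {port: pid} for TCP sockets in LISTENING state bound to
    anything other than loopback.  A loopback-only listener cannot be hit
    by the remote packet flood the advisory describes, so it is skipped."""
    result = {}
    for addr, port, pid in LISTEN_RE.findall(netstat_text):
        if addr.startswith("127."):
            continue
        result[int(port)] = int(pid)
    return result


def firewall_state(netsh_text):
    """Return (enabled, open_tcp_ports) parsed from `netsh firewall show state`.

    When 'Exception mode' is Disable the firewall ignores its exception list
    and blocks all unsolicited inbound traffic, so open_tcp_ports is empty."""
    def mode(name):
        m = re.search(r"^%s\s*=\s*(\w+)" % name, netsh_text, re.M)
        return bool(m) and m.group(1).lower() == "enable"

    enabled = mode("Operational mode")
    if not mode("Exception mode"):
        return enabled, set()
    open_ports = {int(p) for p, proto in
                  re.findall(r"^(\d+)\s+(TCP|UDP)\s", netsh_text, re.M)
                  if proto == "TCP"}
    return enabled, open_ports


def reachable_listeners(netstat_text, netsh_text):
    """Listeners a remote host can actually connect to: every non-loopback
    listener when the firewall is off, otherwise only those with an
    exception in the firewall's open-port list."""
    listeners = tcp_listeners(netstat_text)
    enabled, open_ports = firewall_state(netsh_text)
    if not enabled:
        return listeners
    return {p: pid for p, pid in listeners.items() if p in open_ports}


if __name__ == "__main__":
    exposed = reachable_listeners(NETSTAT_SAMPLE, NETSH_SAMPLE)
    if not exposed:
        print("No TCP listener is reachable from the network.")
    for port, pid in sorted(exposed.items()):
        print("TCP port %d (PID %d) is reachable from the network" % (port, pid))
```

Run on the constructed sample, only TCP 3389 (the Remote Desktop exception from the user’s question) is reported; with “Operational mode = Disable” every non-loopback listener is reported, which is the situation of a site that turned Windows Firewall off in favour of a third-party product. A third-party host firewall is not parsed here and would need its own check.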

 

Another user asked them to spell out the conditions under which Microsoft won’t offer patches for still-supported operating systems. Windows 2000 Server SP4, for example, is due to receive security updates until July 2010; Windows XP’s support doesn’t expire until April 2014.

 

Stone’s and Bryant’s answer: “We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so.”

 

Skipping patches is very unusual for Microsoft. According to Stone and Bryant, the last time it declined to patch a vulnerability in a supported edition of Windows was in March 2003, when it said it wouldn’t fix a bug in Windows NT 4.0. Then, it explained the omission in language very similar to what it used when it said it wouldn’t update Windows 2000.

 

“Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability,” Microsoft said at the time.

Comments (0) Sep 16 2009

Skipping Vista

Posted: under Microsoft, Vista, Windows 7, XP.

Despite the fact that Windows 7 is almost cooked, a leaked Microsoft memo suggests that XP may live on past its May 30, 2009 retirement date.

 

The leaked internal memo outlines how Microsoft will grant HP the right to continue downgrading Vista systems to XP. The memo does, however, go on to suggest that HP should be clear with customers about support:

 

It’s important to remind customers that Microsoft are still planning to retire XP Pro Mainstream support on April 14, 2009 and will only provide OS security updates beyond that date unless the customer has an Extended Hotfix Support contract. MS Extended Support for XP Pro ends on April 8th, 2014.

 

Unconfirmed rumors go further and suggest that Microsoft will allow HP to ship XP until April 30, 2010. If this XP extension has been granted to HP, it will almost certainly be extended to other OEMs too.

 

It is worth bearing in mind that the EULAs for both Vista Business and Ultimate allow users to downgrade, so this right will remain in effect for the entire lifetime of the OS.

 

With Windows XP still commanding a 63% market share, netbook popularity continuing to rise, and Windows 7 still several months away, Microsoft needs an OS to cater for those who won’t touch Vista with a 20 foot pole. Rather than give those folks an excuse to look at Linux, it’s in Microsoft’s interests to continue to make XP seem relevant. That said, since downgrade rights exist for Business and Ultimate, as well as volume licensing customers, I think that all this leaked memo is about is making sure that OEMs remind customers of the support implications of choosing to downgrade from Vista, so they know what they are getting into upfront.

 

I’ve spoken to a lot of people who have made the conscious decision to skip Vista. Some base these decisions on good judgment, others on shakier judgment. It doesn’t really matter what the reason is. However, as I’ve pointed out many times before, anyone who is still using XP needs to have an escape route planned. The problem isn’t so much related to XP itself, but that vendors, in particular security vendors, are going to start dropping XP support in products as soon as they have to support both Vista and 7.

 

My guess is that most of those who are currently anti-Vista will move to Windows 7. While many have told me that they will be looking to Mac or Linux, I really don’t see this being realistically taken up by many.

Comments (0) Apr 09 2009

Vista to XP ‘downgrade’ lawsuit revised

Posted: under I.T. News, Microsoft, Vista, XP.

A US woman who is suing Microsoft for allegedly charging her extra to downgrade from Windows Vista to XP had the lawsuit revised late last week.

 

Emma Alvarado of Los Angeles, California amended her complaint at the Seattle federal court last Thursday.

 

She repeated her charges, first filed on 11 February, in which Alvarado claimed that Microsoft abused its dominant market position by requiring consumers to buy computers pre-installed with Vista and then getting them to cough up additional cash to “downgrade” to XP.

 

However, according to Computerworld, the revised lawsuit goes into much greater detail about how Microsoft allegedly profits from its Vista downgrade practices.

 

“Microsoft has used its market power to take advantage of consumer demand for the Windows XP operating system by requiring consumers to purchase a PC that includes a licence for the use of the Vista operating system and to pay money (as part of the overall purchase price of the PC) to downgrade to the Windows XP Professional operating system,” reads the suit.

 

Her complaint hinges on allegations that Microsoft forced individuals running Vista Basic to first upgrade to Vista Business or Vista Ultimate and then pay a further licence fee to downgrade to XP Professional.

 

The suit also points out that XP Professional - Microsoft’s most expensive edition of the operating system - was the only version users were allowed to downgrade to from Vista.

 

Alvarado, who is seeking class action status in the lawsuit, claimed that Microsoft adjusted its rules to “inflate its sales figures for Vista”.

 

She also cited a $130 fee incurred by a customer wishing to go through the downgrade process.

 

Microsoft once again dismissed the claims and repeated the statement it issued last month when the lawsuit landed at its door.

 

“Microsoft does not charge or receive any additional royalty if a customer exercises those [downgrade from Vista to XP] rights. Some customers may choose or need to obtain media or installation services from third parties to install the downgrade version.”

Comments (0) Mar 10 2009

Sanity check: Five reasons why Windows Vista failed

Posted: under I.T. News, Microsoft, Vista, Windows 7, XP.

On Friday, Microsoft gave computer makers a six-month extension for offering Windows XP on newly-shipped PCs. While this doesn’t impact enterprise IT — because volume licensing agreements will allow IT to keep installing Windows XP for many years to come — the move is another symbolic nail in Vista’s coffin.

 

The public reputation of Windows Vista is in shambles, as Microsoft itself tacitly acknowledged in its Mojave ad campaign.

 

IT departments are largely ignoring Vista. In June (18 months after Vista’s launch), Forrester Research reported that just 8.8% of enterprise PCs worldwide were running Vista. Meanwhile, Microsoft appears to have put Windows 7 on an accelerated schedule that could see it released in 2010. That will provide IT departments with all the justification they need to simply skip Vista and wait to eventually standardize on Windows 7 as the next OS for business.

 

So how did Vista get left holding the bag? Let’s look at the five most important reasons why Vista failed.

 

5. Apple successfully demonized Vista

 

Apple’s clever I’m a Mac ads have successfully driven home the perception that Windows Vista is buggy, boring, and difficult to use. After taking two years of merciless pummeling from Apple, Microsoft recently responded with its I’m a PC campaign in order to defend the honor of Windows. This will likely restore some mojo to the PC and Windows brands overall, but it’s too late to save Vista’s perception as a dud.

 

4. Windows XP is too entrenched

 

In 2001, when Windows XP was released, there were about 600 million computers in use worldwide. Over 80% of them were running Windows, but it was split between two code bases: Windows 95/98 (65%) and Windows NT/2000 (26%), according to IDC. One of the big goals of Windows XP was to unite the Windows 9x and Windows NT code bases, and it eventually accomplished that.

 

In 2008, there are now over 1.1 billion PCs in use worldwide and over 70% of them are running Windows XP. That means almost 800 million computers are running XP, which makes it the most widely installed operating system of all time. That’s a lot of inertia to overcome, especially for IT departments that have consolidated their deployments and applications around Windows XP.

 

And, believe it or not, Windows XP could actually increase its market share over the next couple years. How? Low-cost netbooks and nettops are going to be flooding the market. While these inexpensive machines are powerful enough to provide a solid Internet experience for most users, they don’t have enough resources to run Windows Vista, so they all run either Windows XP or Linux. Intel expects this market to explode in the years ahead.

 

3. Vista is too slow

 

For years Microsoft has been criticized by developers and IT professionals for “software bloat” — adding so many changes and features to its programs that the code gets huge and unwieldy. However, this never seemed to have enough of an effect to impact software sales. With Windows Vista, software bloat appears to have finally caught up with Microsoft.

 

Vista has over 50 million lines of code. XP had 35 million when it was released, and since then it has grown to about 40 million. This software bloat has had the effect of slowing down Windows Vista, especially when it’s running on anything but the latest and fastest hardware. Even then, the latest version of Windows XP soundly outperforms the latest version of Windows Vista. No one wants to use a new computer that is slower than their old one.

 

2. There wasn’t supposed to be a Vista

 

It’s easy to forget that when Microsoft launched Windows XP it was actually trying to change its OS business model to move away from shrink-wrapped software and convert customers to software subscribers. That’s why it abandoned the naming convention of Windows 95, Windows 98, and Windows 2000, and instead chose Windows XP.

 

The XP stood for “experience” and was part of Microsoft’s .NET Web services strategy at the time. The master plan was to get users and businesses to pay a yearly subscription fee for the Windows experience — XP would essentially be the on-going product name but would include all software upgrades and updates, as long as you paid for your subscription. Of course, it would disable Windows on your PC if you didn’t pay. That’s why product activation was coupled with Windows XP.

 

Microsoft released Windows XP and Office XP simultaneously in 2001 and both included product activation and the plan to eventually migrate to subscription products. However, by the end of 2001 Microsoft had already abandoned the subscription concept with Office, and quickly returned to the shrink-wrapped business model and the old product development model with both products.

 

The idea of doing incremental releases and upgrades of its software — rather than a major shrink-wrapped release every 3-5 years — was a good concept. Microsoft just couldn’t figure out how to make the business model work, but instead of figuring out how to get it right, it took the easy route and went back to an old model that was simply not very well suited to the economic and technical realities of today’s IT world.

 

1. It broke too much stuff

 

One of the big reasons that Windows XP caught on was because it had the hardware, software, and driver compatibility of the Windows 9x line plus the stability and industrial strength of the Windows NT line. The compatibility issue was huge. Having a single, highly-compatible Windows platform simplified the computing experience for users, IT departments, and software and hardware vendors.

 

Microsoft either forgot or disregarded that fact when it released Windows Vista, because, despite a long beta period, a lot of existing software and hardware were not compatible with Vista when it was released in January 2007. Since many important programs and peripherals were unusable in Vista, that made it impossible for a lot of IT departments to adopt it. Many of the incompatibilities were the result of tighter security.

 

After Windows was targeted by a nasty string of viruses, worms, and malware in the early 2000s, Microsoft embarked on the Trustworthy Computing initiative to make its products more secure. One of the results was Windows XP Service Pack 2 (SP2), which won over IT and paved the way for XP to become the world’s most widely deployed OS.

 

The other big piece of Trustworthy Computing was the even-further-locked-down version of Windows that Microsoft released in Vista. This was definitely the most secure OS that Microsoft had ever released, but the price was user-hostile features such as UAC, a far more complicated set of security prompts that accompanied many basic tasks, and a host of software incompatibility issues. In other words, Vista broke a lot of the things that users were used to doing in XP.

 

Bottom line

 

There are some who argue that Vista is actually more widely adopted than XP was at this stage after its release, and that it’s highly likely that Vista will eventually replace XP in the enterprise. I don’t agree. With XP, there were clear motivations to migrate: bring Windows 9x machines to a more stable and secure OS and bring Windows NT/2000 machines to an OS with much better hardware and software compatibility. And, you also had the advantage of consolidating all of those machines on a single OS in order to simplify support.

 

With Vista, there are simply no major incentives for IT to use it over XP. Security isn’t even that big of an issue because XP SP2 (and above) are solid and most IT departments have it locked down quite well. As I wrote in the article Prediction: Microsoft will leapfrog Vista, release Windows 7 early, and change its OS business, Microsoft needs to abandon the strategy of releasing a new OS every 3-5 years and simply stick with a single version of Windows and release updates, patches, and new features on a regular basis. Most IT departments are essentially already on a subscription model with Microsoft so the business strategy is already in place there.

 

As far as the subscription model goes for small businesses and consumers, instead of disabling Windows on a user’s PC if they don’t renew their subscription, just don’t allow that machine to get any more updates until they renew. Microsoft could also work with OEMs to sell something like a three-year subscription to Windows with every new PC. Then users would have the choice of renewing on their own after that.

Comments (0) Feb 24 2009