Windows 7's XP Mode and Security

By Larry Seltzer  |  Posted 2009-04-27 Print this article Print

OPINION: It's a brilliant business move to break the upgrading logjam, but is it a risky security move? We don't know enough to say for sure, but it will change things in the security software business.

For business users who skipped Windows Vista, Windows 7's newly announced Windows XP Mode (XPM) must be intriguing. Yes, you will have to cough up some serious money for new hardware and software, but the really scary and disruptive stuff-whether your old software will work-is far less of an issue than it used to be.

XP Mode is a copy of Windows XP SP3 running in a special Virtual PC VM within Windows 7. It's not just a VM; special integration allows you to install programs inside XPM and have the icons show up on the Windows 7 desktop, so that you can run them seemingly as first-class Windows 7 apps. It is a free download for the Professional and Ultimate editions of Windows 7; it will not be available for the cheap Home version.

The most important thing that we know about XPM at this point is that we don't know enough to properly evaluate it. Microsoft has made it available to very few people and little information is out there. While, as a business matter, it does seem like a brilliant idea that could break the logjam of upgrade reluctance Microsoft has been fighting for the last could of years, it's also a sort of retreat. In a way, they will be selling new Windows XP systems, and the decline of that operating system is generally to be regarded as a positive thing for security in the Internet community. For example, we know that malware is far more common on Windows XP than on Windows Vista.

What of security and this new mode? XPM is Windows XP, so some advances, such as ASLR (Address Space Layout Randomization) and IE Protected Mode won't work there. It is XP SP3, which helps, and Microsoft might be aggressive about some defaults, such as by turning on DEP (Data Execution Prevention) and automatic updates. All of these options would be manageable under group policies, so whatever the default a business can make it do what they want.

This being a virtual machine, the Windows 7 environment should be well-protected against any malicious activity running under XPM. This is where I disagree with the analogies some are drawing to Mac OS X "Classic Mode" which ran OS 9 as task and emulation environment under OS X, not as VM. Of course, that was all many years ago and nowadays Apple would also use a VM, both for performance and security reasons.

The desktop integration of XPM indicates that the file systems aren't completely isolated; perhaps the icons on the Windows 7 desktop are just aliases and any connections come through a network redirector. Presumably they need to share local Documents folders as well, and that could also appear to the user as a network connection from one to the other. But if you have to give sufficient rights to XPM users to write in areas where Windows 7 users are reading, the potential for crossover attacks is there, especially if it's not hard for XP programs to determine that they're running in XPM.

The job of security software, and other systems software, is also somewhat clouded by this development. A security endpoint suite for Windows 7 will not protect inside XPM by default. I think we can expect security companies to create a new SKU that combines a Windows XP version with the Windows 7 version. Somehow the installations and management need to be integrated, but once again all the big companies have network management of endpoint solutions that will be even more appealing in the future for this reason. And it's not just the software; management of licenses will likely be a lot more complicated in this system. But it's probably all worth it.

As a business matter I have to admire XPM. As a security matter it disappoints me. It's a shame it's necessary. I hope the crossover problems never materialize and that XP users take the opportunity to move on to modern software.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel