OPINION: It's a brilliant business move to break the upgrading logjam, but is it a risky security move? We don't know enough to say for sure, but it will change things in the security software business.
For business users who skipped Windows Vista, Windows 7's newly announced Windows XP Mode (XPM)
must be intriguing. Yes, you will have to cough up some serious money
for new hardware and software, but the really scary and disruptive
stuff-whether your old software will work-is far less of an issue than
it used to be.
XP Mode is a copy of Windows XP SP3 running in a special Virtual PC
VM within Windows 7. It's not just a VM; special integration allows you
to install programs inside XPM and have the icons show up on the
Windows 7 desktop, so that you can run them seemingly as first-class
Windows 7 apps. It is a free download for the Professional and Ultimate
editions of Windows 7; it will not be available for the cheap Home
The most important thing that we know about XPM at this point is
that we don't know enough to properly evaluate it. Microsoft has made
it available to very few people and little information is out there.
While, as a business matter, it does seem like a brilliant idea that
could break the logjam of upgrade reluctance Microsoft has been
fighting for the last could of years, it's also a sort of retreat. In a
way, they will be selling new Windows XP systems, and the decline of
that operating system is generally to be regarded as a positive thing
for security in the Internet community. For example, we know that malware is far more common on Windows XP than on Windows Vista
What of security and this new mode? XPM is Windows XP, so some
advances, such as ASLR (Address Space Layout Randomization) and IE
Protected Mode won't work there. It is XP SP3, which helps, and
Microsoft might be aggressive about some defaults, such as by turning
on DEP (Data Execution Prevention) and automatic updates. All of these
options would be manageable under group policies, so whatever the
default a business can make it do what they want.
This being a virtual machine, the Windows 7 environment should be
well-protected against any malicious activity running under XPM. This
is where I disagree with the analogies some are drawing to Mac OS X
"Classic Mode" which ran OS 9 as task and emulation environment under
OS X, not as VM. Of course, that was all many years ago and nowadays
Apple would also use a VM, both for performance and security reasons.
The desktop integration of XPM indicates that the file systems
aren't completely isolated; perhaps the icons on the Windows 7 desktop
are just aliases and any connections come through a network redirector.
Presumably they need to share local Documents folders as well, and that
could also appear to the user as a network connection from one to the
other. But if you have to give sufficient rights to XPM users to write
in areas where Windows 7 users are reading, the potential for crossover
attacks is there, especially if it's not hard for XP programs to
determine that they're running in XPM.
The job of security software, and other systems software, is also
somewhat clouded by this development. A security endpoint suite for
Windows 7 will not protect inside XPM by default. I think we can expect
security companies to create a new SKU that combines a Windows XP
version with the Windows 7 version. Somehow the installations and
management need to be integrated, but once again all the big companies
have network management of endpoint solutions that will be even more
appealing in the future for this reason. And it's not just the
software; management of licenses will likely be a lot more complicated
in this system. But it's probably all worth it.
As a business matter I have to admire XPM. As a security matter it
disappoints me. It's a shame it's necessary. I hope the crossover
problems never materialize and that XP users take the opportunity to
move on to modern software.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.