OPINION: It's a brilliant business move to break the upgrading logjam, but is it a risky security move? We don't know enough to say for sure, but it will change things in the security software business.
For business users who skipped Windows Vista, Windows 7's newly announced Windows XP Mode (XPM)
must be intriguing. Yes, you will have to cough up some serious money
for new hardware and software, but the really scary and disruptive
stuff-whether your old software will work-is far less of an issue than
it used to be.
XP Mode is a copy of Windows XP SP3 running in a special Virtual PC
VM within Windows 7. It's not just a VM; special integration allows you
to install programs inside XPM and have the icons show up on the
Windows 7 desktop, so that you can run them seemingly as first-class
Windows 7 apps. It is a free download for the Professional and Ultimate
editions of Windows 7; it will not be available for the cheap Home
The most important thing that we know about XPM at this point is
that we don't know enough to properly evaluate it. Microsoft has made
it available to very few people and little information is out there.
While, as a business matter, it does seem like a brilliant idea that
could break the logjam of upgrade reluctance Microsoft has been
fighting for the last could of years, it's also a sort of retreat. In a
way, they will be selling new Windows XP systems, and the decline of
that operating system is generally to be regarded as a positive thing
for security in the Internet community. For example, we know that malware is far more common on Windows XP than on Windows Vista.
What of security and this new mode? XPM is Windows XP, so some
advances, such as ASLR (Address Space Layout Randomization) and IE
Protected Mode won't work there. It is XP SP3, which helps, and
Microsoft might be aggressive about some defaults, such as by turning
on DEP (Data Execution Prevention) and automatic updates. All of these
options would be manageable under group policies, so whatever the
default a business can make it do what they want.
This being a virtual machine, the Windows 7 environment should be
well-protected against any malicious activity running under XPM. This
is where I disagree with the analogies some are drawing to Mac OS X
"Classic Mode" which ran OS 9 as task and emulation environment under
OS X, not as VM. Of course, that was all many years ago and nowadays
Apple would also use a VM, both for performance and security reasons.
The desktop integration of XPM indicates that the file systems
aren't completely isolated; perhaps the icons on the Windows 7 desktop
are just aliases and any connections come through a network redirector.
Presumably they need to share local Documents folders as well, and that
could also appear to the user as a network connection from one to the
other. But if you have to give sufficient rights to XPM users to write
in areas where Windows 7 users are reading, the potential for crossover
attacks is there, especially if it's not hard for XP programs to
determine that they're running in XPM.
The job of security software, and other systems software, is also
somewhat clouded by this development. A security endpoint suite for
Windows 7 will not protect inside XPM by default. I think we can expect
security companies to create a new SKU that combines a Windows XP
version with the Windows 7 version. Somehow the installations and
management need to be integrated, but once again all the big companies
have network management of endpoint solutions that will be even more
appealing in the future for this reason. And it's not just the
software; management of licenses will likely be a lot more complicated
in this system. But it's probably all worth it.
As a business matter I have to admire XPM. As a security matter it
disappoints me. It's a shame it's necessary. I hope the crossover
problems never materialize and that XP users take the opportunity to
move on to modern software.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.
For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.
In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.
Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.