OPINION: Microsoft needs to start answering questions about Windows XP Mode security. Earlier today Larry Seltzer asked smart questions about XPM security. Microsoft needs to answer them.
Colleague Larry Seltzer raises some interesting
questions about Windows XP Mode, which Microsoft plans to make available in
beta sometime in the near future. XPM uses virtualization to let users run
Windows XP under Windows 7. The idea: to provide a compatibility mode for older
applications. The virtualized Windows XP (with Service Pack 3) integrates into
the Windows 7 environment. End users will be able to install applications and
access, copy or move files across the two operating systems.
Larry asks: "What of security and this new mode? XPM is Windows XP, so some
advances, like ASLR (Address Space Layout Randomization) and IE Protected Mode
won't work there. It is XP SP3, which helps, and Microsoft might be aggressive
about some defaults, such as by turning on DEP (Data Execution Prevention) and
automatic updates. All of these options would be manageable under group
policies, so whatever the default a business can make it do what they want."
He rightly wonders about file system integration and the risks that might
create. Biggie: security software. "A security endpoint suite for Windows
7 will not protect inside XPM by default," Larry asserts. Microsoft has
released scant details about XPM, which makes any security evaluation
difficult. But it's absolutely reasonable to assume that some kind of security
software would be necessary, whether it comes from Microsoft or from third parties.
There are several issues that Larry and I discussed in an e-mail exchange,
including licenses. For example, would vendors have to provide two separate
security software licenses for two Windows versions? What about software
licensing costs or installation? Perhaps Microsoft will provide a mechanism,
maybe an API or file system hook, that would let
security software easily install across the virtualized and non-virtualized
environments. What about mixed 32-bit and 64-bit environs, where 32-bit Windows
XP is virtualized running on 64-bit Windows 7?
Microsoft could offer its own security software, free, for XPM. The company
has canceled Windows Live OneCare, which was available for desktops and
servers. Live OneCare officially goes dark on June 30. Microsoft hasn't
revealed much about the replacement, code-named "Morro,"
which is expected to be a full security solution including anti-virus. Security
software partners/competitors like McAfee or Symantec might raise holy hell
about Morro bundled with Windows 7. But Windows XP virtualized for
compatibility purposes would be a tougher complaint to make. For Microsoft,
bundling someplace would create precedent for the future, perhaps including
anti-virus with Windows 8.
Security software is but one consideration. User Account Control is built
into Windows Vista and 7 but not XP. Will policies from Windows 7 fully apply
across the virtualized environment? Larry says that Microsoft could extend DEP,
but could it easily extend it to Internet Explorer 6?
Interestingly, most enterprises care a lot more about application
compatibility than they do about security. XPM's big appeal is Windows XP app
compatibility. Two weeks ago Dimensional Research released a KACE-commissioned survey
about enterprise Windows 7 adoption plans. Among the majority of IT
decision makers concerned about Windows 7, application compatibility ranked
first (88 percent) and security ranked last (37 percent). From that
perspective, XPM's application compatibility benefits could easily outweigh
security concerns for many enterprises. Presumably, Microsoft will rightly
address security when more information about XPM is revealed.
Apple loves to poke fun at Windows in its advertising. There's a great Apple
"Get a Mac" ad somewhere with XPM, perhaps one where Windows 7 people need two
operating systems to do the job of one Mac OS X. The ad could feature mirror
images of the PC character talking out of sync with each other.
Joe Wilcox is editor of Microsoft Watch.