With the release of Service Pack 2 for Windows XP, Microsoft has taken a significant step toward removing the security holes and insecure configurations that have made Windows such an easy target for malicious hackers and scammers—but only for 10 percent of Windows users.
For the 90 percent of Windows users who don't run Windows XP, there is no improved default configuration ridding the system of unnecessary services that are tempting targets for attackers. There is no greatly improved firewall protection. And, worst of all, there is no new version of Internet Explorer, one of the main causes of security problems in Windows (and there likely never will be).
Microsoft officials say those who want these improvements should upgrade to Windows XP. But there are many companies that have only recently completed their migrations to Windows 2000 and don't have the stomach (or budget) to start a wholesale move to XP.
And, really, the improvements in XP SP2 are fixes, not new features. They're more analogous to the faulty tires Ford replaced on its Explorer SUVs than to a new drive train.
And, come to think of it, imagine if Ford tried to get away with Microsoft's business model. If Ford rolled out a vehicle whose doors wouldn't lock and whose engine was susceptible to remote takeover, the company would have to recall and fix every affected model, not just the most recent one.
Of course, when it comes to software, vendors are never responsible for any of the problems they cause (thanks to the one-way "contracts" known as EULAs). So, basically, Microsoft gets applauded for doing something instead of nothing.
I certainly won't give Microsoft a hand for leaving 90 percent of its user base out in the cold. I don't think that's a good way to do business or earn customer loyalty.
If Microsoft wants to address Windows security problems effectively and keep the majority of its customers happy, it should release a service pack for Windows 2000 similar to XP SP2. This would greatly improve the security of a big chunk of the Windows user base, especially on the corporate side. And because the underlying architectures of Windows 2000 and Windows XP are nearly identical, this shouldn't be tough to do.
Such a service pack would improve Windows security and reliability for many more Windows systems than XP SP2 will. In addition, it might actually serve Microsoft's goal of getting companies to upgrade from Windows 2000—that is, companies would be more apt to upgrade if they saw that Microsoft isn't giving users of previous-generation operating systems the short end of the support stick.
By far, however, the most significant thing Microsoft can do to improve security is to start offering new versions of IE for all Windows systems, not just in new Windows versions.
Some suspect Microsoft is already taking this step. There has been evidence that IE development is being ramped up within Microsoft, such as some personnel reorganization into IE groups and the starting of blogs by key IE developers.
But if Microsoft does plan to release a new stand-alone version of IE, it sure is doing a good job of hiding it. In fact, on his blog, IE developer Dave Massy said, "There are currently no plans to release a new version of Internet Explorer prior to Longhorn, when it will be delivered as part of the new OS."
Let's hope that the word "currently" is the loophole here and that there will be a new IE for all Windows users. I'm glad IE's problems are causing it to lose market share—greater browser diversity will mean developers will write to standards instead of to a single platform.
But IE is still the most widely used browser out there, and an insecure version of IE on that many systems is scary.
If Microsoft really wants to show the world that security is its highest priority for all its products, the company should take care of a lot more of its users.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.