Will Windows XP Mode Put Compatibility Before Security?

OPINION: Microsoft needs to start answering questions about Windows XP Mode security. Earlier today Larry Seltzer asked smart questions about XPM security. Microsoft needs to answer them.

Colleague Larry Seltzer raises some interesting questions about Windows XP Mode, which Microsoft plans to make available in beta sometime in the near future. XPM uses virtualization to let users run Windows XP under Windows 7. The idea: to provide a compatibility mode for older applications. The virtualized Windows XP (with Service Pack 3) integrates into the Windows 7 environment. End users will be able to install applications and access, copy or move files across the two operating systems.

Larry asks: "What of security and this new mode? XPM is Windows XP, so some advances, like ASLR (Address Space Layout Randomization) and IE Protected Mode won't work there. It is XP SP3, which helps, and Microsoft might be aggressive about some defaults, such as by turning on DEP (Data Execution Prevention) and automatic updates. All of these options would be manageable under group policies, so whatever the default a business can make it do what they want."

He rightly wonders about file system integration and the risks that might create. Biggie: security software. "A security endpoint suite for Windows 7 will not protect inside XPM by default," Larry asserts. Microsoft has released scant details about XPM, which makes any security evaluation difficult. But it's absolutely reasonable to assume that some kind of security software would be necessary, whether it comes from Microsoft or from third parties.

There are several issues that Larry and I discussed in an e-mail exchange, including licenses. For example, would vendors have to provide two separate security software licenses for two Windows versions? What about software licensing costs or installation? Perhaps Microsoft will provide a mechanism (maybe an API or file system hook) that would let security software easily install across the virtualized and non-virtualized environments. What about mixed 32-bit and 64-bit environs, where 32-bit Windows XP is virtualized running on 64-bit Windows 7?

Microsoft could offer its own security software, free, for XPM. The company has canceled Windows Live OneCare, which was available for desktops and servers. Live OneCare officially goes dark on June 30. Microsoft hasn't revealed much about the replacement, code-named "Morro," which is expected to be a full security solution including anti-virus. Security software partners/competitors like McAfee or Symantec might raise holy hell about Morro bundled with Windows 7. But Windows XP virtualized for compatibility purposes would be a tougher complaint to make. For Microsoft, bundling someplace would create precedent for the future, perhaps including anti-virus with Windows 8.

Security software is but one consideration. User Account Control is built into Windows Vista and 7 but not XP. Will policies from Windows 7 fully apply across the virtualized environment? Larry says that Microsoft could extend DEP, but could it do so easily to Internet Explorer 6?

Interestingly, most enterprises care a lot more about application compatibility than they do about security. XPM's big appeal is Windows XP app compatibility. Two weeks ago Dimensional Research released a KACE-commissioned survey about enterprise Windows 7 adoption plans. Among the majority of IT decision makers concerned about Windows 7, application compatibility ranked first (88 percent) and security ranked last (37 percent). From that perspective, XPM's application compatibility benefits could easily outweigh security concerns for many enterprises. Presumably, Microsoft will rightly address security when more information about XPM is revealed.

Apple loves to poke fun at Windows in its advertising. There's a great Apple "Get a Mac" ad somewhere with XPM, perhaps one where Windows 7 people need two operating systems to do the job of one Mac OS X. The ad could feature mirror images of the PC character talking out of sync with each other.

Joe Wilcox is editor of Microsoft Watch.