Windows 7's XP Mode and Security

OPINION: It's a brilliant business move to break the upgrading logjam, but is it a risky security move? We don't know enough to say for sure, but it will change things in the security software business.

For business users who skipped Windows Vista, Windows 7's newly announced Windows XP Mode (XPM) must be intriguing. Yes, you will have to cough up some serious money for new hardware and software, but the really scary and disruptive stuff-whether your old software will work-is far less of an issue than it used to be.

XP Mode is a copy of Windows XP SP3 running in a special Virtual PC VM within Windows 7. It's not just a VM; special integration allows you to install programs inside XPM and have the icons show up on the Windows 7 desktop, so that you can run them seemingly as first-class Windows 7 apps. It is a free download for the Professional and Ultimate editions of Windows 7; it will not be available for the cheap Home version.

The most important thing that we know about XPM at this point is that we don't know enough to properly evaluate it. Microsoft has made it available to very few people and little information is out there. While, as a business matter, it does seem like a brilliant idea that could break the logjam of upgrade reluctance Microsoft has been fighting for the last could of years, it's also a sort of retreat. In a way, they will be selling new Windows XP systems, and the decline of that operating system is generally to be regarded as a positive thing for security in the Internet community. For example, we know that malware is far more common on Windows XP than on Windows Vista.

What of security and this new mode? XPM is Windows XP, so some advances, such as ASLR (Address Space Layout Randomization) and IE Protected Mode won't work there. It is XP SP3, which helps, and Microsoft might be aggressive about some defaults, such as by turning on DEP (Data Execution Prevention) and automatic updates. All of these options would be manageable under group policies, so whatever the default a business can make it do what they want.

This being a virtual machine, the Windows 7 environment should be well-protected against any malicious activity running under XPM. This is where I disagree with the analogies some are drawing to Mac OS X "Classic Mode" which ran OS 9 as task and emulation environment under OS X, not as VM. Of course, that was all many years ago and nowadays Apple would also use a VM, both for performance and security reasons.

The desktop integration of XPM indicates that the file systems aren't completely isolated; perhaps the icons on the Windows 7 desktop are just aliases and any connections come through a network redirector. Presumably they need to share local Documents folders as well, and that could also appear to the user as a network connection from one to the other. But if you have to give sufficient rights to XPM users to write in areas where Windows 7 users are reading, the potential for crossover attacks is there, especially if it's not hard for XP programs to determine that they're running in XPM.

The job of security software, and other systems software, is also somewhat clouded by this development. A security endpoint suite for Windows 7 will not protect inside XPM by default. I think we can expect security companies to create a new SKU that combines a Windows XP version with the Windows 7 version. Somehow the installations and management need to be integrated, but once again all the big companies have network management of endpoint solutions that will be even more appealing in the future for this reason. And it's not just the software; management of licenses will likely be a lot more complicated in this system. But it's probably all worth it.

As a business matter I have to admire XPM. As a security matter it disappoints me. It's a shame it's necessary. I hope the crossover problems never materialize and that XP users take the opportunity to move on to modern software.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.