Microsoft Needs to Secure All Users—Period

Microsoft would do well to heed customer upgrade plans.

In my Aug. 23 column, I stated that Windows XP Service Pack 2 was improving security for only 10 percent of Windows users while leaving the vast majority out in the cold. I urged Microsoft to step up and serve the majority of its users, as well as improve overall Internet security, by offering a similar service pack for Windows 2000 users.

I received responses from many readers. The majority were from IT managers who said they were not in the process of moving to Windows XP and would love to see the security fixes in SP2 ported to Windows 2000.

But I also received quite a few responses questioning parts of the column. By far, the biggest disagreement was on the claim that Windows XP users represent only 10 percent of the Windows installed base.

One such response came from a reader named Bruce, who said, "Jim, according to Google's Zeitgeist, 51 percent of its users use Windows XP. A year ago, OneStat said XP was at 38 percent. You do know that XP has been out for three years and is on basically every consumer machine sold in the last three years?"

In retrospect, I definitely should have made clearer where I got the 10 percent number. During the research for eWEEK Labs' review of Windows XP SP2, the stats that we gathered included numbers stating that 20 million people have Windows XP installed while the total installed Windows user base is 200 million.

I'm not discounting what Bruce is saying, nor am I saying the numbers we used are exactly correct. (However, note that Google itself has stated that Zeitgeist is only a fun search inquiry resource and should not be used to generate statistical information.) What I am saying is that the percentages I gave in the Aug. 23 column seem more correct to me.

According to a Dell press release, 85 percent of the company's sales are corporate sales. And almost all of the corporate IT people I talk to, including some from organizations that are very Microsoft-centric, are still running mostly Windows 2000-based systems. In fact, many companies only started ordering systems with Windows XP late last year.

In addition, one needs to take into account that companies have drastically cut back on PC orders in recent years. Walk into almost any office and you'll see plenty of Pentium IIIs. These systems represent a large number of the corporate desktops out there, and most of these are not running Windows XP.

And besides, does the exact percentage matter that much? If it were closer to 50 percent, would it then be OK for 100 million Windows users to be less secure than those who had access to SP2?

Another reader, Lloyd, wondered where the resources for this Windows 2000 service pack would come from. "Who might fund this?" asked Lloyd in an e-mail message. "Microsoft or, ultimately, customers who buy commercial software? Didn't Microsoft already invest over $300 million in XP SP2?"

To Lloyd, and others who ask the same questions, I respond: How does Microsoft fund every service pack it releases? How has it been able to release versions of Internet Explorer for every version of Windows, from IE 1.x to IE 6.x? To me, taking care of your customers is a cost of doing business—and one that most companies find well worth it.

The majority of responses received were more like the one from Don, who said, "I couldn't agree with you more. Microsoft should be fixing the security bugs in all its software, not just XP. Despite its official corporate position on the security issue, Microsoft is very short [emphasis is Don's] in the delivery department."

Clearly, a large number of companies out there don't plan to move to XP soon but would like some of the security benefits of Service Pack 2. Microsoft doesn't need to port everything—for example, the firewall needn't be created for Windows 2000—but the improved default security and service settings would be simple to add to a Windows 2000 service pack. By far the biggest help would be a new, more secure version of IE for Windows 2000, and there's no reason, despite what Microsoft says, not to release one.

But customers who aren't happy with what they have now don't often upgrade. Taking care of these customers, and letting them upgrade on their own schedule, is the best way to keep them happy—and loyal.

Labs Director Jim Rapoza can be reached at
