As you might imagine, I spend a lot of time speaking with folks from Microsoft, both in person and on the phone. One subject that comes up again and again is whether the software giant would ever consider using security to sell product upgrades to customers. Although most Microsoft people are quick to point out that the company's newest products will always have a security element to them, I've been told, time and again, that Microsoft isn't interested in throwing customers the hard ball. It's a matter of corporate responsibility that the company will do what it can to protect its customers.
Sadly, it's also a pragmatic truth that retrofitting older OSs with newer security features is often impossible. Part of the reason is Microsoft's integration strategy: Rather than bundle Microsoft Internet Explorer (IE) into Windows, the company has chosen instead to deeply integrate various IE components into various versions of Windows in different ways, creating a multitude of similar, but largely incompatible, code bases. So, although Microsoft was able to tack on IE security features to Windows XP Service Pack 2 (SP2), it's not a straightforward task to retrofit those IE features on other Windows versions. In fact, it might be near impossible.
For Microsoft customers waiting to hear that the new IE features in XP SP2, including pop-up blocking, safer downloads, and add-on management, will soon be available to Windows 2000, Windows NT, or Windows 9x platforms, I have bad news. It's not going to happen. You need to be running XP to get the latest IE security updates.
That requirement is a huge problem. By Microsoft's own estimates, fully 50 percent of its user base runs a version of Windows that predates XP. Although the constant delays in Longhorn, the next major version of Windows, are sure to guarantee that many more customers will upgrade to XP over the next few years, I find it inconceivable that the software giant could ignore 50 percent of its customers today.
And the news gets even worse. Microsoft also isn't porting any of the other XP SP2 security improvements, codenamed "Springboard," to any legacy Windows versions. Only Windows Server 2003 SP1 will see the addition of relevant XP SP2 security fixes. I take that to mean that Windows 2003 already includes some of the security technologies Microsoft later shipped in XP SP2.
To be fair, the Springboard information has been public knowledge since May 2004, when Microsoft Senior Vice President Bob Muglia went on a cross-country road show to speak with technology press and analysts. In response to a question about Win2K SP5, Muglia said, "There's nothing like Springboard at this point for Windows 2000. We won't do the very broad pass that we did for XP … You have to understand that with Springboard, we made hundreds and hundreds of changes to the operating system. We've done a lot of clean-up-type work that no one's really done any exploits on \[in XP SP2\], and yet we want to make sure there's no chance of that happening, so we're doing a ton of that sort of work. That's not all going back to Windows 2000." In other words, Win2K SP5 will be more like a traditional service pack, assuming it ever ships. When was the last time anyone heard anything thing about SP5?
Last week, Microsoft made its intentions for securing customers clear, although it did so not through a public statement about its plans, but rather in response to questions from the press. "We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement issued last week. "The most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible."
So there you go. Microsoft recommends that you upgrade to XP SP2 as quickly as possible. One might have expected such a self-serving recommendation to be accompanied by some sort of carrot, such as a price reduction for XP or XP support, but instead, the company is simply offering what I consider to be the most Faustian of bargains instead: Upgrade or else. I can almost picture Darth Vader clenching his fist, proclaiming, "There'll be no escape this time." The only thing separating Microsoft from the Empire is a Death Star, and I'm pretty sure Microsoft is working on one. (Sorry, I just picked up the Star Wars trilogy on DVD.)
But seriously, it's time for a little grass roots uprising here. If Microsoft has promised to support its enterprise products for a specified time period--and it has with Win2K, promising mainstream support through June 2005--then the company needs to release relevant security fixes for all its supported products, not just the new ones it wants to sell to you now. Security shouldn't be a feature of only upcoming products--it should be integral to every Microsoft product that its customers still use in volume. Microsoft should honor its commitments, and not just recommend that customers upgrade to the latest version. After all, it's easy to make a promise. The hard part is following through on that promise. And Microsoft's customers shouldn't play the doormat every time the company decides to stiff them to make its own life easier. Where's the outrage?