Perspective: Microsoft risks security reputation ruin by retiring XP
- 10 March, 2014 13:47
A decade ago, Microsoft kicked off SDL, or Security Development Lifecycle, a now-widely-adopted process designed to bake security into software, and began building what has become an unmatched reputation in how a vendor writes more secure code, keeps customers informed about security issues, and backs that up with regular patches.
But the company, which just touted SDL's 10-year history with a flashy, anecdote-filled online presentation, seems willing to risk torching that hard-won reputation by pulling the plug on Windows XP.
Microsoft plans to ship the final public patches for Windows XP on April 8. After that, it will not deliver fixes for security vulnerabilities it and others find in the 13-year-old operating system.
The result, even Microsoft has said, could be devastating. Last October, the company said that after April 8, Windows XP would face a future where machines are infected at a rate 66% higher than before patches stopped.
"After April, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Tim Rains, director of Microsoft's Trustworthy Computing group. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."
Microsoft has justified its stoppage of Windows XP patches by reminding everyone that it has supported the OS longer than any others, which is true: Its normal practice is to patch an operating system for 10 years. And it has argued that Windows XP is old, outdated software that is less secure than its newer operating systems: Windows 7, Windows 8 and Windows 8.1.
The problem that Microsoft has only occasionally touched on is that Windows XP powers a massive number of personal computers around the world. According to Internet measurement company Net Applications, 29.5% of the globe's PCs ran XP in February. Using estimates of the number of Windows PCs now in operation, that "user share" translates into approximately 488 million systems.
Four hundred and eighty-eight million.
If every PC sold in the next 12 months was one destined to replace an existing Windows XP system, it would take more than a year and a half -- about 20 months -- to eradicate XP. Windows XP isn't going anywhere.
Even if one discounts the 70% of the approximately 300 million XP machines in China that are not regularly updated with existing patches -- the 70% statistic comes from Microsoft -- that still leaves 278 million machines.
Microsoft has never faced this situation before, with a soon-to-be-retired OS running a third of all the Windows PCs worldwide. So on one hand it's not surprising that it has stuck to its guns, and is pushing XP into the sunset and forgetting it.
But by doing that, it could hurt itself as much as the customers who end up with an infected XP system.
There's the real possibility that large-scale infections of Windows XP will paint the Windows brand as insecure, fulfilling the implicit prophecy the company made late last year. To most people, Windows is Windows is Windows, with no distinction between XP and the newest, locked-down 8.1. And for those people, Windows is Microsoft because it's the best known of the company's software.
So if post-April headlines appear that shout, "Windows under massive attack," Microsoft's reassurances that the bug can be exploited only on XP, that newer editions of Windows are safe to use, will be lost amidst the noise.
Outside its own software, Microsoft has other reasons for worry. As the company has often said, it's not just Windows that it must keep secure, it's the entire Windows ecosystem, the gamut of software that runs on the platform. A bug in a third-party program, such as Adobe's like-a-sieve Flash Player, which has had to be patched 18 times in the face of ongoing attacks since 2010, reflects poorly not just on Adobe but also on Microsoft. That's because Windows powers 90% of the world's PCs.
That's one reason why Microsoft has reached out to third-party developers -- Adobe being just one -- to help them craft their own SDL-like processes, a fact last week's retrospective trumpeted when it said its SDL guidance had been downloaded more than 1 million times since 2008.
Co-founder and former CEO Bill Gates made the connection in an all-company email he sent in January 2002, the call to action memorandum that ultimately led to SDL. "Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create," Gates said. "Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving 'five-nines' availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services (emphasis added)."
Gates stepped down from his role as chairman of the board last month, and will spend more time at Microsoft advising new CEO Satya Nadella on product and technology issues.
By letting XP slide into retirement while it still powers so many PCs, Microsoft risks tainting the Windows brand as insecure and the Windows ecosystem as infection-prone. And if Windows XP becomes an ongoing cesspool of malware, it could ruin a decade of efforts to beef up the security of that brand and ecosystem.
The work has paid off. Most security professionals consider Microsoft the bar every other vendor should strive to meet. They have applauded the company's SDL processes, the fact it issues advisories of new threats accompanied by quick-and-dirty workarounds, its once-monthly patching schedule, and the informative -- nay, sometimes exhaustive -- descriptions of those fixed flaws and how customers can defend against them.
Microsoft has good business reasons for retiring Windows XP from support: Most of its Windows revenue comes from licensing new copies of the operating system to OEMs (original equipment manufacturers), like Lenovo, Hewlett-Packard, Dell and dozens of others, for the approximately 300 million new PCs that factories will ship this year.
If it continued to support XP, Microsoft must think, its partners would sell fewer new computers -- in the main, that's how old operating systems are replaced, not by in-place upgrades -- and it would sell fewer copies of Windows. Microsoft doesn't make money off existing computers; it makes money off new computers. (Although there are signs that that is changing as the company strives for more services revenue.)
And Microsoft not only can call those business shots, it has the right to do so. Few argue otherwise.
But it could also be argued that by quitting XP, Microsoft risks an intangible: the company's reputation, and that of Windows, in the face of large-scale malware outbreaks that infect those unprotected machines. In turn, those PCs could -- as has happened in the past -- infect others, including any running newer editions that for one reason or another have not been patched in time.
If that happens, few -- even those running Windows 7 or Windows 8.1 who have argued that users are responsible for running the most up-to-date software -- will blame those still running XP. They'll blame Microsoft, as customers always do when stuff goes south.
Microsoft must have calculated that the risk to its reputation is warranted, that the damage would be less than the reduction of revenue if it continued to support XP, and less than the reduction of future revenue that setting a precedent would mean.
Yet it has already set that precedent. When it extended XP's lifespan from the normal 10 years to almost 13, it established a policy that may need to be repeated years from now, as Windows 7, the standard edition for businesses, approaches its end of support in 2020. If Windows 8.1 and its successors don't change corporate opinion, Microsoft may be forced into acknowledging Windows 7's importance with a similar extension. It has already hinted as much by postponing the deadline by which OEMs must stop selling new business PCs with Windows 7 Professional pre-installed.
So far, Microsoft has done little but repeatedly tell customers that the end of XP is near and that they should move to Windows 8.1, either by upgrading the OS or by purchasing a new device with Windows 8.1 already installed. Both have been met with incredulity and derision by users stuck on XP.
Microsoft's one-beat drum -- Windows 8.1, Windows 8.1, only Windows 8.1 -- seems as tone-deaf as its initial refusal to recognize that customer beefs about Windows 8 were more than the usual griping. When Julie Larson-Green, then the co-lead for Windows, said last May, "We're not stubborn" about changing Windows 8, she could have been talking about the company's kill-XP strategy.
If Microsoft did decide to change direction, it has several options that have been proposed by customers, analysts and other observers.
Do a 180-degree turn and continue to patch XP. This would be the easiest to implement, but not to stomach, for Microsoft. The company could let natural replacement take its course, and keep patching XP until it reaches a lower share of all Windows PCs, that share set and publicized by Microsoft. The company could bolster its position by revealing the percentage of PCs running XP that access Windows Update, a telemetric mark it has declined to disclose, to show how prevalent XP really is, rather than make the media and customers rely on estimates from the likes of Net Applications.
Continue to support XP, but only with patches for critical vulnerabilities. Microsoft's security team has already committed to crafting patches for critical and important vulnerabilities in Windows XP, as those will be provided to enterprises that have paid $200 per PC for the first year of extra-extended support. (Those companies automatically receive all updates rated critical, but must pay extra, above and beyond the $200 per machine fee, for those pegged important.) If it did this, it would probably have to refund those moneys, or perhaps automatically ship the important updates free of charge to companies that ponied up for the additional support.
Offer the extra-extended support to everyone for a fee. Microsoft could offer a subscription to the uber-extended support to everyone, including the consumers and small- and mid-sized businesses (SMBs) not eligible for the corporate plan. Pricing the subscription would be the most difficult part of this decision: Low enough to entice a sizable number, high enough to be materially important as a replacement for the revenue Microsoft assumes it would lose in new licenses to OEMs. Customers have suggested numbers like $50 or $60 a year.
Revive Windows 7 and discount an XP-to-Windows 7 upgrade. Microsoft has already removed Windows 7 Home Premium and Windows 7 Professional from its own sales outlets, and stopped selling copies to middlemen like Newegg and Amazon. (Those retailers continue to sell the edition because they, or the distributors they rely on, have stockpiled copies.) By reviving Windows 7, and offering that as an upgrade from XP -- few XP PC owners seem interested in making the jump to the radically-redesigned Windows 8 -- Microsoft sells a license to Windows, if not to the newest Windows. A steep discount, perhaps to the $39.99 it charged customers for the Windows 7-to-Windows 8 upgrade in late 2012 and early 2013, might entice a measurable number to ditch XP. Reducing the price even further -- to the $19.99 Apple charged in 2012 for OS X 10.8, aka Mountain Lion -- should shake loose even more customers from XP, according to studies of upgrade pricing and user share changes.
Kick off a Windows XP PC trade-in program in cooperation with one or more OEMs. If Microsoft is really serious about getting XP out of circulation, one approach would be to have customers turn in their old XP-powered PCs for a new device. Microsoft has run buyback programs before -- last year it tried to goose sales of Surface tablets and Windows smartphones by paying customers for their used iOS and Android mobile devices -- and could do much the same for aged XP PCs. The deal would probably have to be limited to its own retail stores, or possibly the stores-inside-stores it's created within the Best Buy chain, because of the need to verify eligibility and assist users in moving data, settings, even applications, from the old to the new systems. But the reach of Best Buy and its Geek Squad technical assistance could make a plan like this realistic.
Such a program could advance several goals Microsoft has set. It would promote Windows 8.1 devices, and be seen as a way to boost that edition's profile as much as to eradicate XP. If the devices offered after a trade-in were in the lowest-priced category -- Microsoft has reportedly cut Windows 8.1's license fee for sub-$250 notebooks -- it might quiet the complaints from some current XP-forever users that they can't afford to upgrade, and simultaneously attack Chrome OS-based Chromebooks, the cheap laptops that Microsoft seems to be very concerned about. Additionally, a trade-in or trade-up program would bring some XP users into the Microsoft Account fold, the single sign-on used to connect to the company's services, and so into the customer pool for those services.
But because it's the most radical of moves, it's also the one least likely for Microsoft, conservative by nature, to make.
Undoubtedly, Microsoft has thought of those options, and likely many more: The company doesn't lack for brainy people, even though some of its marketing messaging has been off-key. But by the evidence -- silence most of all -- it rejected them and decided to continue the march to XP patch cut-off.
That's a shame. Because once Windows's reputation and that of the ecosystem start taking hits because unpatched XP systems become infected, it will be too late to do much more than watch that reputation swirl toward the drain.
None of the above suggestions are guaranteed to hasten the elimination of Windows XP from the rolls of active operating systems; ultimately, only time will do that. But by taking one or more of those steps, Microsoft could point to what it has done to help customers get off XP, rather than have others point out what it has not done. That could mean the difference between a tainted reputation and one still credible.
Microsoft cannot afford a stumble like the one that could result from XP turning on its owners and the company that made it, not when the PC business has stagnated, when its tablet strategy has yet to pay off and when that same strategy relies on an operating system named "Windows."