Microsoft should make SP2 available to all users and backport the changes to older operating systems, or they risk putting profits ahead of security yet again.
Now, that's bravery and patriotism. However, even in the midst of human nobility, there's always a weasel. All of the members of the States-General signed the Oath, sure, but one of them - Martin Dauch, a lawyer and representative of Castelnaudary - signed, but then wrote after his name one word: "opposed". Way to play both sides, Monsieur Dauch!
As most of you probably know, Microsoft is launching a major improvement to its Windows XP operating system sometime later this summer. Service Pack 2 is, according to Microsoft, particularly focused on security:
"In Windows XP Service Pack 2, Microsoft is introducing a set of security technologies that will help to improve the ability of Windows XP-based computers to withstand malicious attacks from viruses and worms. ... Together, these security technologies will help to make it more difficult to attack Windows XP, even if the latest updates are not applied. ... The goal for Service Pack 2 is to build on the Trustworthy Computing efforts of Microsoft ...."
This sounds really great. Making XP more secure would be wonderful - for Windows XP users, certainly, but also for everyone else, who has to suffer daily from the viruses, worms, spam and other flotsam and jetsam cast about the ocean of the Net. Unfortunately, it seems that the company has hired the descendants of M. Dauch as spokespersons.
On 5 May, Microsoft manager Barry Goffe was quoted in Computer Times stating that "We haven't explicitly done anything to SP2 to exclude it from pirated copies." A few days later, Microsoft issued a denial of Goffe's statement, explaining that SP2 in fact would not install on pirated copies of XP. Then, on 17 May, it was reported that Microsoft had adopted the "sign, but write 'opposed'" strategy. Some pirates could download and install SP2, but not the pirates using the twenty most widely copied serial numbers. And that's where we are now, to the best of my knowledge.
Microsoft has also made it very clear that the security enhancements in SP2 will only be available to users running Windows XP. One of the big planned beneficiaries for SP2 is going to be Internet Explorer, which, as I wrote about in my last column, has lately been as full of holes as Blackburn, Lancashire (c'mon, Beatles fans - help out the others who don't get that one). If you use Windows 2000, NT, or anything earlier, though, you have no assurance that your copy of IE will receive the same fixes. And of course, your operating system will also suffer from the same vulnerabilities as it did before. Microsoft's attitude here seems to be summed up in the words of a consultant quoted in an eWeek article: "If customers want more secure systems, then upgrade."
I can understand Microsoft's desire to protect its profits -- to a point. And I can also understand the company's desire not to appear to legitimize piracy - to a point. But Microsoft is also touting its commitment to security, as it should, since its products, never paragons of security, are lately suffering ever more serious vulnerabilities.
The problem is that they can't have it both ways -- either Microsoft is honestly committed to improving its abysmal security record, in which case it makes SP2 available to all users of XP and then backports as many of the security fixes as possible to older operating systems, or it is honestly committed to profits above all else and continues on the path it seems to have chosen. The fact is that insecure Windows operating systems and Web browsers have caused, are causing, and will continue to cause massive disruptions all over the world. Millions and millions of dollars are spent guarding against and cleaning up these messes. Untold hours of labor are involved in fixing problems. And criminals and other lowlifes continue to use the holes in Microsoft's products to further their nefarious ends.
Forget for a moment about piracy. The fact is that many organizations still rely daily upon Windows 2000. If those companies, non-profits, and users are left unsecured, all of their Internet traffic potentially threatens the rest of us. Microsoft has an obligation to its users, and, in fact, to all Internet users, to ensure that its security fixes and updates are available to as many users of its software as possible. The company's size, breadth of reach, and security record necessitate such a move. If Microsoft is serious about security, then it needs to act like it.
Microsoft may hope that withholding SP2 from users it deems "undesirable" will force them to either upgrade from older systems to the latest and greatest, or abandon pirated copies and buy the genuine article. But I have my doubts. When word got out into the streets about Martin Dauch's vacillation, the president of the States-General allowed Dauch to escape through the back of the tennis court in order to avoid a hostile mob. As security pros, it's our job to make sure that Microsoft, when it comes to its latest Service Pack, doesn't sneak out through the back door.