Security threats Toolkit

Want secure IE? Then upgrade to XP...

Tags:
Windows XP,
IE,
Internet Explorer

Paul Festa CNET News

Published: 23 Sep 2004 15:05 BST

If you're one of about 200 million people using older versions of Windows and you want the latest security enhancements to Internet Explorer, get your credit card ready.

Microsoft this week reiterated that it would keep the new version of Microsoft's IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2. The upgrade to XP from any previous Windows versions is $99 when ordered from Microsoft. Starting from scratch, the OS costs $199.

That, say analysts, is a steep price to pay to secure a browser that swept the market as a free, standalone product.

"It's a problem that people should have to pay for a whole OS upgrade to get a safe browser," said Michael Cherry, analyst with Directions on Microsoft. "It does look like a certain amount of this is to encourage upgrade to XP."

Microsoft affirmed that its recent security improvements to IE would be made available only to XP users.

"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement. "The most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible."

The Internet's security mess has proved profitable for many companies, particularly antivirus firms. Microsoft has declared security job number one.

By refusing to offer IE's security upgrades to users of older OSes except through paid upgrades to XP, Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point.

That lemonade comes in the midst of a painfully dry spell for the company's operating system business.

Three years have passed since Microsoft introduced its last new OS, and its upcoming release, code-named Longhorn, has been plagued by delays. Microsoft last month scaled back technical ambitions for Longhorn in order to meet a 2006 deadline.

While Wall Street anxiously awaits an operating system release that can produce revenues until Longhorn appears, Microsoft is eyeing the nearly half of the world's 390 million Windows users who have opted to stick with older OSes than XP, including Windows 2000, Windows ME, Windows 98 and Windows 95.

Microsoft denied it was deliberately capitalising on the Internet's security woes to stimulate demand for XP.

"Microsoft is not using security issues or any security situation to try to drive upgrades," said a company representative. "But it only makes sense that the latest products are the most secure."

Microsoft has maintained that the browser is part of the operating system, a point of contention in its antitrust battle with the US government.

Last year, the company ruled out future releases of IE as a standalone product. This week, the company reiterated that stance.

"IE has been a part of the operating system since its release," said the Microsoft representative. "IE is a feature of Windows."

When asked about IE's origin as a free, standalone product, the representative said, "You're talking in software terms that might be considered ancient history."

Microsoft promised "ongoing security updates" for all supported versions of Windows and IE.

Those ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month. Those include a new pop-up blocker and a new system of handling ActiveX controls and downloaded content.

And it's those more substantial changes, rather than the bug fixes that come with routine upgrades for supported products, that security organisations have lauded for addressing IE's graver security concerns.

Now it's unclear whether even half the Windows world will have access to the shored up IE.

"It's particularly bothersome if a product is in mainstream support, because what does mainstream support mean then?" said Directions on Microsoft's Cherry.

Microsoft currently commands about 94 percent of the worldwide OS market measured by software shipments, according to IDC. (That number factors in revenue-producing copies of the open-source Linux OS, but not free ones).

Of Microsoft's approximately 390 million operating system installations around the world, Windows XP Pro constitutes 26.1 percent, Windows XP Home 24.7 percent, IDC said.

The remaining 49.2 percent is composed of Windows 2000 Professional (17.5 percent), Windows 98 (14.9 percent), Windows Me (6.5 percent), Windows 95 (5.4 percent), and Windows NT Workstation (4.9 percent).

Those 49.2 percent of Windows users are left out in the cold when it comes to significant updates to IE and other software.

People running IE without SP2 face an array of security scenarios, many of them linked to lax security associated with the ActiveX API, or application programming interface.

SP2 also brought IE up to date with its competitors with a robust pop-up blocker.

"Although I can understand the reasons why Microsoft would like to simplify its internal processes, I'm not in favour of bundling security patches, bug fixes and new features into one package," said IDC Vice President Dan Kusnetsky. "Organisations wanting only security-related updates or just a specific new feature are forced to make an all-or-nothing choice."