[ISN] Microsoft: To secure IE, upgrade to XP

InfoSec News isn at c4i.org
Fri Sep 24 03:34:49 EDT 2004


By Paul Festa 
Staff Writer, CNET News.com
September 23, 2004

If you're one of about 200 million people using older versions of
Windows and you want the latest security enhancements to Internet
Explorer, get your credit card ready.

Microsoft this week reiterated that it would keep the new version of
Microsoft's IE Web browser available only as part of the recently
released Windows XP operating system, Service Pack 2. The upgrade to
XP from any previous Windows versions is $99 when ordered from
Microsoft. Starting from scratch, the operating system costs $199.

That, analysts say, is a steep price to pay to secure a browser that
swept the market as a free, standalone product.

"It's a problem that people should have to pay for a whole OS upgrade
to get a safe browser," said Michael Cherry, analyst with Directions
on Microsoft in Redmond, Wash. "It does look like a certain amount of
this is to encourage upgrade to XP."

Microsoft affirmed that its recent security improvements to IE would
be made available only to XP users.

"We do not have plans to deliver Windows XP SP2 enhancements for
Windows 2000 or other older versions of Windows," the company said in
a statement. "The most secure version of Windows today is Windows XP
with SP2. We recommend that customers upgrade to XP and SP2 as quickly
as possible."

The Internet's security mess has proved profitable for many companies,
particularly antivirus firms. Microsoft has declared security job No.  

By refusing to offer IE's security upgrades to users of older
operating systems except through paid upgrades to XP, Microsoft may be
turning the lemons of its browser's security reputation into the
lemonade of a powerful upgrade selling point.

That lemonade comes in the midst of a painfully dry spell for the
company's operating system business.

Three years have passed since Microsoft introduced its last new
operating system, and its upcoming release, code-named Longhorn, has
been plagued by delays. Microsoft last month scaled back technical
ambitions for Longhorn in order to meet a 2006 deadline.

While Wall Street anxiously awaits an operating system release that
can produce revenues until Longhorn appears, Microsoft is eyeing the
nearly half of the world's 390 million Windows users who have opted to
stick with operating systems older than XP, including Windows versions
2000, ME, 98 and 95.

"Ancient history"

Microsoft denied it was deliberately capitalizing on the Internet's
security woes to stimulate demand for XP.

"Microsoft is not using security issues or any security situation to
try to drive upgrades," said a company representative. "But it only
makes sense that the latest products are the most secure."

Microsoft has maintained that the browser is part of the operating
system, a point of contention in its antitrust battle with the U.S.  

Last year, the company ruled out future releases of IE as a standalone
product. This week, the company reiterated that stance.

"IE has been a part of the operating system since its release," said
the Microsoft representative. "IE is a feature of Windows."

When asked about IE's origin as a free, standalone product, the
representative said, "You're talking in software terms that might be
considered ancient history."

Microsoft promised "ongoing security updates" for all supported
versions of Windows and IE.

The ongoing security updates do not, as Microsoft points out, include
the latest security fixes with Service Pack 2, released last month.  
Those include a new pop-up blocker and a new system of handling
ActiveX controls and downloaded content.

And it's those more substantial changes, rather than the bug fixes
that come with routine upgrades for supported products, that security
organizations have lauded for addressing IE's graver security

Now it's unclear whether even half the Windows world will have access
to the shored-up IE.

"It's particularly bothersome if a product is in mainstream support,
because what does mainstream support mean then?" said Directions on
Microsoft's Cherry.

Microsoft currently commands about 94 percent of the worldwide
operating system market measured by software shipments, according to
IDC. (That number factors in revenue-producing copies of the
open-source Linux operating system, but not free ones.)

Of Microsoft's approximately 390 million operating system
installations around the world, Windows XP Pro constitutes 26.1
percent, Windows XP Home 24.7 percent, IDC said.

The remaining 49.2 percent is composed of Windows 2000 Professional
(17.5 percent), Windows 98 (14.9 percent), Windows ME (6.5 percent),
Windows 95 (5.4 percent), and Windows NT Workstation (4.9 percent).

That 49.2 percent of Windows users are left out in the cold when it
comes to significant updates to IE and other software.

People running Internet Explorer without SP2 face an array of security
scenarios, many of them linked to lax security associated with the
ActiveX API, or application programming interface.

SP2 also brought IE up to date with its competitors with a robust
pop-up blocker.

"Although I can understand the reasons why Microsoft would like to
simplify its internal processes, I'm not in favor of bundling security
patches, bug fixes and new features into one package," said IDC Vice
President Dan Kusnetzky. "Organizations wanting only security-related
updates or just a specific new feature are forced to make an
all-or-nothing choice."

Firefox in the hunt

While organizations and individuals weigh the merits of all and
nothing with respect to Windows and IE, a competing open-source
browser may benefit from Microsoft's decision to reserve SP2's browser
upgrades for XP users.

The Mozilla Foundation's Firefox browser is potentially eroding
Microsoft's overwhelming market share even prior to its final version
1.0 release. Last week's release of the first preview release of
Firefox 1.0 blew past its 10-day goal of 1 million downloads in just
more than 4 days.

Firefox, Apple Computer's Safari browser and Opera Software's desktop
browser together command a mere sliver of market share. But features
such as tabbed browsing and earlier adoption of pop-up controls have
won them adherents among potentially influential early adopters and
technology buffs.

Even some Microsoft bloggers have admitted to liking Firefox.

With Longhorn still years away, Microsoft is feeling the heat to
produce a browser.

That heat has come in many forms, from grassroots campaigns by Web
developers urging people to switch from IE to Firefox and other
alternatives, to Mozilla's own marketing push, to a steady drumbeat of
lacerating Web log and newsgroup posts decrying IE's years of

"I've always wondered what the problem is with the IE team," one
respondent wrote in a feedback thread on IE evangelist Dave Massy's
blog. "I mean, it's just a browser. You need to render a page based on
well-documented standards...and that's it! You've opted to not have
tabbed browsing or any other personalization. It's just a window shell
and the browser content...I wonder if there are only like four people
who work on IE or something? I seriously don't get it."

Massy and others have defended the company by explaining that recent
development efforts have been geared at security improvements.

A representative for Firefox, which will face security scrutiny of its
own should it make good on its competitive threat to IE, said any
pressure it was exerting on Microsoft to update IE was evidence of its

"IE users need all the help they can get," said Mozilla Foundation
spokesman Bart Decrem. "And we're trying to help them. If Microsoft
will help them, all the better. At the end of the day, the mission of
the Mozilla Foundation is to provide meaningful choice, and the reason
there hasn't been a lot of innovation from the dominant provider is
because of their monopoly position. So if they are forced to innovate
and respond to the success of Firefox, we are achieving our mission."

Some analysts say Microsoft's reluctance to issue SP2's browser
security features to non-XP users has as much to do with being
shorthanded as wanting to drive XP adoption.

"Their main focus now is on Longhorn IE," said Matt Rosoff, another
analyst with Directions on Microsoft. "It's a staffing and a cost

Rosoff agreed that Firefox and other second-tier browsers might
benefit from Microsoft's IE distribution policies, but he noted that
the vast majority of consumers are far less likely to download a
browser than the typical Firefox early adopter.

"From a consumer standpoint, I think evaluating other browsers makes
sense," Rosoff said. "And Microsoft is going to face more and more
users who are on dual platforms, who won't see any reason to upgrade
once they see that Firefox offers the pop-up blocker and other
features they'd have to pay for in IE. But most consumers don't
download anything if they can avoid it."
