In a world where computer security and internet privacy are critical issues, one of the biggest problems we have is the continued use of Windows XP. Fortunately there is progress in replacing Windows XP, with it being used on less than a third of PCs here in the United States. The story is not as good worldwide, where Windows XP is still used on almost half of all PCs. So let’s explore why Windows XP should aggressively be abandoned.
Windows XP was a well-received operating system, and it seems that both users and organizations love it. Not with passion, but with a reverence for doing exactly what they needed it to do. Unfortunately, Windows XP was not designed for the modern Internet threat environment. The design for a merged desktop operating system (combining the full consumer experience and compatibility of Windows 95 with the modern underpinnings of Windows NT) started in 1996 under the banner NT 5. Microsoft couldn’t quite get all the compatibility work done in a single release, so NT 5 was released as Windows 2000, with the Professional edition targeting business desktops. Microsoft then did a quick turnaround release, internally NT 5.1, to finish the compatibility work and bring NT technology to the mainstream. NT 5.1 was released as Windows XP.
It is hard to imagine it, but 1996 is just one year after the Internet was fully transitioned to a commercial endeavor. In 1996 the Internet was a fairly safe place, and it wasn’t until 1999 that we started to see the Internet used to spread malware. And it wasn’t until 2001, after Windows XP was completed, that we saw the explosion in malware that exploits flaws in the operating system. And so Windows XP was unprepared for the threat environment into which it was introduced. As the attacks mounted, Microsoft was forced to pause development of the next version of Windows (“Longhorn”, which would eventually ship as Vista) while it revised its development processes to focus on security (what is now known as the Security Development Lifecycle) and undertook a complete security review of Windows XP. This resulted in Microsoft fixing hundreds of potential Windows XP security issues in Windows XP Service Pack 2 (SP2). But what Microsoft couldn’t do in SP2 was alter the basic design of Windows XP, so those security changes were deferred to Windows Vista.
The single biggest problem with security in Windows XP is the result of its work to maintain compatibility with the Windows 95 family and earlier operating systems. Because those operating systems were built as single-user systems, there was never a notion of separating normal use from administrative use, and many applications took advantage of this. Windows NT did have the notion of giving users different permissions, but if you tried to use this feature then you found many applications wouldn’t run. For example, from personal experience I know that some Intuit products still needed administrative permission as late as 2006. So when Windows XP was released in 2001 it was necessary for Microsoft to give all users full administrative permissions by default in order to retain the highest level of compatibility with Windows 95/98/98SE/ME. This means any application you run on Windows XP can modify the system as though it were the system administrator. Malware takes advantage of this to modify system files, the registry, etc.
In Windows Vista Microsoft came up with a solution to the problem of always running as an administrator. It would run all applications without administrative privileges, and then if the application needed to run as an administrator it would ask the user to give the ok. The idea behind this design was that if the user was running a well-known application then they would ok the use of administrative privileges whereas if they didn’t really trust the application (such as something they just downloaded over the Internet, or was contained as an attachment in an email) they would say no to giving the privileges. This is the feature known as User Account Control (UAC). Sadly in its first incarnation UAC would result in far too many prompts and was one of the reasons that Windows Vista was poorly accepted. However, in Windows 7 UAC was refined so that users now find it to not be a burden. (And if the rumors about Windows 8 use of Reputation are true then a UAC prompt would only occur when the safety of the application is suspect.)
UAC, by itself, is a reason to dump Windows XP and move to Windows 7. There is a vast amount of malware out there that requires administrative privileges and thus will cause damage on a Windows XP machine but do no harm on Windows Vista or Windows 7.
The list of security design changes introduced in Windows Vista, and further refined in Windows 7, is long (and I’m not going to go over them all). Application Isolation features let browsers such as Internet Explorer 7 (and later) and Google Chrome implement a “protected mode” where browser windows operate in a sandbox that limits the damage they can do. This is likely one of the key reasons that the new Internet Explorer 9 won’t run on Windows XP. The more Internet Explorer tries to take advantage of the secure environment provided by Windows 7 (and Windows Vista), the harder it is to keep Internet Explorer running on Windows XP. I think the team finally said “hey, if we really want to focus on security then let’s only run on secure operating systems”.
Other features such as DEP, ASLR, and a host of hardening features in the 64-bit version of Windows (which everyone should be using when they install on a new machine) make it very difficult for malware to infect systems. Some of these, for example DEP, have their roots all the way back in Windows XP SP2. But while DEP was first introduced in SP2, its use has been ramped up over time so that in a Windows 7 64-bit environment it is always on, whereas in Windows XP SP2 it was rarely turned on due to compatibility issues.
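As an added check that is not part of the original post, the following PowerShell snippet reports whether the two defences discussed above, UAC and DEP, are actually in force on the machine it runs on (Vista or later; Windows XP has no UAC keys). The registry path and the Win32_OperatingSystem properties are standard Windows names; the meaning of each value is given in the comments.

```powershell
# Added example: audit UAC and DEP posture. Run in an elevated Windows PowerShell
# (3.0 or later, for Get-CimInstance) on Windows Vista / 7 or newer.

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # EnableLUA = 1: UAC on. 0 (or missing, as on XP): every program an
    # administrator runs already has full control of the system.
    [pscustomobject]@{
        Enabled             = ($p.EnableLUA -eq 1)
        # ConsentPromptBehaviorAdmin: 0 = elevate silently (no prompt),
        # 2 = always prompt on the secure desktop (Vista default),
        # 5 = prompt only for non-Windows binaries (Windows 7 default).
        AdminPromptBehavior = $p.ConsentPromptBehaviorAdmin
    }
}

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (only Windows services and opted-in programs protected),
    # 3 OptOut (everything protected except explicit exceptions).
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareSupported = $os.DataExecutionPrevention_Available
        Policy            = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Is64Bit           = [Environment]::Is64BitOperatingSystem
    }
}

$uac = Get-UacStatus
$dep = Get-DepStatus

if (-not $uac.Enabled) {
    Write-Warning 'UAC is disabled: this machine behaves like XP, every program runs as administrator.'
} elseif ($uac.AdminPromptBehavior -eq 0) {
    Write-Warning 'UAC elevates silently: the consent prompt never appears, so it protects nothing.'
}
if ($dep.Policy -eq 'OptIn') {
    Write-Warning 'DEP is OptIn: most applications run unprotected. Switch with: bcdedit /set nx OptOut'
} elseif ($dep.Policy -eq 'AlwaysOff') {
    Write-Warning 'DEP is off for every process.'
}

$uac, $dep | Format-List
```

Changing the DEP policy with bcdedit takes effect after a reboot; 64-bit processes are always protected regardless of the policy, which is part of why the post recommends the 64-bit edition.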
The results of Microsoft’s focus on security in Windows Vista and Windows 7 show. Consider this quote from SIRv9: “Windows 7 has consistently had a lower infection rate over the past four quarters than versions of Windows Vista, which have consistently had lower infection rates than versions of Windows XP since the original release of Windows Vista in 2006.”
Of course in addition to all these design improvements that enhance security the newer Windows versions introduce many new security features. Many of these are targeted at enterprise users, and others are used under the covers. For example, if you run the latest version of Microsoft’s Security Essentials on Windows 7 then it uses the new Windows Filtering Platform to let it block malware at the network level.
The key takeaway here is that Windows XP was not designed for, and is inappropriate for, today’s Internet threat environment. Moving away from Windows XP makes you and the entire Internet a safer place. Newer Microsoft offerings, particularly Windows 7, are designed for the modern threat environment. So is the latest version of Mac OS X. What are you waiting for?