Microsoft: low XP uptake means more security risks

8 Dec 2005

Many businesses and home users still aren’t using the latest version of Windows that Microsoft claims would protect them better from security threats such as worms, viruses and other malicious code, the software company has said.

To date there have been an estimated 220 million downloads of Windows XP Service Pack 2, an version of the company’s desktop operating system that was upgraded to offer improved security. However, Microsoft had expected this figure to be higher.

In Europe, there has been an upgrade rate of 60pc from earlier versions of Windows. “We’re a bit disappointed with the overall uptake of Windows XP Service Pack 2,” Ronny Bjones, security strategist for Microsoft EMEA told

The service pack, which is designed to prevent rogue code such as that found in executable attachments or website popup windows from changing a PC’s settings without the user’s knowledge or consent, was released in August of last year.

Bjones said the goal was to get as many organisations and individuals to upgrade to Windows XP Service Pack 2 as it was more secure than previous version of the operating system. To show how much Microsoft had emphasised security, he said that the work on strengthening XP had taken precedence over other high-profile projects within the company. “We stopped development of Vista [the next version of Windows] because we wanted to bring out a new client product that was so focused on security,” he said.

Bjones urged businesses to implement patches more quickly than they are currently doing, in order to protect their systems. He also defended Microsoft’s programme of scheduled monthly release for software patches instead of launching them as threats are discovered. “Typically an attacker will wait until the industry releases a patch. They then reverse engineer the patch and create an exploit – code that can attack the vulnerability,” he said. “Attackers are betting that customers are taking a long time to patch their systems. From that perspective, it’s better to [release patches] as a controlled process.”

A case in point was the worm that attacked many media organisations during August. Among the high-profile victims were CNN, the New York Times and the Financial Times. Microsoft had issued the patch for the vulnerability that this code exploited a week prior to the attack.

“The person who did this hadn’t attacked the latest technology. It just shows the barrier for script kiddies [people who release malicious code] is higher,” he said.

However, Bjones acknowledged that for large organisations that have a range of different applications, implementing software patches isn’t an easy process. “If you talk to chief information officer you have to see that the subject is more complex than putting Windows XP SP2 on desktops,” he admitted. He pointed out that Microsoft had combined all of the patches for its Exchange, Windows and Office products into a single engine, Windows Update, making the process easier to manage.

He claimed that improvements to the desktop operating system, as well as to Windows Server 2003 were “from a technology point of view a massive step forward”.

By Gordon Smith