Security Watch

Cooper on Business Adoption of Windows Vista

Unlike Microsoft's research into the matter, our resident security professional sees more obstacles that can hinder Vista adoption by businesses.

Over the past several months, several media outlets (InformationWeek, CNET and Redmond Channel Partner, to name a few) have reported on Microsoft's claims that sales of Vista far exceed those of the last business OS they created, Windows 2000. As a security professional, I've got six reasons to be not so optimistic:

1. If you remember the release of Windows 2000 Professional, you'll likely remember just how difficult it was to get it to run on a desktop. Chances are, you were upgrading from Windows 95 or Windows 98, not Windows NT. It meant you needed to get applications that were aware of user accounts and an entirely different environment than what you had been running on.

These problems are equally true for Vista. However, what Microsoft is nicely overlooking is the release of Windows XP Professional, specifically targeted at business users who were fed up with running Windows 9x because they couldn't get their environment running on Windows 2000 Professional, or didn't like how Windows 2000 Professional ran on their laptops. Windows XP Professional was the last OS targeted at businesses, not Windows 2000 as Microsoft would like InformationWeek to believe.

I can almost guarantee that businesses' adoption of Windows XP Professional was considerably faster than adoption of Vista has been, or is ever likely to be. But then, making that comparison wouldn't send the message that Microsoft's PR machines would like sent about Vista, would it?

2. Microsoft Select licensing renewals have nothing to do with what is being installed on systems. Licenses are annual, and so must be renewed or removed from systems. One thing definitely worth noting is that by renewing their Select licenses, Select customers can continue to use their Windows XP Professional SP2 DVDs to install new systems -- or have OEMs use the Select customer's custom builds on new equipment shipped and avoid having to receive Vista-laden systems (which they'd have to re-install to make functional with the rest of their environment).

3. As for Gartner and IDC predictions about the end of the year that InformationWeek writes about...well, those firms have been wrong before. Their speculation has to consider the independent software vendors making Vista versions available. Right now, there's far more smoke than mirrors when it comes to Vista versions. A lot of ISVs are saying they'll have a Vista version or that they can run on Vista now. What they don't say is what you have to do in order to use their products on Vista (such as "Run as Administrator") or to what extent those versions are really "Vista-specific" rather than just "Vista-compatible."

Microsoft is really setting itself up for a fall here. If what we get in ISV Vista versions is a lot of "Vista-compatible," then pretty much all of the hard and good security work Microsoft has put into Vista will go by the wayside. We'll see fulfillment of the speculation that criminals are moving up the stack because, with the operating system and browser hardened, the applications are going to stand out like neon signs as targets. If I can't get my criminal code installed by you double-clicking on an e-mail attachment, I'll just have to make my malware look like a cool new thing and get you to run its setup program.

But if Microsoft reserved its Vista logo only for applications that were recoded to appropriately take advantage of Vista's capabilities, there'd be little Vista-logo'd -- ergo, no stampede to Vista.

4. When Microsoft did its pre-release survey of "excitedness," everyone thought there were going to be Vista-specific versions of their ISV applications available in a reasonable timeframe. I'd love to know just how excited people are now; I know that my excitement has abated.

5. As for Microsoft making progress on fixes and new drivers, the reason there aren't that many blog posts is that there aren't that many people looking at this stuff. If, when I was testing Vista for deployment in my organization, I realized there were no printer drivers for any of my corporate printers, would you expect me to be checking blog entries for updates? I keep checking HP's site to find out whether my 1-year-old printer now has a Vista driver. I've checked about 15 times so far since November and it still says, "It's on the list of printers we're going to make a driver for, but it's not there yet."

Can you imagine basing your deployment of a new desktop operating system on the availability of compatible products? Try explaining to your manager that you're spending x-hours every week trying to find updates to your existing applications so they'll work on Vista. The manager is going to say, "Well, let's just put that on the back burner for now and let the ISVs catch up."

6. Finally, as I've mentioned several times before, people are going to Vista from Windows XP. What's wrong with Windows XP? For the most part, nothing! Vista, itself, has little attraction -- though, with applications that use its new security features, it should have a huge attraction. But if ISVs were serious about writing secure applications, they would have done it long before now. And since they didn't do it during the six years that Windows XP has been around, why should we expect them to do it now that Vista is here?

If you were going to rewrite your applications to take advantage of Vista's security features, why would you? If you don't do a similar rewrite for Windows XP, then all of your existing customers are going to complain that the version you've left them with has huge deficiencies! If you do create a new Windows XP version, who are you leaving out in the cold? Most of your customers are still running Windows XP, and will be very happy to hear they've got an improved version from you.

This column was originally published in our weekly Security Watch newsletter.

So, in conclusion, you see how this is very "chicken and the egg." Which comes first -- Vista deployment demanding Vista-specific ISV versions, or Vista-specific ISV versions hoping people will deploy Vista to take advantage of their new security improvements?

I'm of the opinion that neither is going to happen. My bet is that we're waiting for either licensing changes from Microsoft over Select customers, or some new killer application that is only available on Vista (and which has no existing Windows XP customers). The licensing changes are extremely unlikely, given the back-pedaling Microsoft has already done with OEMs. So can you imagine a killer business application that won't be made available for Windows XP users? Neither can I.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
