Cooper on Business Adoption of Windows Vista
Unlike Microsoft's research into the matter, our resident security professional sees more obstacles that can hinder Vista adoption by businesses.
Over the past several months, several media outlets (InformationWeek and Redmond Channel Partner, to name a few) have reported on Microsoft's claims that sales of Vista far exceed those of the last business OS they created, Windows 2000. As a security professional, I've got six reasons to be not so optimistic:
1. If you remember the release of Windows 2000 Professional, you'll
likely remember just how difficult it was to get it to run on a desktop. Chances
are, you were upgrading from Windows 95 or Windows 98, not Windows NT. It meant
you needed to get applications that were aware of user accounts and an entirely
different environment than what you had been running on.
These problems are equally true for Vista. However, what Microsoft is nicely
overlooking is the release of Windows XP Professional, specifically targeted
at business users who were fed up with running Windows 9x because they couldn't
get their environment running on Windows 2000 Professional, or didn't like how
Windows 2000 Professional ran on their laptops. Windows XP Professional was
the last OS targeted at businesses, not Windows 2000 as Microsoft would like
InformationWeek to believe.
I can almost guarantee that businesses' adoption of Windows XP Professional
was considerably faster than adoption of Vista has been, or is ever likely to
be. But then, making that comparison wouldn't send the message that Microsoft's
PR machines would like sent about Vista, would it?
2. Microsoft Select licensing renewals have nothing to do with what
is being installed on systems. Licenses are annual, and so must be renewed or
removed from systems. One thing definitely worth noting is that by renewing
their Select licenses, Select customers can continue to use their Windows XP
Professional SP2 DVDs to install new systems -- or have OEMs use the Select
customer's custom builds on new equipment shipped and avoid having to receive
Vista-laden systems (which they'd have to re-install to make functional with
the rest of their environment.)
3. As for Gartner and IDC predictions about the end of the year that
InformationWeek writes about...well, those firms have been wrong before.
Their speculation has to consider the independent software vendors making Vista
versions available. Right now, there's far more smoke than mirrors when it comes
to Vista versions. A lot of ISVs are saying they'll have a Vista version or
that they can run on Vista now. What they don't say is what you have to do in
order to use their products on Vista (such as "Run as Administrator")
or to what extent those versions are really "Vista-specific" rather
than just "Vista-compatible."
Microsoft is really setting itself up for a fall here. If what we get in ISV
Vista versions is a lot of "Vista-compatible," then pretty much all
of the hard and good security work Microsoft has put into Vista will go by the
wayside. We'll see fulfillment of the speculation that criminals are moving
up the stack because, with the operating system and browser hardened, the applications
are going to stand out like neon signs as targets. If I can't get my criminal
code installed by you double-clicking on an e-mail attachment, I'll just have
to make my malware look like a cool new thing and get you to run its setup program.
But if Microsoft reserved its Vista logo only for applications that were recoded
to appropriately take advantage of Vista's capabilities, there'd be little Vista-logo'd
-- ergo, no stampede to Vista.
4. When Microsoft did its pre-release survey of "excitedness,"
everyone thought there were going to be Vista-specific versions of their ISV
applications available in a reasonable timeframe. I'd love to know just how
excited people are now; I know that my excitement has abated.
5. As for Microsoft making progress on fixes and new drivers, the reason
there aren't that many blog posts is that there aren't that many people looking
at this stuff. If, when I was testing Vista for deployment in my organization,
I realized there were no printer drivers for any of my corporate printers, would
you expect me to be checking blog entries for updates? I keep checking HP's
site to find out whether my 1-year-old printer now has a Vista driver. I've
checked about 15 times so far since November and it still says, "It's on
the list of printers we're going to make a driver for, but it's not there yet."
Can you imagine basing your deployment of a new desktop operating system on
the availability of compatible products? Try explaining to your manager that
you're spending x-hours every week trying to find updates to your existing applications
so they'll work on Vista. The manager is going to say, "Well, let's just
put that on the back burner for now and let the ISVs catch up."
6. Finally, as I've mentioned several times before, people are going
to Vista from Windows XP. What's wrong with Windows XP? For the most part, nothing!
Vista, itself, has little attraction -- though, with applications that use its
new security features, it should have a huge attraction. But if ISVs were serious
about writing secure applications, they would have done it long before now.
And since they didn't do it during the six years that Windows XP has been around,
why should we expect them to do it now that Vista is here?
If you were going to rewrite your applications to take advantage of Vista's
security features, why would you? If you don't do a similar rewrite for Windows
XP, then all of your existing customers are going to complain that the version
you've left them with has huge deficiencies! If you do create a new Windows
XP version, who are you leaving out in the cold? Most of your customers are
still running Windows XP, and will be very happy to hear they've got an improved
version from you.
This column was originally published in our weekly Security Watch newsletter.
So, in conclusion, you see how this is very "chicken and the egg."
Which comes first -- Vista deployment demanding Vista-specific ISV versions,
or Vista-specific ISV versions hoping people will deploy Vista to take advantage
of their new security improvements?
I'm of the opinion that neither is going to happen. My bet is that we're waiting
for either licensing changes from Microsoft over Select customers, or some new
killer application that is only available on Vista (and which has no existing
Windows XP customers). The licensing changes are extremely unlikely, given the
backpedaling Microsoft has already done with OEMs. So can you imagine a killer
business application that won't be made available for Windows XP users? Neither
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.