Steve Lipner, Microsoft's director of security assurance, said in an email interview this week that any old code containing security flaws will be removed and replaced in upcoming releases of Windows .Net Server and Windows XP SP1.
Lipner declined to address the question of whether patches would be issued for other Windows versions currently in use. A Microsoft spokesperson, however, confirmed that for now the only plan is to update new versions of the operating system.
"At some point, software becomes mature, which translates into 'We've moved on, folks, and you should too,'" says Dan Kusnetzky, vice president of system software research at IDC, an industry analyst firm based in Framingham, Mass. "Vendors usually have a cutoff date and after that certain time, software goes into a maintenance mode and they do very little development on it. Windows 98 is four or five years old."
The decision was based on Microsoft's four-month old Trusthworthy Computing initiative, which Chairman Bill Gates said prioritized security over the creation of new features.
Tear Out Troublesome Code
The announcement, however, has been followed by myriad vulnerability announcements and resulting criticism that the company isn't doing enough fast enough.
Now, Microsoft has upped the ante of its security promises by saying it will tear out troublesome code that has climbed the evolutionary ladder from early Windows versions to the latest releases, which are reportedly double in size to their Windows 95 predecessor.
But just as some old coding has hung on through the years, millions of corporate users have hung on just as fiercely to their older versions of Windows. Kusnetzky estimates that there are more than 140 million copies of Windows 98 still in use. And about seven years after it first hit the streets, there are still about 65 million copies of Windows 95 being used in American companies.
And that means more than 200 million corporate users won't be rid of any unsecure code lurking in their systems until they upgrade.
But Kusnetzky points out that they won't be any worse off tomorrow than they were yesterday.
"In terms of computer software, it's ancient," says Kusnetzky. "If they've kept their other software up to date -- virus software, firewall software -- then they're probably in as good a condition as they could hope to be in for software that old. But, obviously, some of the coding in that operating system needs attention."
Gordon Haff, an analyst at Nashua, N.H.-based analyst firm Illuminata, said he's glad that at least the new Windows versions will get that attention and shed some of the problems the operating systems have been carrying around for years.
"The old code wasn't developed with a lot of thought to threats," says Haff. "Windows 2000, actually, did break to a degree from the older code base. But it's still fair to say it's more focused on reliability, stability and scalability than on security specifically."
And Haff noted that the buzz around the delayed release of the Windows .Net server is that a lot of the code is being ripped out and replaced.
"Some of the delays are being laid at the feet of improving security," he added. "I've heard enough from enough different sources that the .Net release is being pushed out to incorporate new code, specifically in the security area."
Windows .Net server now is predicted to ship to manufacturers by the end of this year and hit the market by early in 2003.
Will Changes Affect Legacy Apps?
The removal of the old code has some analysts wondering how the move will affect corporate users' legacy applications, which very well could be using old coding to run.
"Most users will still see a usable system, but some will have to take explicit action to use older code that they require for application compatibility," said Microsoft's Lipner, who added that he's not sure how much code will be removed or replaced. "It's hard to say in terms of numbers or proportion. Some code will be removed from the system. Some will be supplied as separate directories -- not installed by default -- for customers who need it for compatibility. Much will be disabled by default."
Lipner added that he thinks code that is in line to be retired will include older utilities, compatibility packages and code that implements obsolete protocols.