Following Microsoft Corp.’s announcement this week that it will move more quickly to retire old code in its Windows operating systems, industry analysts have been left wondering how it will affect users’ legacy applications, as well as security.
Steve Lipner, director of security assurance for Microsoft, said in published reports that Microsoft will ax old Windows code if it poses security problems.
Lipner was not available for an interview but a Microsoft spokesman confirmed the statement and added that they will “look to retire legacy code” as part of the software giant’s four-month-old Trustworthy Computing initiative.
With no word on when the code fixes will come or how they will be distributed to users, industry watchers are left wondering what Microsoft’s latest move will mean.
“It’s hard to tell what will happen,” says Dan Kusnetzky, vice president of system software research at IDC, an analyst firm based in Framingham, Mass. “But it’s clear that older versions of Windows didn’t make security a priority. It was there but it was not a priority. The code was written to make it work.”
Each new version of Windows has been part of an evolutionary process — the newer version growing out of the code base from the last version. There are an estimated 8 million to 10 million lines of code in Windows 2000. That’s compared to about 4 million to 5 million in Windows 95. That means the latest versions are not only bulkier than their predecessors but they carry around a lot of the code that was written four, five or even eight years ago.
Added to the equation is the fact that earlier this year, Microsoft Chairman Bill Gates kicked off his Trustworthy Computing agenda, prioritizing improved security above new features. The announcement, however, has been followed by a myriad of vulnerability announcements and the resulting criticisms that the company isn’t doing enough fast enough.
Then about a week ago, Microsoft warned users of a security vulnerability in Internet Explorer that was based in old code for a protocol now rarely used. Lipner’s announcement came soon after.
“Why did it take them this long to strengthen the operating system?” asks Kusnetzky. “It’s one of the steps that has to be undertaken. Every aspect has to be examined for vulnerabilities.”
Peter Kastner, chief research officer for Boston-based Aberdeen Group, Inc., says this is a step that Microsoft simply has to take.
“I think it’s the only answer they could give and still be true to the mantra of, ‘If we find security-prone problems in our code, we will fix it,’” says Kastner. “Code, which otherwise would be considered working, is now being ripped out because it may have fundamental security flaws which cannot be patched. The security flaw was designed in.”
The old code, however, is often present in new releases because it supports old applications. If the old code is removed, how will that affect companies still running business-critical legacy applications?
Laura DiDio, a senior analyst at Boston-based Yankee Group, says it could all be confusing to IT managers who may be dealing with reduced budgets and fewer workers on staff.
“What happens to functionality?” says DiDio. “You put on a service pack or a security patch and sometimes the install creates problems that didn’t exist before. IT has enough to worry about…I have doubts about the results.”
And this could affect millions of U.S. businesses since analysts say more companies are running older versions of Windows than the latest release. Tens of millions are still using Windows 9x, including millions who are still on Windows 95, according to Kastner, who adds that Microsoft will say they’ve been advising enterprise customers for years to move to Windows NT — based on newer 32-bit code.
But despite the headaches it may pose, IDC’s Kusnetzky says retiring the old code still makes sense.
“What will have trouble and what won’t depends on what Microsoft finds and what replaces the legacy code,” says Kusnetzky. “If the new code operates the same way, old applications may still work. It’s hard to say at this point.”
But he also points out that IT administrators would be smart to protect themselves ahead of time.
“I certainly would have an inventory of old applications,” Kusnetzky adds, “and be prepared with alternatives in case those applications no longer function.”