It's always fun to stand and watch as two big names slug it out, and they don't come much bigger than Microsoft. Sophos, it has to be said, is no small fry either when it comes to the world of IT security. So when a Sophos blog posting from its Chief Technology Officer, Richard Jacobs, started with the playground taunt equivalent of 'I've been kissing your mum' by saying "Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colours of the OS giant", you kind of knew things would get nasty, and quick. Jacobs continued his verbal assault on Microsoft and Windows 7 by adding "XP mode reminds us all that security will never be Microsoft's first priority. They'll do enough security to ensure that security concerns aren't a barrier to sales, but not so much that it gets in the way of progress". Ooh, a little below the belt perhaps?

That's certainly what the Chief Security Advisor for Microsoft in the EMEA region, Roger Halbheer, thought. Halbheer responded with a blog posting entitled 'Why Windows 7 XP Mode makes sense from a security perspective' and argued "I know of companies that have decided to stay with XP and not move to Windows Vista because of concerns over compatibility issues with other applications they run. Their systems no doubt run, but they are depriving themselves of security and privacy enhancements designed to cope with modern threats – bear in mind that XP was designed in 2001 to cope with the threats back then – threats which changed significantly over the last eight years! The impact of Windows Vista as a secure platform is significant, and Windows 7 will build on that foundation", concluding "Which risk is higher? Leaving our customers on an 8-10 year old operating system for another few years, or helping them to migrate to a modern one, accepting the drawback with XP Mode? With XP Mode, we could have helped my friend above without actually having to force him to run a PC just for the sake of this single application!".

So whose side am I on in this particular security fist fight? I think I am veering towards the Sophos position, it has to be said. After all, everything that Halbheer has argued hangs on the use of XP mode being a strictly temporary move, with a strategy to migrate away from it already in place. As Halbheer himself admits in the comments section of his blog, responding to a reader called 'Stuck in the Mud' who thinks that "in the majority of cases that temporary thing becomes part of established infrastructure", his biggest fear is just that. Halbheer admits "Windows XP will go out of support 8.4.2014 according to http://support.microsoft.com/lifecycle/?p1=3223. This is the point where you will not get any security updates anymore... And this scares me".

Guess what Roger, you are not alone!

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

I always thought loading something on a virtual machine is safer if you want to run a program that might be infected with viruses.

The Sophos/Jacobs argument is "The problem is that Microsoft are not providing management around the XP mode virtual machine (VM). This creates the potential for a security disaster. XP mode is an independent Windows instance, that shares the odd folder and device with the host Windows 7 installation. What it doesn't share is processes and memory. So it doesn't share security settings, security software, patches etc. It does not inherit any security from the host."
