A decade ago, Microsoft kicked off SDL, or Security Development Lifecycle, a now-widely-adopted process designed to bake security into software, and began building what has become an unmatched reputation in how a vendor writes more secure code, keeps customers informed about security issues, and backs that up with regular patches.
But the Redmond, Wash., company, which just touted SDL's 10-year history with a flashy, anecdote-filled online presentation, seems willing to risk torching that hard-won reputation by pulling the plug on Windows XP.
Microsoft plans to ship the final public patches for Windows XP on April 8. After that, it will not deliver fixes for security vulnerabilities it and others find in the 13-year-old operating system.
The result, even Microsoft has said, could be devastating. Last October, the company said that after April 8, Windows XP would face a future where machines are infected at a rate 66% higher than before patches stopped.
"After April 8, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Tim Rains, director of Microsoft's Trustworthy Computing group. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."
Microsoft has justified its stoppage of Windows XP patches by reminding everyone that it has supported the OS longer than any other, which is true: Its normal practice is to patch an operating system for 10 years. And it has argued that Windows XP is old, outdated software that is less secure than its newer operating systems: Windows 7, Windows 8 and Windows 8.1.
The problem that Microsoft has only occasionally touched on is that Windows XP powers a massive number of personal computers around the world. According to Internet measurement company Net Applications, 29.5% of the globe's PCs ran XP in February. Using estimates of the number of Windows PCs now in operation, that "user share" translates into approximately 488 million systems.
Four hundred and eighty-eight million.
If every PC sold in the next 12 months were one destined to replace an existing Windows XP system, it would take more than a year and a half -- about 20 months -- to eradicate XP. Windows XP isn't going anywhere.
Even if one discounts the 70% of the approximately 300 million XP machines in China that are not regularly updated with existing patches -- the 70% statistic comes from Microsoft -- that still leaves 278 million machines.
Microsoft has never faced this situation before, with a soon-to-be-retired OS running a third of all the Windows PCs worldwide. So on one hand it's not surprising that it has stuck to its guns, and is pushing XP into the sunset and forgetting it.
But by doing that, it could hurt itself as much as the customers who end up with an infected XP system.
There's the real possibility that large-scale infections of Windows XP will paint the Windows brand as insecure, fulfilling the implicit prophecy the company made late last year. To most people, Windows is Windows is Windows, with no distinction between XP and the newest, locked-down 8.1. And for those people, Windows is Microsoft because it's the best known of the company's software.
So if post-April headlines appear that shout, "Windows under massive attack," Microsoft's reassurances that the bug can be exploited only on XP, that newer editions of Windows are safe to use, will be lost amidst the noise.
Outside its own software, Microsoft has other reasons for worry. As the company has often said, it's not just Windows that it must keep secure, it's the entire Windows ecosystem, the gamut of software that runs on the platform. A bug in a third-party program, such as Adobe's like-a-sieve Flash Player, which has had to be patched 18 times in the face of ongoing attacks since 2010, reflects poorly not just on Adobe but also on Microsoft. That's because Windows powers 90% of the world's PCs.
That's one reason why Microsoft has reached out to third-party developers -- Adobe being just one -- to help them craft their own SDL-like processes, a fact last week's retrospective trumpeted when it said its SDL guidance had been downloaded more than 1 million times since 2008.
Co-founder and former CEO Bill Gates made the connection in an all-company email he sent in January 2002, the call-to-action memorandum that ultimately led to SDL. "Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create," Gates said. "Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving 'five-nines' availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services (emphasis added)."