It's always fun to stand and watch as two big names slug it out, and they don't come much bigger than Microsoft. Sophos, it has to be said, is no small fry either when it comes to the world of IT security. So when a Sophos blog posting from its Chief Technology Officer, Richard Jacobs, opened with the playground-taunt equivalent of 'I've been kissing your mum' by saying "Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colours of the OS giant", you kind of knew things would get nasty, and quickly. Jacobs continued his verbal assault on Microsoft and Windows 7 by adding "XP mode reminds us all that security will never be Microsoft's first priority. They'll do enough security to ensure that security concerns aren't a barrier to sales, but not so much that it gets in the way of progress". Ooh, a little below the belt perhaps?
That's certainly what the Chief Security Advisor for Microsoft in the EMEA region, Roger Halbheer, thought. Halbheer responded with a blog posting entitled 'Why Windows 7 XP Mode makes sense from a security perspective' and argued "I know of companies that have decided to stay with XP and not move to Windows Vista because of concerns over compatibility issues with other applications they run. Their systems no doubt run, but they are depriving themselves of security and privacy enhancements designed to cope with modern threats – bear in mind that XP was designed in 2001 to cope with the threats back then – threats which changed significantly over the last eight years! The impact of Windows Vista as a secure platform is significant, and Windows 7 will build on that foundation", concluding "Which risk is higher? Leaving our customers on an 8-10 year old operating system for another few years, or helping them to migrate to a modern one, accepting the drawback with XP Mode? With XP Mode, we could have helped my friend above without actually having to force him to run a PC just for the sake of this single application!".
So whose side am I on in this particular security fist fight? I think I am veering towards the Sophos position, it has to be said. After all, everything that Halbheer has argued hangs on the use of XP Mode being a strictly temporary move, with a strategy to migrate away from it already in place. As Halbheer himself admits in the comments section of his blog, responding to a reader called 'Stuck in the Mud' who thinks that "in the majority of cases that temporary thing becomes part of established infrastructure", his biggest fear is just that. Halbheer admits "Windows XP will go out of support 8.4.2014 according to http://support.microsoft.com/lifecycle/?p1=3223. This is the point where you will not get any security updates anymore... And this scares me".
Guess what Roger, you are not alone!