Microsoft: To secure IE, upgrade to XP

Affirms plan to make browser upgrades available only through XP updates, while half the Windows world operates with older OSes.

If you're one of about 200 million people using older versions of Windows and you want the latest security enhancements to Internet Explorer, get your credit card ready.

Microsoft this week reiterated that it would keep the new version of Microsoft's IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2. The upgrade to XP from any previous Windows versions is $99 when ordered from Microsoft. Starting from scratch, the operating system costs $199.

News.context

What's new:
People using older versions of Windows can't get an important security update to the Internet Explorer browser without paying for an XP upgrade.

Bottom line:
Microsoft's policy could drive XP upgrades, but it also risks alienating Web surfers and prompting them to turn to free alternatives such as Firefox.

More stories on this topic

That, analysts say, is a steep price to pay to secure a browser that swept the market as a free, standalone product.

"It's a problem that people should have to pay for a whole OS upgrade to get a safe browser," said Michael Cherry, analyst with Directions on Microsoft in Redmond, Wash. "It does look like a certain amount of this is to encourage upgrade to XP."

Microsoft affirmed that its recent security improvements to IE would be made available only to XP users.

"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement. "The most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible."

The Internet's security mess has proved profitable for many companies , particularly antivirus firms . Microsoft has declared security job No. 1 .

By refusing to offer IE's security upgrades to users of older operating systems except through paid upgrades to XP, Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point.

That lemonade comes in the midst of a painfully dry spell for the company's operating system business.

Three years have passed since Microsoft introduced its last new operating system, and its upcoming release, code-named Longhorn, has been plagued by delays. Microsoft last month scaled back technical ambitions for Longhorn in order to meet a 2006 deadline.

While Wall Street anxiously awaits an operating system release that can produce revenues until Longhorn appears, Microsoft is eyeing the nearly half of the world's 390 million Windows users who have opted to stick with operating systems older than XP, including Windows versions 2000, ME, 98 and 95.

"Ancient history"
Microsoft denied it was deliberately capitalizing on the Internet's security woes to stimulate demand for XP.

"Microsoft is not using security issues or any security situation to try to drive upgrades," said a company representative. "But it only makes sense that the latest products are the most secure."

Microsoft has maintained that the browser is part of the operating system, a point of contention in its antitrust battle with the U.S. government .

Last year, the company ruled out future releases of IE as a standalone product. This week, the company reiterated that stance.

"IE has been a part of the operating system since its release," said the Microsoft representative. "IE is a feature of Windows."

When asked about IE's origin as a free, standalone product, the representative said, "You're talking in software terms that might be considered ancient history."

Microsoft promised "ongoing security updates" for all supported versions of Windows and IE.

The ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month . Those include a new pop-up blocker and a new system of handling ActiveX controls and downloaded content.

And it's those more substantial changes, rather than the bug fixes that come with routine upgrades for supported products, that security organizations have lauded for addressing IE's graver security concerns.

Now it's unclear whether even half the Windows world will have access to the shored up IE.

"It's particularly bothersome if a product is in mainstream support, because what does mainstream support mean then?" said Directions on Microsoft's Cherry.

Microsoft currently commands about 94 percent of the worldwide operating system market measured by software shipments, according to IDC. (That number factors in revenue-producing copies of the open-source Linux operating system, but not free ones).

Of Microsoft's approximately 390 million operating system installations around the world, Windows XP Pro constitutes 26.1 percent, Windows XP Home 24.7 percent, IDC said.

The remaining 49.2 percent is composed of Windows 2000 Professional (17.5 percent), Windows 98 (14.9 percent), Windows ME (6.5 percent), Windows 95 (5.4 percent), and Windows NT Workstation (4.9 percent).

That 49.2 percent of Windows users are left out in the cold when it comes to significant updates to IE and other software .

People running Internet Explorer without SP2 face an array of security scenarios, many of them linked to lax security associated with the ActiveX API , or application programming interface.

SP2 also brought IE up to date with its competitors with a robust pop-up blocker.

"Although I can understand the reasons why Microsoft would like to simplify its internal processes, I'm not in favor of bundling security patches, bug fixes and new features into one package," said IDC Vice President Dan Kusnetsky. "Organizations wanting only security-related updates or just a specific new feature are forced to make an all-or-nothing choice."

Firefox in the hunt
While organizations and individuals weigh the merits of all and nothing with respect to Windows and IE, a competing open-source browser may benefit from Microsoft's decision to reserve SP2's browser upgrades for XP users.

The Mozilla Foundation's Firefox browser is potentially eroding Microsoft's overwhelming market share even prior to its final version 1.0 release. Last week's release of the first preview release of Firefox 1.0 blew past its 10-day goal of 1 million downloads in just more than 4 days.

Firefox, Apple Computer's Safari browser and Opera Software's desktop browser together command a mere sliver of market share. But features such as tabbed browsing and earlier adoption of pop-up controls have won them adherents among potentially influential early adopters and technology buffs.

Even some Microsoft bloggers have admitted to liking Firefox.

With Longhorn still years away, Microsoft is feeling the heat to produce a browser.

That heat has come in many forms, from grassroots campaigns by Web developers urging people to switch from IE to Firefox and other alternatives, to Mozilla's own marketing push, to a steady drumbeat of lacerating Web log and newsgroup posts decrying IE's years of stagnation .

"I've always wondered what the problem is with the IE team," one respondent wrote in a feedback thread on IE evangelist Dave Massy's blog. "I mean, it's just a browser. You need to render a page based on well-documented standards...and that's it! You've opted to not have tabbed browsing or any other personalization. It's just a window shell and the browser content...I wonder if there are only like four people who work on IE or something? I seriously don't get it."

Massy and others have defended the company by explaining that recent development efforts have been geared at security improvements.

A representative for Firefox, which will face security scrutiny of its own should it make good on its competitive threat to IE, said any pressure it was exerting on Microsoft to update IE was evidence of its success.

"IE users need all the help they can get," said Mozilla Foundation spokesman Bart Decrem. "And we're trying to help them. If Microsoft will help them, all the better. At the end of the day, the mission of the Mozilla Foundation is to provide meaningful choice, and the reason there hasn't been a lot of innovation from the dominant provider is because of their monopoly position. So if they are forced to innovate and respond to the success of Firefox, we are achieving our mission."

Some analysts say Microsoft's reluctance to issue SP2's browser security features to non-XP users has as much to do with being shorthanded as wanting to drive XP adoption.

"Their main focus now is on Longhorn IE," said Matt Rosoff, another analyst with Directions on Microsoft. "It's a staffing and a cost issue."

Rosoff agreed that Firefox and other second-tier browsers might benefit from Microsoft's IE distribution policies, but he noted that the vast majority of consumers are far less likely to download a browser than the typical Firefox early adopter.

"From a consumer standpoint, I think evaluating other browsers makes sense," Rosoff said. "And Microsoft is going to face more and more users who are on dual platforms, who won't see any reason to upgrade once they see that Firefox offers the pop-up blocker and other features they'd have to pay for in IE. But most consumers don't download anything if they can avoid it."

 

Discuss Microsoft: To secure IE, upgrade to XP

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Articles from CNET
NASA spots nearest rocky super-Earth at just 21 light-years away