It has been over two weeks now since Microsoft support for Windows XP expired. So far, the world as we know it has not come to a grinding halt for Windows XP users, but that isn’t a reason to let your guard down—it’s really just a matter of time. With hundreds of millions of Windows XP systems still in use by businesses, government agencies, and individuals around the world, maybe Microsoft should make the operating system open source and let developers take over.
When May 13 rolls around, things might start to look different. Many XP users viewed April 8 as some sort of “Y2K” event—as if their PCs would either stop working properly on April 9, or it was all just a bunch of needless hysteria. Stay calm and XP on.
The reality is that April 8 was just the beginning of the end, not the end itself. Where Y2K was a single event, and even the Heartbleed vulnerability that has gotten so much attention lately was a single vulnerability, Windows XP is an open wound that will never be patched. From April 8 forward, every vulnerability discovered in Windows XP will be a “zero day” vulnerability, and there won’t be any lifeline coming from Microsoft to help protect you from it.
Some are suggesting that a “black market” will emerge for Windows XP patches. That may very well be true. Just as attackers can reverse-engineer the patches Microsoft releases for the supported versions of Windows and find out where the vulnerability is to exploit it in Windows XP, independent developers could reverse-engineer those patches to find the vulnerabilities and create a patch to protect Windows XP.
Ensuring the integrity and stability of the rogue patches, however, and safely distributing and applying them might present a problem. That’s where an open source community might come in handy.
If the source code for Windows XP were open source, independent security researchers and developers would be able to proactively analyze it to find and fix flaws rather than waiting for discovered vulnerabilities to be patched by Microsoft. If Microsoft were to sponsor or coordinate that effort—or even just cooperate—the open source community could be given early access to vulnerability data so that patches could be developed for XP in parallel with the supported operating systems, and released simultaneously along with the monthly Patch Tuesday security bulletins.
Of course, there are some very good reasons not to make Windows XP open source as well.
Craig Young, a security researcher with Tripwire, explains that opening the source code would almost certainly lead to an influx of vulnerability discoveries in Windows XP—as well as newer Microsoft operating systems that share the same code base. Whether that is a good or bad thing depends entirely on the morals and motives of the person identifying the vulnerability.
Young also expressed concern that open source Windows XP patches would themselves quickly become a popular method of exploiting and compromising Windows XP systems. “XP open source patches would be significantly different than Linux in that the people supplying the patches would not have any significant incentive to deliver quality software. Installing malicious patches would be very easy for XP users and the consequences could have very serious security implications.”
In fact, not everyone is gung ho about putting XP on continued life support. Some—especially in the security community—would like to just bury the OS and remember it fondly.
“I sincerely hope that those demanding continued support or that the XP source be released fall into the category of the vocal few,” declared Tyler Reguly, security research manager at Tripwire. “No mainstream consumer OS has ever been supported as long as Windows XP has been. If you look at server platforms, even Solaris 8 and AIX 5 (both of which were released after XP) are already past their end-of-life dates. Apple released OS X 10.6 (Snow Leopard) in 2009 and dropped support for the OS roughly 4.5 years later. This is less than half of the 12 years Microsoft has supported XP.”
Andrew Storms, senior director of DevOps for CloudPassage, is pretty sure pigs will need air traffic controllers before Microsoft will make Windows XP open source. “This would set a precedent for all past and future end-of-life Microsoft products and surely it’s not likely that a commercial software company is going to suddenly feel generous. Not to mention I’m certain they would not feel like opening the kimono for all their dirty laundry of old code to be seen by the entire world.”
Storms has a better idea than trying to figure out how to continue patching Windows XP. “Let’s spend all these fruitless efforts of trying to hold on to XP on something else—like helping people upgrade.”
That is sage advice. Don’t hold your breath waiting for Microsoft to make Windows XP open source, but—by all means—if you would welcome making XP open source you should just migrate to an open source operating system. The net result will be essentially the same anyway. Switch to one of the multitude of Linux variants, and you can keep using your existing hardware, and upgrade to a more secure operating system that is still supported by an open source community.