MS and Sophos incompatible over Win 7 XP Mode

No eye-gouging, no fish-hooking


A row has broken out between Sophos and Microsoft over the alleged patching and management difficulties posed by Windows 7's XP Mode.

The technology allows XP applications to run in a virtualised environment within Windows 7. This offers backward compatibility with applications but comes at the expense of security, according to Richard Jacobs, Sophos chief technology officer.

By creating an easy migration path from XP to Windows 7, bypassing Vista, Microsoft is creating a potential security disaster, Jacobs argues.

XP mode is an independent Windows instance, that shares the odd folder and device with the host Windows 7 installation. What it doesn't share is processes and memory. So it doesn't share security settings, security software, patches etc. It does not inherit any security from the host.

When you use XP mode, you need to patch the copy of XP as well as the host Windows 7. You need to manage settings separately, configure two personal firewalls and install and manage two copies of anti-malware software.

Jacobs said that the problem is made worse because users don't know how to manage virtual machines on a desktop and because of the lack of tools from Microsoft to handle this process. He concludes that XP Mode "risks undoing much of the progress that Microsoft has made on the security front in the last few years".

The argument provoked a robust response from Roger Halbheer, Microsoft's chief security advisor for EMEA. Halbheer describes XP Mode as a temporary mechanism that allows customers to enjoy the better security benefits of the latest Operating Systems while ensuring application compatibility. He describes it as a pragmatic option, and far better than leaving users with only a forklift upgrade option.

Halbheer concludes: "Which risk is higher? Leaving our customers on an eight to ten year old operating system for another few years, or helping them to migrate to a modern one, accepting the drawback with XP Mode?"

Sophos's Jacobs retorts that simply arguing Windows 7 is more secure than XP, but user still need XP compatibility fails to tackle cost of ownership questions raised by he technology.

"The problem is not with the idea of XP mode, but with the lack of management and the lack of clarity about the costs that users will incur," Jacobs said. "I don’t know many IT departments that will be happy to double their workload and costs in the name of security. They’re much more likely to stick with native XP and sacrifice any of the other benefits that Windows 7 might have delivered."

Microsoft developer James O'Neill responded angrily to Jacobs, saying he has got his facts wrong - especially about the lack of management tools. Larger shops should be using Microsoft Enterprise Desktop virtualization (MEDV) software, he said, adding that standalone XP mode uses is only for small shops. "Windows XP Mode is specifically designed to help small businesses move to Windows 7," O'Neill writes.

"XP mode is just standard virtualization software and a pre-configured VM. You can treat the VM as something to be patched via Windows update or WSUS just like a physical PC.

"You install anti-virus software on it like a physical PC. To manage the VM you use the big brother of XPmode." ®


Other stories you might like

  • Threat and risk specialists signal post-COVID conference season is back on
    Well, we'll see in a week or so

    RSA Conference For the first time in over two years the streets of San Francisco have been filled by attendees at the RSA Conference and it seems that the days of physical cons are back on.

    The security conference trade has been more cautious than most when it comes to getting conferences back up to speed in the COVID years. Almost all cons were virtual with a very limited hybrid-conference season last year, including DEF CON, where masks were taken seriously. People still wanted to mingle and ShmooCon too went ahead, albeit later than usual in March.

    The RSA conference has been going for over 30 years and many security folks love going. There are usually some good talks, it's a chance to meet old friends, and certain pubs host meetups where more constructive work gets done on hard security ideas than a month or so of Zoom calls.

    Continue reading
  • What if ransomware evolved to hit IoT in the enterprise?
    Proof-of-concept lab work demos potential future threat

    Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.

    The security firm's Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.

    In other words: a complete albeit theoretical corporate nightmare.

    Continue reading
  • US cyber chiefs: Moving to Shields Down isn't gonna happen
    Promises new alert notices but warn 'we can sometimes predict thunderstorms but not lightning strikes'

    RSA Conference A heightened state of defensive cyber security posture is the new normal, according to federal cyber security chiefs speaking at the RSA Conference on Tuesday. This requires greater transparency and threat intel sharing between the government and private sector, they added.

    "There'll never be a time when we don't defend ourselves –— especially in cyberspace," National Cyber Director Chris Inglis said, referencing an opinion piece that he and CISA director Jen Easterly published earlier this week that described CISA's Shields Up initiative as the new normal. 

    "Now, we all know that we can't sustain the highest level of alert for an extensive period of time, which is why we're thinking about, number one, what's that relationship that government needs to have with the private sector," Easterly said on the RSA Conference panel with Inglis and National Security Agency (NSA) cybersecurity director Rob Joyce.

    Continue reading
  • Feeling highly stressed about your job? You must be a CISO
    'The attack surface has expanded exponentially' during the work-from-home pandemic, says one

    Almost all cybersecurity professionals are stressed, and nearly half (46 percent) have considered leaving the industry altogether, according to a DeepInstinct survey.

    For its annual Voice of SecOps Report, the endpoint security biz commissioned a poll of 1,000 senior-level security professionals in the US, UK, Germany and France.

    It found that although 91 percent of those surveyed experience at least a low-degree of work-related stress, and almost half (46 percent) of those professionals claimed their stress levels had risen over the past 12 months, their root causes differed based on their jobs. While six percent of all professionals claim to be "highly stressed" due to their work, among CISOs, ITOs, CTOs and global IT strategy directors, the number climbs to 33 percent.

    Continue reading

Biting the hand that feeds IT © 1998–2022