Microsoft Won’t Give SP2 Security Fixes to Older Browsers

Microsoft is taking flack for saying it won’t offer some key patches and upgrades for older versions of its Internet Explorer (IE) browser, some of which are still widely used, that are available as part of its much-ballyhooed Service Pack 2 update.

In a move that some observers say is designed to convince more customers to upgrade their older versions of the Windows platform, Microsoft has said it would not include patches for Windows 2000 or earlier versions.

Microsoft has promised a similar service pack for Windows Server 2003, but had not explicitly revealed its plans for other legacy versions of its platform until this week. Some in the information-security community had hoped the company would provide some of the more basic security upgrades for older IE versions, such as a patch that blocks automatically activated viruses.

For its part, the software giant said the decision reflects a desire to provide customers the most secure platform it can.

“The most secure version of Windows today is Windows XP with SP2,” Microsoft said in a statement. “We recommend that customers upgrade to XP and SP2 as quickly as possible. We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows.”

Threat to the Net?

Microsoft also hinted that patching older versions might give a false sense of security and noted that older platforms were developed long before the current environment of rampant security threats from the Web came about.

Analyst firm Directions on Microsoft noted that, by the company’s own estimates, as many as 200 million end users might have the older versions of Windows, many of them accessing the Web with older versions of IE.

Gartner analyst Michael Silver said SP2 remains a significant security improvement, especially for Internet Explorer, and by itself could provide added attraction for enterprises weighing whether to upgrade or wait for Microsoft’s long-promised next generation of Windows, known as Longhorn, which is expected to have more built-in security features.

“From the outset, SP2 gave Windows 2000 users an added incentive to upgrade now, or at least earlier than they would have if they were waiting for Longhorn,” which might not come until 2006 or 2007, Silver said. It was clear, he added, that any patches for older versions would be limited and for specific flaws, rather than sweeping updates.

The service pack contains “badly needed fixes” to IE that, if widely adopted, could have an impact on the ability of malicious code writers to spread viruses and worms, Silver added.

No Small Feat

So, will companies not ready to upgrade opt for third party browsers instead? Open-source versions by Moziilla and other offerings are starting to dent Microsoft’s dominant position.

Enderle Group analyst Rob Enderle said some security experts’ suggestions to change browsers as a security measure glosses over the fact that most security threats come from insiders to a network, not from the Web.

And while it might be too early to tell whether non-XP Microsoft customers will upgrade, doing so might make more sense than introducing a different browser into a Windows environment.

“Microsoft has said for years that IE is part of the browser, it’s integrated,” Enderle said. IE has not been available as a standalone download for some time, and each new version of Windows has tightened the integration with the browser, which in turn is often integrated to some extent with third party applications.

“There is a massive infrastructure that surrounds IE that would need to be considered even if you really could remove IE without replacing the OS,” Enderle said. “This would clearly not be something to be taken lightly.”