There is no getting away from it. Windows 7 was never intended to be launched this week, and would in more normal circumstances have appeared at some point next year or ever later.
What went wrong, why was normality disrupted, and why the world has been invited to experience the launch of something as technically opaque as an operating system, is now a matter of widely-held orthodoxy: Vista, the trumpeted successor to XP, didn’t measure up.
Launched to business customers throughout late 2006, the scale of Vista’s market failure still looks bad, no matter that it has ended up maturing into a perfectly stable piece of software. According to a survey by Forrester this week, XP is still the main OS used on an astonishing 79 percent of PCs in the key US and European SMB sector, with Vista used by 9 percent, not much ahead of the aged Windows 2000.
The grip XP has maintained on businesses at all levels is still a shock if you ponder one of the main reasons it was supposed to deserve being kicked out– woeful security.
There was a time when security would have been seen as an afterthought and that was probably how XP’s planners saw it as they churned through code in mid-2001, close to launch. That turned out to be historic complacency and so the whole OS had to be retrofitted with a security-oriented service pack in late 2004 just to turn it into something almost mediocre. XP has struggled security-wise ever since.
Vista’s various failings have been well documented but - the incessant pestering of its User Account Control (UAC) aside - had little to do with security, which just goes to show that security is not the bit that most people notice, most of the time. Businesses wanted better security, but decided to wait for a better all-round product.
By now, desperation has probably set in, and businesses will flock to buy Windows 7 as their upgrade cycles allow. Forrester reports that 66 percent have plans to do so in the fullness of time, a not very surprising finding given that not doing so would mean sticking with an eight year old OS. Forrester also found that 28 percent of companies planned to deploy in one hit.
In essence, the security case for Windows 7 over XP is unanswerable, starting with some basic reforms (such as a proper distinction between user and admin accounts) that make you wonder how firms have coped all this time. Given that Windows 7 shares its security architecture with Vista, the case for an upgrade here is far less clear cut and would depend on the desirability of other features.
New, yes, but better?
Windows 7’s new security features can be summed up pretty quickly. UAC can be tuned to reduce tiresome application alerts, revising Vista’s sometimes unfairly maligned application controls; The old Software Restriction Policies (SRPs) are reprised in more usable form (we are told) to allow a feature called AppLocker to control which applications users can run, and not run, from the desktop; BitLocker encryption has been simplified, as well as extended to allow its use with removable drives.
Undoubtedly, BitLocker and BitLocker To Go (the mobile version) will be easier to set up than with Vista (the necessary partition is created automatically for instance), and admins will like the theory behind AppLocker. Both will take considerable management effort, nonetheless, and policies need to be thought through for key recovery, which luckily is now easier thanks to the embedded data recovery agent (DRA) included in Windows 7.
There are a scattering of other security improvements in Windows 7, but the problem with security is that it is never just about lists of features. All of them have to be managed, as does the environment as a whole. Some of Windows 7’s security baubles could probably be added without needing a brand new OS.
What about the SDL
The bigger picture for Microsoft and its business users alike is that Windows 7 is the first operating system it has ever conceived wholly within the auspices of its much-vaunted Software Development Lifecycle (SDL) programme, a massive overhaul of the way the company turned out software inspired by a rethink in the light of Windows XP’s well publicised security failings.
The programme inflects everything Microsoft now does right down to code level, and the company will point to the slowing in the number and severity of vulnerabilities found in the core OS in XP SP2 onwards (admittedly from a low base), in Vista, and now, it hopes, in Windows 7.
Vulnerabilities are bad because they expose PCs to potentially serious exploits and at the very least require admins to patch to reduce that attack surface whether there is an exploit or not. That adds up to work, made worse by possibly having to carry out the exercise across three versions of Windows at once, an almost unprecedented state of nuisance.
The SDL doesn’t mean that vulnerabilities don’t persist, whether in the OS, or the expanding code base Microsoft is adding as it shoehorns in new features and boosts Microsoft applications.
On the one hand, of the most serious security flaws of the year happened last summer in an ActiveX control buried inside Internet Explorer, a version running exclusively on XP and pre-dating the SDL-inspired IE8. On the other, Microsoft’s mammoth patch of this month featured a raft of vulnerabilities Vista, and nine for Windows 7, an operating system not even launched.
All of this convinces Amichai Shulman, a bug hunter at Israeli patching company Imperva, that Microsoft’s SDL might now be in the grip of the law of diminishing returns.
“Microsoft has dramatically improved the quality of its code,” says Shulman. “There is no argument that having good production processes is a must. But is it the Holy Grail?”
Vulnerabilities were a function of how much new code there is and the willingness of researchers and criminals to hunt down the flaws. The processes used to create it were important, but far from being the only factor involved. Windows 7’s problem is that, SDL or not, it will mean huge amounts of new code coming under scrutiny, something that hadn’t happened with Vista because of its poor uptake.
“You very quickly reach the point where investment in producing better software will not produce returns,” says Shulman, pessimistically. "The fact that Microsoft has broken its own Patch Tuesday record suggests that the software giant has reached the inherent limits of real world software debugging processes."
Windows 7 flaws would still come at a steady speed, and overall platform flaws might actually increase as its complexity expands from today’s levels.
Windows 7 features the same core elements that appeared in Vista - Kernel Patch Protection, and Data Execution Prevention – improvements but not necessary the bits to worry about in the first place. For admins, the similarity between Windows 7 and its predecessor in terms of security design mark the new OS as a sort of re-launch of Vista. That won’t bother the eager XP user base, but it might give the few that have embraced Vista pause for thought.
And what of Vista? Maligned, unfashionable, but in recent incarnations highly capable if extended to incorporate some of its successor’s best features.
That won’t stop it being lost in the rush for the new model. Vista will linger on desktops for some time to come, but history will judge it a mezzanine floor on the ascent to better things. Ahead of its time, Vista will still be the OS that launched new many new ideas. You could say that Windows 7 is better, yes, but not that much better.