Criticism of Windows XP
|Part of a series on|
Windows XP has been criticized for its vulnerabilities due to buffer overflows and its susceptibility to malware such as viruses, trojan horses, and worms. Nicholas Petreley for The Register notes that "Windows XP was the first version of Windows to reflect a serious effort to isolate users from the system, so that users each have their own private files and limited system privileges." However, users by default receive an administrator account that provides unrestricted access to the underpinnings of the system. If the administrator's account is compromised, there is no limit to the control that can be asserted over the PC. Windows XP Home Edition also lacks the ability to administer security policies and denies access to the Local Users and Groups utility.
Microsoft executives have stated that the release of security patches is often what causes the spread of exploits against those very same flaws, as crackers figure out what problems the patches fix and then launch attacks against unpatched systems. For example, in August 2003 the Blaster worm exploited a vulnerability present in every unpatched installation of Windows XP, and was capable of compromising a system even without user action. In May 2004 the Sasser worm spread by using a buffer overflow in a remote service present on every installation. Patches to prevent both of these well-known worms had already been released by Microsoft. Increasingly widespread use of Service Pack 2 and greater use of personal firewalls may also contribute to making worms like these less common.
Many attacks against Windows XP systems come in the form of trojan horse e-mail attachments which contain worms. A user who opens the attachment can unknowingly infect his or her own computer, which may then e-mail the worm to more people. Notable worms of this sort that have infected Windows XP systems include Mydoom, Netsky and Bagle. To discourage users from running such programs, Service Pack 2 includes the Attachment Execution Service which records the origin of files downloaded with Internet Explorer or received as an attachment in Outlook Express. If a user tries to run a program downloaded from an untrusted security zone, Windows XP with Service Pack 2 will prompt the user with a warning.
Spyware and adware are a continuing problem on Windows XP and other versions of Windows. Spyware is also a concern for Microsoft with regard to service pack updates; Barry Goff, a group product manager at Microsoft, said some spyware could cause computers to freeze up upon installation of Service Pack 2. In January 2005, Microsoft released a free beta version of Windows Defender which removes some spyware and adware from computers.
Windows XP offers some useful security benefits, such as Windows Update, which can be set to install security patches automatically, and a built-in firewall. If a user doesn't install the updates for a long time after the Windows Update icon is displayed in the toolbar, Windows will automatically install them and restart the computer on its own. This can lead to the loss of unsaved data if the user is away from the computer when the updates are installed. Service Pack 2 enables the firewall by default. It also adds increased memory protection to let the operating system take advantage of new No eXecute technology built into CPUs such as the AMD64. This allows Windows XP to prevent some buffer overflow exploits.
On April 8, 2014, extended support of Windows XP ended. As this means that security vulnerabilities are no longer patched, the general advice given by both Microsoft and security specialists is to no longer use Windows XP.
In light of the United States v. Microsoft Corp. case which resulted in Microsoft being convicted for illegally abusing its operating system monopoly to overwhelm competition in other markets, Windows XP has drawn fire for integrating user applications such as Windows Media Player and Windows Messenger into the operating system, as well as for its close ties to the Windows Live ID (now Microsoft account) service.
In 2001, ProComp – a group including several of Microsoft's rivals, including Oracle, Sun, and Netscape – claimed that the bundling and distribution of Windows Media Player in Windows XP was a continuance of Microsoft's anticompetitive behavior and that the integration of Windows Live ID (at the time Microsoft Passport) into Windows XP was a further example of Microsoft attempting to gain a monopoly in web services. Both of these claims were rebutted by the Association for Competitive Technology (ACT) and the Computing Technology Industry Association (CompTIA), both partially funded by Microsoft. The battle being fought by fronts for each side was the subject of a heated exchange between Oracle's Larry Ellison and Microsoft's Bill Gates.
Microsoft responded on its "Freedom to Innovate" web site, pointing out that in earlier versions of Windows, Microsoft had integrated tools such as disk defragmenters, graphical file managers, and TCP/IP stacks, and there had been no protest that Microsoft was being anti-competitive. Microsoft asserted that these tools had moved from special to general usage and therefore belonged in its operating system.
To avoid the possibility of an injunction, which might have delayed the release of Windows XP, Microsoft changed its licensing terms to allow PC manufacturers to hide access to Internet Explorer (but not remove it). Competitors dismissed this as a trivial gesture. Later, Microsoft released a utility as part of Service Pack 1 (SP1) which allows icons and other links to bundled software such as Internet Explorer, Windows Media Player, and Windows Messenger (not to be confused with the similar-named Windows Live Messenger, formerly MSN Messenger) to be removed. The components themselves remain in the system; Microsoft maintains that they are necessary for key Windows functionality (such as the HTML Help system and Windows desktop), and that removing them completely may result in unwanted consequences. One critic, Shane Brooks, has argued that Internet Explorer could be removed without adverse effects, as demonstrated with his product XPLite. Dino Nuhagic created his nLite software to remove many components from XP prior to installation of the product.
In addition, in the first release of Windows XP, the "Buy Music Online" feature always used Microsoft's Internet Explorer rather than any other web browser that the user may have set as his/her default. Under pressure from the United States Department of Justice, Microsoft released a patch in early 2004, which corrected the problem.
Migrating from Windows 9x to XP can be an issue for users dependent upon MS-DOS. Although XP comes with the ability to run DOS programs in a virtual DOS machine, it still has trouble running many old DOS programs. This is largely because it is a Windows NT system and does not use DOS as a base OS, and because the Windows NT architecture is different from Windows 9x. Some DOS programs that cannot run natively on XP, notably programs that rely on direct access to hardware, can be run in emulators, such as DOSBox or virtual machines, like VMware, Virtual PC, or VirtualBox. This also applies to programs that only require direct access to certain common emulated hardware components, like memory, keyboard, graphics cards, and serial ports.
Product activation and verification
In an attempt to reduce piracy, Microsoft introduced product activation in Windows XP. Activation required the computer or the user to activate with Microsoft (either online or over the phone) within a certain amount of time in order to continue using the operating system. If the user's computer system ever changes — for example, if two or more relevant components of the computer itself are upgraded — Windows will return to the unactivated state and will need to be activated again within a defined grace period. If a user tried to reactivate too frequently, the system will refuse to activate online. The user must then contact Microsoft by telephone to obtain a new activation code.
However, activation only applied to retail and "system builder" (intended for use by small local PC builders) copies of Windows. "Royalty OEM" (used by large PC vendors) copies are instead locked to a special signature in the machine's BIOS (and will demand activation if moved to a system whose motherboard does not have the signature) and volume license copies do not require activation at all. This led to pirates simply using volume license copies with volume license keys that were widely distributed on the Internet.
Product key testing
In addition to activation, Windows XP service packs will refuse to install on Windows XP systems with product keys known to be widely used in unauthorized installations. These product keys are either intended for use with one copy (for retail and system builder), for one OEM (for BIOS locked copies) or to one company (for volume license copies) and are included with the product. However a number of volume licence product keys (which as mentioned above avoid the need for activation) were posted on the Internet and were then used for a large number of unauthorized installations. The service packs contain a list of these keys and will not update copies of Windows XP that use them.
Microsoft developed a new key verification engine for Windows XP Service Pack 2 that could detect illicit keys, even those that had never been used before. After an outcry from security consultants who feared that denying security updates to illegal installations of Windows XP would have wide-ranging consequences even for legal owners, Microsoft elected to disable the new key verification engine. Service Pack 2 only checks for the same small list of commonly used keys as Service Pack 1. This means that while Service Pack 2 will not install on copies of Windows XP which use the older set of copied keys, those who use keys which have been posted more recently may be able to update their systems.
Windows Genuine Advantage
To try to curb piracy based on leaked or generated volume license keys, Microsoft introduced Windows Genuine Advantage (WGA). WGA comprises two parts, a verification tool which must be used to get certain downloads from Microsoft and a user notification system. WGA for Windows was followed by verification systems for Internet Explorer 7, Windows Media Player 11, Windows Defender, Microsoft Office 2007 and certain updates. In late 2007, Microsoft removed the WGA verification from the installer for Internet Explorer 7 saying that the purpose of the change was to make IE7 available to all Windows users.
If the license key is judged not genuine, it displays a nag screen at regular intervals asking the user to buy a license from Microsoft. In addition, the user's access to Microsoft Update is restricted to critical security updates, and as such, new versions of enhancements and other Microsoft products will no longer be able to be downloaded or installed.
On August 26, 2008, Microsoft released a new WGA activation program that displays a plain black desktop background for computers failing validation. The background can be changed, but reverts after 1 hour.
Common criticisms of WGA have included its description as a "Critical Security Update", causing Automatic Updates to download it without user intervention on default settings, its behavior compared to spyware of "phoning home" to Microsoft every time the computer is connected to the Internet, the failure to inform end users what exactly WGA would do once installed (rectified by a 2006 update), the failure to provide a proper uninstallation method during beta testing (users were given manual removal instructions that did not work with the final build), and its sensitivity to hardware changes which cause repeated need for reactivation in the hands of some developers. Also if the user has no connection to the Internet or a phone, it will be difficult to activate it normally.
Strictly speaking, neither the download nor the install of the Notifications is mandatory; the user can change their Automatic Update settings to allow them to choose what updates may be downloaded for installation. If the update is already downloaded, the user can choose not to accept the supplemental EULA provided for the Notifications. In both cases, the user can also request that the update not be presented again. Newer Critical Security Updates may still be installed with the update hidden. However this setting will only have effect on the existing version of Notifications, so it can appear again as a new version. In 2006, California resident Brian Johnson attempted to bring a class action lawsuit against Microsoft, on grounds that Windows Genuine Advantage Notifications violated the spyware laws in the state; the lawsuit was dismissed in 2010.
- Petreley, Nicholas (2004-10-22). "Security Report: Windows vs Linux | The Register". The Register. Retrieved 2010-01-31.
- Leyden, John. "The strange decline of computer worms | Channel Register". Channel Register.
- "Microsoft: Spyware could bungle SP2 update". USA Today. 2 September 2004. Retrieved 10 November 2013.
- "News Briefs: May 26–31, 2001". Techlawjournal.com. May 31, 2001. Retrieved 2010-01-31.
- Declan McCullagh (May 31, 2001). "MS Launches Counter PR Attack". Wired.com. Retrieved 2010-01-31.
- David Kleinbard (June 28, 2000). "Oracle's Ellison rips into Bill Gates". money.cnn.com. CNN. Retrieved 2010-01-31.
- Newsletter - June 5, 2001 Freedom To Innovate Network; Microsoft. June 5, 2001. Retrieved 2010-05-31.
- Wilcox, Joe (July 11, 2001). "Microsoft changes Windows license terms | CNET News.com". News.com.com. Retrieved 2010-01-31.
- "XPlite and 2000lite Uninstall Windows Components". Product info. Litepc.com. Retrieved 2010-01-31.
- "nLite — Deployment Tool for the bootable Unattended Windows installation". Product info. Nliteos.com. Retrieved 2010-01-31.
- "The "Shop for music online" link starts Internet Explorer instead of your default Web browser in Windows XP". Support.microsoft.com. Microsoft Inc. October 26, 2006. Retrieved 2010-01-31.
- "Troubleshooting MS-DOS-based programs in Windows XP". Knowledge Base. Microsoft Product Support. Archived from the original on 2004-10-16.
This means that Windows does not support 16-bit programs that require unrestricted access to hardware. If your program requires this, your program will not work in Windows NT, Windows 2000, or Windows XP.
- Mary Jo Foley (2007-10-04). "Internet Explorer 7 update: Now WGA-free". ZDNet. Archived from the original on October 11, 2007. Retrieved 2007-12-16.
- Steve Reynolds (2007-10-04). "Internet Explorer 7 Update". Microsoft. Retrieved 2007-12-16.
- "Description of the Windows Genuine Advantage Notifications application". Retrieved 2006-10-31.
- "Description of the Windows Genuine Advantage Notifications application". Support.microsoft.com. 2010-07-02. Retrieved 2010-08-26.
- "New WGA Notifications Released". MSDN Blogs. 2006-09-29. Retrieved 2006-12-03.
- "Lawsuit Labels Windows Genuine Advantage as Spyware". eWeek. 2006-07-29. Retrieved 2010-08-19.
- "Microsoft wins Windows XP WGA lawsuit". Ars Technica. 2010-02-09. Retrieved 2010-08-19.