If you're one of about 200 million people using older versions of Windows and you want the latest security enhancements to Internet Explorer, get your credit card ready.
Microsoft this week reiterated that it would keep the new version of Microsoft's IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2. The upgrade to XP from any previous Windows versions is $99 when ordered from Microsoft. Starting from scratch, the OS costs $199.
That, say analysts, is a steep price to pay to secure a browser that swept the market as a free, standalone product.
"It's a problem that people should have to pay for a whole OS upgrade to get a safe browser," said Michael Cherry, analyst with Directions on Microsoft. "It does look like a certain amount of this is to encourage upgrade to XP."
Microsoft affirmed that its recent security improvements to IE would be made available only to XP users.
"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement. "The most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible."
The Internet's security mess has proved profitable for many companies, particularly antivirus firms. Microsoft has declared security job number one.
By refusing to offer IE's security upgrades to users of older OSes except through paid upgrades to XP, Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point.
That lemonade comes in the midst of a painfully dry spell for the company's operating system business.
Three years have passed since Microsoft introduced its last new OS, and its upcoming release, code-named Longhorn, has been plagued by delays. Microsoft last month scaled back technical ambitions for Longhorn in order to meet a 2006 deadline.
While Wall Street anxiously awaits an operating system release that can produce revenues until Longhorn appears, Microsoft is eyeing the nearly half of the world's 390 million Windows users who have opted to stick with older OSes than XP, including Windows 2000, Windows ME, Windows 98 and Windows 95.
Microsoft denied it was deliberately capitalising on the Internet's security woes to stimulate demand for XP.
"Microsoft is not using security issues or any security situation to try to drive upgrades," said a company representative. "But it only makes sense that the latest products are the most secure."
Microsoft has maintained that the browser is part of the operating system, a point of contention in its antitrust battle with the US government.
Last year, the company ruled out future releases of IE as a standalone product. This week, the company reiterated that stance.
"IE has been a part of the operating system since its release," said the Microsoft representative. "IE is a feature of Windows."
When asked about IE's origin as a free, standalone product, the representative said, "You're talking in software terms that might be considered ancient history."
Microsoft promised "ongoing security updates" for all supported versions of Windows and IE.
Those ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month. Those include a new pop-up blocker and a new system of handling ActiveX controls and downloaded content.
And it's those more substantial changes, rather than the bug fixes that come with routine upgrades for supported products, that security organisations have lauded for addressing IE's graver security concerns.
Now it's unclear whether even half the Windows world will have access to the shored up IE.
"It's particularly bothersome if a product is in mainstream support, because what does mainstream support mean then?" said Directions on Microsoft's Cherry.
Microsoft currently commands about 94 percent of the worldwide OS market measured by software shipments, according to IDC. (That number factors in revenue-producing copies of the open-source Linux OS, but not free ones).
Of Microsoft's approximately 390 million operating system installations around the world, Windows XP Pro constitutes 26.1 percent, Windows XP Home 24.7 percent, IDC said.
The remaining 49.2 percent is composed of Windows 2000 Professional (17.5 percent), Windows 98 (14.9 percent), Windows Me (6.5 percent), Windows 95 (5.4 percent), and Windows NT Workstation (4.9 percent).
Those 49.2 percent of Windows users are left out in the cold when it comes to significant updates to IE and other software.
People running IE without SP2 face an array of security scenarios, many of them linked to lax security associated with the ActiveX API, or application programming interface.
SP2 also brought IE up to date with its competitors with a robust pop-up blocker.
"Although I can understand the reasons why Microsoft would like to simplify its internal processes, I'm not in favour of bundling security patches, bug fixes and new features into one package," said IDC Vice President Dan Kusnetsky. "Organisations wanting only security-related updates or just a specific new feature are forced to make an all-or-nothing choice."
Talkback
Oh, and also don't forget to upgrade your PC if it won't run XP.
Alternatively, just switch to Mozilla Firefox in the short term.
And then switch to Linux as soon as you can.
And tell MS where to stuff their bug-ridden, bloated spyware (**) operating system.
** Spyware as in 'activation' - you effectively have to get your hardware upgrades approved by MS.
Why bother with IE. Switch to Mozilla FIREFOX. It's more secure, faster, smaller to download and standards compliant (which is more than can be said of IE).
I have to say that such a report from ZDNet should at least point out the availability of other(more secure) browsers that don't need XP-SP2 (or XP for that matter).
Are MS trying to lose the browser war?! Will 95, 98, Me, 2000 etc... users pay out £500 to get XP or will they make a 4.5mb download to get Firefox which is more secure than SP2 anyway?
Microsoft have already won the browser war, for better or worse IE is the defacto standard web browser. £500 for XP?? your kidding right? a quick search and I've found and upgrade to XP for £80 from a large online retailer. As for Firefox being more secure... well 'security' is one of those strange qualities you can't measure, so we'll just have to wait and see on that one.
Firefox is not integrated with Windows, hence there is no need to wait and see if it more secure.
"Firefox is not integrated with Windows", so what you're saying is that only applications that are "integrated" into windows are a security risk? Don’t talk rubbish. So if a buffer overflow vulnerability is found in Firefox, it’s some how magically not a problem just because firefox is not integrated into windows? Unfortunately that just isn’t true, if I inject code into firefox using a buffer overflow, I can get it to do pretty much whatever I like including download various malware apps.