The revelation follows last week's warning that a serious vulnerability in Microsoft's Internet Explorer occurred in the software supporting a decade-old protocol that has rarely been used since the World Wide Web became popular.
"A lot of the (coming) design changes are to remove this feature or turn that one off by default," said Steve Lipner, director of security assurance for Microsoft and the man on the ground for the company's trustworthy computing initiative.
He added that when Microsoft is faced with a choice between removing old, possibly insecure code and keeping a feature to please a small fraction of customers, increasingly security is winning out. "Do we think that things will be retired more quickly? Sure," Lipner said.
The acknowledgment that the company is rushing to axe old code comes amid criticism that Microsoft's security initiative has been slow to show results. More than 30 vulnerabilities have been reported by the company since the initiative began, putting it on the same security track as last year.
Fifty-million lines of code
Even before Windows XP came out, Microsoft said it would sacrifice compatibility in some circumstances to increase performance. However, the recent, unexpected security problems are accelerating the process and prompting the company to remove more code than anticipated. But trying to figure out how to cut potentially problematic code is no easy task.
"The problem is that you are dealing with 50 million lines of code and everything depends on everything else," said Peter Neumann, principal scientist for technology think-tank SRI International.
Microsoft kicked off its trustworthy computing initiative in January, after Chairman Bill Gates urged the company's employees to focus more on security and less on creating new features. Critics of the company have kept watch for signs of any real changes in how the software giant deals with security. Changes in Windows, though, could take awhile, especially in light of how the operating system has grown.
Neumann--who designed the file system for the Multics operating system, the precursor to Unix--stresses that software security starts with good design, using modular components.
"Part of the problem is everything is too convoluted," Neumann said. "It's difficult to have an assurance that everything is going to work." Adding in backward compatibility only increases complexity, he added.
Marc Maiffret, 21-year-old security prodigy and chief hacking officer for eEye Digital Security, doesn't fault old code for security problems. He said that programmers who don't review the code before using it are at fault. Old code may have more security holes in it, but those holes should be caught, he said.
"With a lot of the more recent code, people are smarter about writing secure code," Maiffret said, adding that "there is no problem in having backwards compatibility, except when there is a flaw in it."
That's the problem Microsoft is facing. A feature that allowed Internet Explorer to communicate with servers running Gopher, a pre-Web protocol for hyperlinking information, has a vulnerability that could leave PC users open to attack, a Finnish researcher said last week.
GopherSpace, the name of the network of servers that supports the Gopher protocol, consists of less than 600 computers offering up less than 8 million links, according to a Gopher site maintained at Point Loma Nazarene University. The Web has more than 2 billion pages, according to the Google search engine.
While Microsoft is still analysing the claims, the company's trustworthy computing initiative already had project managers questioning the wisdom of having support for the rarely used protocol, said Microsoft's Lipner.
"Gopher was one of the functions that was flagged for being turned off by default" in the coming Windows XP Service Pack 1, Lipner said. While the disclosure of the apparent flaw beat the company's update, Lipner stressed that the design decision showed the initiative was paying off. "We were asking the right questions," he said.
Lipner wouldn't name other features that would be retired, or break down how much of Windows XP is considered old code and how much is new. Instead, he explained that part of the company's security process involves imagining the worst types of attacks against its code and developing a "threat model." It then searches for any holes in its defenses that would let such attacks through.
"The developers and testers were reviewing code and testing code as prioritised by the threat model," Lipner said.
Lipner said the work is ongoing, adding, "The security push is a big job."
So how old is code Microsoft 10, 20 years old? When was the last time you reviewed it and updated it 10, 15 years ago? Can we open up Windows XP and find MS-DOS 3 code sitting there in all it's glory exactly the same as when it was written 10 or 20 years ago.
When are you going to stop saying that you've created a new OS based on decades old code with a new coat of paint and in a new box? When are you going to sit down and look at all that old code and either review it, update it or throw it away?
When are we going to see a truly new operating system from you Microsoft? When are we going to see a brand new Windows completely rewritten and rebuilt from brand new code. A Windows that is truly new.
Well of course you going to have compatibility problems with it and of course it will take time build it but it will be long worth the wait don't you think? A OS Microsoft can call truly new A new OS for a new millennium not based on a lie but true.