Microsoft blinked…XP updated one last time

Windows XP users can’t say they weren’t warned. Looking back over the last few years of Microsoft Patch Tuesday security bulletins you will find that most have at least one critical vulnerability that affects Windows XP, and there was certainly no reason to believe that would somehow stop once Microsoft support for the OS expired. Luckily for Windows XP users—and the rest of us who share the Internet with them—Microsoft decided to issue one last update for the geriatric operating system.

Adrienne Hall, general manager of Trustworthy Computing for Microsoft, explained in a blog post, “We believe, and take a huge amount of pride that, among widely used browsers, IE is the safest in the world due to its secure development and ability to protect customers, even in the face of cybercriminals who want to break it.”

She adds, “This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers. So we did.” That includes patching the vulnerability even for the now-unsupported Windows XP.

“To interrupt a scheduled development cycle for an emergency patch, or ‘out of band’ release is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle,” stressed Trey Ford, global security strategist for Rapid7. “One thing particularly of interest is that Microsoft made the decision to issue this patch for Windows XP, which is no longer officially supported. I think this underscores the importance of this patch, and the priority with which it should be deployed.”

Chris Goettl, product manager at Shavlik, also shared some thoughts about Microsoft patching XP. “It is encouraging, but at the same time not surprising that Microsoft would include this for the Windows XP population. Having a Zero Day pop up before even a month of XP being out of service could go by was a perfect storm scenario. It is in Microsoft’s best interest to plug this gap since it is obvious that XP will be in circulation for a while yet. One can hope there are a few hackers out there wearing long faces knowing that this patch will likely be rolled out to XP systems ASAP.”

I agree with Goettl that it’s understandable why Microsoft would feel compelled to patch XP in this case…somewhat. I think it’s in the best interest of Microsoft's reputation to not have hundreds of millions of PCs running one of its operating systems left exposed to an active exploit, but I also think that issuing the patch sends mixed signals, and may just reinforce how stubborn some Windows XP loyalists seem to be. If Microsoft patched this one, many XP users will assume Microsoft will continue to do so on an as-needed basis, which muddies the waters a bit on the whole “Windows XP is no longer supported” issue.

Hall sums it up quite clearly. “Of course we’re proud that so many people loved Windows XP, but the reality is that the threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade. This is why we’ve been encouraging Windows XP customers to upgrade to a modern, more secure operating system like Windows 7 or Windows 8.1.”

Yes, Microsoft “blinked” this time. But, if you’re planning to continue using Windows XP you should expect many more equally critical vulnerabilities in your future, and I wouldn’t hold my breath expecting Microsoft to come to your rescue every time.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.