Microsoft’s Conundrum with XP and IE

When Microsoft officially cut off support for Windows XP on April 8^th, 27% of the PC market was essentially left on its own to deal with new security vulnerabilities.  Just three weeks have passed and we’ve already reached a cybersecurity showdown. 

To be clear, Microsoft really shouldn’t be blamed for this situation.  Redmond supported XP for nearly 13 years and gave users plenty of lead time to upgrade to Windows Vista, 7 or 8.  Yet when Microsoft moved on from XP only 3 weeks ago, one-quarter of all PC users were still anchored to XP.  As I wrote in an earlier blog these users tend to be everywhere you wouldn’t want them to be – at Town Hall, the High School administration office, your local health care facility, the small credit union down the street, etc. 

It’s fair to generalize here:  Many XP users were content with the OS and may not have the funds to replace PCs or upgrade the operating systems.  Additionally, these organizations aren’t likely to be stocked with crack cybersecurity professionals that can implement countermeasures to decrease the PC attack surface, track CVEs, or monitor network traffic for anomalous behavior.

All of this set up a “perfect storm” for cybersecurity risk.  With OS patches cut off, some vulnerability or zero-day malware was bound to leave the XP crowd up the creek without a paddle.  Regrettably, it didn’t take long.  This past Saturday, Microsoft announced that Internet Explorer (IE) versions 6 through 11 were vulnerable to an exploit that could give hackers full access to Windows systems. 

Microsoft will likely issue an emergency patch for Vista, Windows 7 and Windows 8, but what about XP?  Microsoft’s nemesis Google intends to support Chrome on XP for another year so it will likely recommend that users simply eschew IE, now and forever.  Ditto for Mozilla and Firefox.  Many will likely swap out IE, especially since the U.S. Department of Homeland Security (US-CERT), issued an advisory yesterday, recommending that security professionals assess IE vulnerabilities and defenses or use an alternative browser.  Most XP users would rather switch than fight. 

This leaves Microsoft with the ultimate IT industry Faustian compromise.  If it patches XP, it sets a precedent that it will continue to do so in the future when serious cybersecurity issues arise.  Sort of digital morale hazard so to speak.  This will mollify XP users and encourage them to stay the course.  If it does nothing, it leaves users at risk, opens doors for Google, and will likely face a lot of public scrutiny from alienated customers and PR seekers in Washington. 

To be fair, there are a few things that users can do today if their web applications were designed for IE.  Microsoft recommends that users download and install the Enhanced Mitigation Experience Toolkit (EMET 4.1), which is still available for Windows XP SP3.  Users can also bolster IE security by changing their security setting to “high” (note that this may work but it changes browser functionality).  This may help some but not all IE users and it does create work for those that follow this advice.  (Note:  It may also be worthwhile to look at browser sandboxing technologies or advanced malware detection tools.  Also, consult your AV vendor for specific notifications, signatures, and countermeasures).

Here on the East Coast, we have an occasional severe hurricane.  Before these storms hit, law enforcement officers warn home owners to evacuate, but there are always a few people who stay put intending to ride out the storm.  When these folks get stranded, hurt, or killed, local officials always come away with a black eye in spite of their proactive risk management efforts.  Unfortunately for Microsoft, it is in a similar situation and will likely remain there for the foreseeable future.