Tuesday 13 June 2017

Microsoft’s decision to patch Windows XP is a mistake


Once again, Microsoft has opted to patch the unsupported Windows XP. Dan has written about the new patch, the circumstances surrounding the flaws it addresses, and why Microsoft has chosen to protect Windows XP users. While Microsoft's position is difficult, we argue in this post, first published in 2014, that the patch is the wrong decision: it sends a clear message to recalcitrant corporations that they may stick with Windows XP, insecure as it is, because if something serious enough comes along, Microsoft will patch it anyway. Windows 10 contains a wide range of defense-in-depth measures that will never be included in Windows XP: every time an organization resists upgrading to the latest Microsoft operating system, it compromises its own security.

Microsoft officially ended support for the Windows XP operating system a few weeks ago, twelve and a half years after its release. Except it apparently did not, because the company has included Windows XP in its off-cycle patch for a zero-day Internet Explorer flaw that is seeing a certain amount of exploitation in the wild. So the unsupported operating system is, in fact, still supported.

Explaining its actions, Microsoft says that this patch is an "exception" because of "proximity to the end of support for Windows XP."

The decision to release this patch is a mistake, and the reason given for doing so is inadequate.

A single patch of this kind does not make any significant difference to the security of a platform. Internet Explorer has received security patches on 11 of the last 12 Patch Tuesdays. Other browsers such as Chrome and Firefox receive security updates at a comparable frequency.

Web browsers are complex. They are necessarily exposed to all sorts of potentially hostile input that the user cannot really control, and as such they are a frequent target for attacks. They need regular updates and continuous maintenance. The security of a browser does not depend on any single bug fix; it depends on a continuous stream of patches, fixes and improvements. This "exception" does not make Internet Explorer on Windows XP "safe". It makes no sense to treat this patch as meaning that it is suddenly "OK" to use Internet Explorer on Windows XP.

And yet, it seems inevitable that this is precisely how it will be received. The work of migrating away from Windows XP has just become much more difficult. I'm sure there are IT people all over the world who now have to argue with their budget-holding bosses about this very subject. IT people who have had to impress upon their superiors that they need the budget to upgrade away from Windows XP, because Microsoft will no longer ship patches for it. Microsoft has turned these people into liars. "You said we had to spend all that money because XP was not going to be patched, but it is!"

Bosses who were convinced they could stay on Windows XP because Microsoft would blink are now vindicated.

After all, if Microsoft can blink once, who is to say it will not do so again? The next Patch Tuesday update for Internet Explorer will almost certainly include fixes for flaws that affect Internet Explorer on Windows XP: the nature of the software means that most flaws in Internet Explorer 7 (supported for the rest of the Windows Vista lifecycle) and Internet Explorer 8 (tied to the Windows 7 lifecycle) will also be flaws in Internet Explorer 7 and 8 when running on Windows XP. Many of them will also affect Internet Explorer 6.

In fact, this is precisely the pattern we have seen with this flaw. Security company FireEye reports that only later did attacks on Internet Explorer 8 on (unsupported) Windows XP materialize.

Virtually every time Microsoft patches one of its remaining supported platforms, the company will simultaneously be disclosing a zero-day vulnerability for Windows XP (something we recently criticized Apple for doing). The patch list for May's Patch Tuesday, less than two weeks away, is not yet available, but based on Internet Explorer's history it is very likely that the browser will be updated, and those updates are likely to reveal exploitable flaws in Windows XP.

By Microsoft's "proximity" argument, those flaws should also be patched in Windows XP. In fact, it is hard to see a time when "proximity" will not be an issue. It is inevitable that Patch Tuesday will reveal exploitable flaws in the unsupported operating system, and it is equally inevitable that at least some of those flaws will be exploited. With Windows XP's market share as high as it is, there was never any real possibility that an exploit would not materialize in "proximity" to the end of support.

People using Windows XP will be exploited through known, unpatched vulnerabilities. That is what the end of support means. That is its inevitable consequence. As long as Windows XP has a substantial number of users, there will be calls for "one more patch" to be released. There is nothing special about this latest flaw that deserves special treatment, and the coming weeks and months will see the disclosure and exploitation of many other similar flaws. If this flaw deserved a fix, then so do all the others.

The zero-day flaw and its exploitation are unfortunate, and it is likely that Microsoft was responding to government calls to stop people from using Internet Explorer. The company had three ways to respond. It could have done nothing: stood firm, argued that the end of support means the end of support, and encouraged people to move to a different platform. It could have yielded completely, extending the Windows XP support lifecycle by several more years, and waited for attrition to reduce the Windows XP user base to irrelevance. Or it could have claimed that this case is somehow "special", releasing a patch while still insisting that Windows XP is not supported.

None of these options is perfect. A hard-line approach to end of life means that there are people being exploited whom Microsoft refuses to help. A complete reversal means that Windows XP will take even longer to leave the market, making it a continuing headache for developers and administrators alike.

But Microsoft's choice is the worst of all worlds. It undermines the efforts of IT staff to abandon the old operating system and undermines Microsoft's claim that Windows XP is not supported, while doing nothing to significantly improve the security of Windows XP users. The upside? At best, it buys users a few extra days of slightly improved security. It is hard to see how that could possibly be worth it.
