Microsoft To Fix XP Bug, But Just This One Time, Honest



Microsoft has changed its mind and decided it will issue a fix for a serious Internet Explorer bug for Windows XP users, despite officially ending support for the system last month.

It was the first real test of Microsoft’s resolve to abandon XP, though it seemed inevitable it would face such a dilemma. At first it appeared the company would stick to its guns, despite the security risks.

The bug is about as bad as it gets for Internet Explorer: it’s a zero-day bug that allows a drive-by attack (i.e., one triggered solely by a user visiting a website) leading to remote code execution, and it affects every edition of IE from 6 onwards, covering all versions of Windows from XP onwards.

While Microsoft was first working on a fix, it specifically said there’d be no update for XP. Support for the system, including security updates, officially ended on April 8, despite years of speculation that with so many people still on XP, Microsoft wouldn’t dare to pull the plug.

The company has now put out a curious statement explaining why it has changed its mind on this occasion:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today.  We made this exception based on the proximity to the end of support for Windows XP.  The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown.  Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously.  We absolutely do…. Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer.

Arguing that it was right to issue an update because the deadline for support has only just passed seems an odd approach that misses the point of a deadline. It’s the same sort of argument made by somebody hit with a speeding ticket for going “only” one mile per hour above the limit.

It’s also somewhat baffling that Microsoft is trying to downplay the seriousness of the bug. It’s surely only the fact that this potentially could be a big security deal that’s persuaded it to backtrack on its support deadline and risk being accused of crying wolf. If there’s no real concern about the vulnerability, it makes no sense to be issuing a fix for XP.

The problem now is that next time a security flaw affecting XP is discovered, Microsoft will come under intense pressure to fix it, and it will struggle to make the argument that it can’t do so because the deadline for support has passed.

Realistically though, Microsoft is in the precise situation that’s been inevitable for years. Many people, for a variety of reasons, don’t yet want to upgrade from XP despite the security risks. The only real way to make many users change their minds is if they suffer serious harm from a major security breach that’s directly related to using an unsupported operating system. And a company like Microsoft that’s still in business and dominant in the market will find it incredibly difficult to allow that to happen.





5 Responses to Microsoft To Fix XP Bug, But Just This One Time, Honest

  1. I can’t believe that people are still clinging to XP. It’s over!! Get Windows 7……

  2. There are a lot of business level applications that will not run on anything after XP. This is unfortunate but true. These are customized applications pertaining to these businesses that cannot be abandoned. Microsoft should look closely at this issue and come up with a business only OS that can support everything that XP can do but have the security and enhancements of their latest OS developments. If Microsoft wants cheers and applause from all business levels then they would look into making this happen.

  3. …except it’s not an XP flaw. it’s an IE flaw. and the ticket analogy really doesn’t work. a better one would involve deadlines and consequences. and on top of that, crying wolf is the opposite of what’s happening. MS is in “see? it happened.” mode. crying wolf would be more if nothing was exploited for years