Microsoft has changed its mind and decided it will issue a fix for a serious Internet Explorer bug for Windows XP users, despite officially ending support for the system last month.
It was the first real test of Microsoft’s resolve to abandon XP, though it seemed inevitable it would face such a dilemma. At first it appeared the company would stick to its guns, despite the security risks.
The bug is about as bad as it gets for Internet Explorer: it’s a zero-day bug that allows a drive-by attack (i.e., one triggered solely by a user visiting a website) resulting in remote code execution, and it affects every edition of IE from 6 onwards, covering all versions of Windows from XP onwards.
While Microsoft was first working on a fix, it specifically said there’d be no update for XP. Support for the system, including security updates, officially ended on April 8, despite years of speculation that with so many people still on XP, Microsoft wouldn’t dare to pull the plug.
The company has now put out a curious statement explaining why it has changed its mind on this occasion:
Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do…. Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer.
Arguing that it was right to issue an update because the deadline for support has only just passed seems an odd approach that misses the point of a deadline. It’s the same sort of argument made by somebody hit with a speeding ticket for going “only” one mile per hour above the limit.
It’s also somewhat baffling that Microsoft is trying to downplay the seriousness of the bug. It’s surely only the fact that this potentially could be a big security deal that’s persuaded it to backtrack on its support deadline and risk being accused of crying wolf. If there’s no real concern about the vulnerability, it makes no sense to be issuing a fix for XP.
The problem now is that next time a security flaw affecting XP is discovered, Microsoft will come under intense pressure to fix it, and it will struggle to make the argument that it can’t do so because the deadline for support has passed.
Realistically, though, Microsoft is in the precise situation that’s been inevitable for years. Many people, for a variety of reasons, don’t yet want to upgrade from XP despite the security risks. The only real way to make many users change their minds is if they suffer serious harm from a major security incident that’s directly related to using an unsupported operating system. And a company like Microsoft that’s still in business and dominant in the market will find it incredibly difficult to allow that to happen.