This is what IE 6 looked like on Windows XP when both were first released

No Need to Point Fingers in the Wake of XP Fix

Microsoft did the right thing

Microsoft's recent and apparently controversial decision to fix a major security flaw in Windows XP suggests that the firm still has a lot of work to do to overcome the disappointments and defeats of the past decade. I've never seen such a vindictive and negative reaction to such a well-intentioned move.

And as a reporter, analyst and observer of Microsoft for over 20 years, I thought I'd pretty much seen it all: The firm's ascendency in the 1990s, the peak of its power and influence with Windows 95, its nasty and painful antitrust downfall, the embarrassment of Longhorn's failure, its inability to quickly embrace the modern mobile computing phenomenon and now the hope of a new era under new CEO Satya Nadella.

And then last week happened. Microsoft fixed a vulnerability in all versions of Internet Explorer dating back to IE 6, which shipped as part of Windows XP in 2001. It did so via a set of out-of-band security updates—that is, outside of the normal monthly Patch Tuesday release schedule—because the firm knew that hackers were exploiting the flaw.

The controversy stems from Microsoft's decision to fix the flaw in "all versions of Windows XP," an OS which, as you know, just entered support retirement. In a post to the Official Microsoft Blog, Trustworthy Computing general manager Adrienne Hall justified the decision to support the unsupported Windows XP by noting the vulnerability's "proximity to the end of support for Windows XP." She referred to this as an "exception" and explained that Microsoft still wants its customers off of XP and using supported versions of Windows instead.

This is all perfectly reasonable.

But put in the perspective of Microsoft's history over the past 20 years, it should perhaps not have been surprising to me that customers—and, perhaps as notably, others in the industry who do what I do—have reacted entirely negatively. Apparently, no good deed can go unpunished. And the software giant's chorus of complainers has risen to the challenge.

The charges are spurious.

Despite the fact that Microsoft described this fix as an exception, many believe that the firm has now misled customers into believing that it will, in fact, fix future security vulnerabilities for Windows XP. I feel the firm has been clear about its intentions and see no lack of clarity there.

Some have pointed to the fact that the known exploits target only Internet Explorer 9, 10, and 11 and more recent Windows versions (7 and 8). So why even bother fixing the problem on Windows XP, they ask. Because known exploits lead to copycats and had the firm not fixed this problem on XP, those exploits could have easily been modified to target XP once the other, supported, OSes were patched.

The proximity comment has also come under fire: It's unclear why proximity matters when there are over 400 million customers still using XP, some argue. That figure should demand a certain amount of respect, of course. But I would challenge the assertion that anyone still running Windows XP is a customer, if we're going to get pedantic about it. (And even those customers who do in fact have XP migration plans in place shouldn't be excused. It's 2014, for crying out loud.)

What we should be doing here is accepting this for what it is, an unexpected gift. Microsoft spent years warning customers about the expiration of Windows XP, and got increasingly shrill about it as the April 2014 expiration date neared. Many of these customers simply ignored those warnings.

Windows XP is still unsupported. It's still vulnerable to other attacks and is still unsuitable in many ways for the modern workloads and capabilities that users should expect. Software isn't like wine; it doesn't get better with age. It in fact deteriorates as time goes by because the methods of attack get more sophisticated while the underlying code does not. This is especially true, exponentially truer, for software that is no longer supported by its maker.

Our weird nostalgia for Windows XP notwithstanding, it's well past the time to say goodbye, and I'm not going to eulogize or reminisce about this out-of-date OS again. Let's just thank Microsoft for the respectful sendoff and move on.

TAGS: Security