Years ago I heard a joke that reminds me of the situation Microsoft found itself in last week with its latest IE vulnerability:
If a man is alone in a forest, and there’s no woman there to hear him, is he still wrong?
I was as shocked as anyone when Microsoft released just one last Internet Explorer patch for Windows XP on May 1. I can argue either side of the issue, but I don’t think I can argue either side convincingly enough to get a simple 50.1% majority of people to agree with me, because I’m not sure I can argue either side of the issue convincingly enough that I would agree with myself.
I think it’s important that 26% of all web traffic is still coming from Windows XP today, nearly three weeks after it went end of life. That likely played into the decision. Microsoft was in a no-win situation here, and they had to decide whether they wanted to lose 1-0 or 24-1. So I don’t think it matters all that much, but here are the pros and cons of each side, as I see them.
First, let’s look at the reasons to just let XP burn:
- They had 3 years’ warning
- Some users will have automatic updates turned off anyway
- Releasing a patch will give the impression that more patches are coming, which will slow upgrades even further
There’s no argument against #1. They’ve been trying to replace XP since 2005, when Vista came out. Vista was terrible, but Windows 7 is awfully nice once you get it running. I had more bumps in the road than most getting Windows 7 to run, but the difference between a 32-bit environment and a 64-bit environment is very noticeable. The jump from XP to 7 isn’t quite like the jump from 3.0 to XP was, but the timeline is the same, and the thought of anyone still running Windows 3.0 in 2002 is absolutely ridiculous.
While #2 is a possibility, it’s also an assumption–an assumption that anyone who’s running XP is always going to do the worst thing possible. Some percentage will do this, and some percentage will disable the firewall while they’re at it, but the exact percentage is unknowable. Lump them into the same category as people who defeat all of the safety mechanisms on their power tools and lawnmowers. Some people talk about doing things like this, but we can’t assume everyone does it. We can’t even assume that everyone who talks about it actually follows through and does it–some people say they do things like this because they like attention.
I do think #3 is a legitimate concern. There are some people who are still convinced that Microsoft will keep releasing XP patches indefinitely because some governments and corporations are paying for extended support, and therefore, everyone is entitled to them. This patch reinforces that. And since patching was pretty silent anyway, it’s likely many of the people in this category won’t know the difference and will assume that since their computer continues to work, everything must be fine.
Two good reasons out of three isn’t bad. I always assumed Microsoft wouldn’t patch this on XP, so you probably know where I stand.
So let’s look at the reasons to release one last patch:
- Many XP machines are likely still at their default settings, which means they are using IE, and those at default settings will take the update
- They wrote the patch anyway, might as well release it
- Turning 26% of the web into a botnet would be a bad thing
- The exploit is much easier to carry out on XP than on newer versions of Windows
#1 is the counterpoint to #2 above, and #3 is the counterpoint to #3 above. I think #3 and #4 are the clincher, especially in light of this coming too close to the end of XP support and in the wake of Heartbleed. Microsoft didn’t want to be accused of conspiring to not patch one last critical bug right at the end, to force people’s hand, especially when people’s minds are on security anyway. Most people don’t understand what Heartbleed is, but they know it’s bad, and it affects them.
I’m sure the argument is exactly like the argument over whether to provide security patches to pirated copies of XP, which Patrick Gray discussed late last week on his Risky Business podcast. Patches that provide stability fixes or feature upgrades generally require an authenticated copy of Windows, but security patches do not. It’s not about protecting the pirates, but the people around the pirates. In order to protect its paying customers, Microsoft has to provide some protection to the pirates as well. So I understand why Microsoft did this one last time.
But will it really be the last time? Consider this: The extended support for XP that businesses and governments are buying is crazy expensive, and Microsoft can’t afford the backlash if they reverse course on that. The business sector is where Microsoft makes its money, not home users. And in order to buy extended support, the enterprise customers have to provide a credible plan to migrate off XP. Microsoft does want this to be over.
Perhaps Microsoft will hedge a bit and release the occasional patch for particularly egregious bugs over the next year or two while letting more minor security vulnerabilities burn. That would be a suitable compromise. But I wouldn’t count on it.