Friday, May 2, 2014

Microsoft blurs the line on "ending support" for Windows XP

In a slightly surprising (albeit not unprecedented) move, Microsoft have announced that a patch for its high-profile Internet Explorer vulnerability will be rolled out to versions of Windows including the officially obsolete Windows XP. In a blog post yesterday, General Manager for Trustworthy Computing, Adrienne Hall, rationalises this move as follows:

"One of the things that drove much of this coverage was that it coincided with the end of support for Windows XP. [...] We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown."

Or, reading between the PR-speak: "We're sick of journalists banging on about this bug so we're going to go back on our support policy to shut you up just this once".

The interesting dilemma now is: what happens next time? If a remote execution vulnerability is an "overblown" one, then what happens when the next vulnerability arises that is serious enough not to be deemed "overblown"? Where will this leave Microsoft's policy on XP security patches? Presumably their official line isn't "we refuse to patch security vulnerabilities, except the overblown ones"...?