"One of the things that drove much of this coverage was that it coincided with the end of support for Windows XP. [...] We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown."
Or, reading between the PR-speak: "We're sick of journalists banging on about this bug so we're going to go back on our support policy to shut you up just this once".
The interesting dilemma now is: what happens next time? If a remote execution vulnerability is an "overblown" one, then what happens when the next vulnerability arises that is serious enough not to be deemed "overblown"? Where will this leave Microsoft's policy on XP security patches? Presumably their official line isn't "we refuse to patch security vulnerabilities, except the overblown ones"...?