Is Microsoft’s Decision to Patch Windows XP a Mistake?

17

Well known Microsoft observer Dr. Pizza (Peter Bright) has written an editorial criticizing Microsoft’s decision to patch IE on Windows XP.

The decision to release this patch is a mistake, and the rationale for doing so is inadequate.

A one-off patch of this kind makes no meaningful difference to the security of a platform. Internet Explorer received security patches in 11 of the last 12 Patch Tuesdays. Other browsers such as Chrome and Firefox receive security updates on a comparable frequency.

The security of a browser is not contingent on any one bugfix; it’s dependent on a continuous delivery of patches, fixes, and improvements. One-off “exceptions” do not make Internet Explorer on Windows XP “safe.” There’s no sense in which this patch means that all of a sudden it’s now “OK” to use Internet Explorer on Windows XP.

And yet it seems inevitable that this is precisely how it will be received. The job of migrating away from Windows XP just got a whole lot harder. I’m sure there are IT people around the world who are now having to argue with their purse-string-controlling bosses about this very issue. IT people who have had to impress on their superiors that they need the budget to upgrade from Windows XP because Microsoft won’t ship patches for it any longer. Microsoft has made these IT people into liars. “You said we had to spend all this money because XP wasn’t going to get patched any more. But it is!”

Bosses who were convinced that they could stick with Windows XP because Microsoft would blink are now vindicated.

……

Although I often disagree with Dr. Pizza I absolutely agree with him in this case. Microsoft “blinking” is not limited to this situation either. It is a company wide problem. We have seen them to do it with Windows 8, Xbox, email policies and much more. Microsoft has a fundamental problem in thinking through a problem and sticking with it. The company is also oversensitive to media criticism and often reverses decisions for more favorable press coverage. This creates a never ending loop where a small minority, but vocal group, can make enough noise to get Microsoft to change a decision they had made. Microsoft needs to show they can make decisions and stick with them and the noise will dissipate over time.

Read Peter Bright’s full analysis at ArsTechnica

About Author

Suril is a scientist, journalist and obsessive Microsoft observer. He holds an advanced degree in Biotechnology with minors in Biochemistry, Microbiology, and Molecular Biology. Send him tips on twitter: http://www.twitter.com/surilamin

  • koenshaku

    I disagree, I think since the issue did exist since IE 6 to IE 11 which was probably an exploit for the NSA, but anyway it should have been patched across the board and the press telling people to use Chrome or Firefox was a big deal, because I had people even switching at my job before talking to myself. Point is the damage has already been done and I am sure it has increased google’s browser market share and has made mac users cling to their devices all the more. When an exploit like this gets this much press script kiddies flock to it and it left XP as a lamb to the slaughter MS made a patch for businesses that continue support for XP for a large price they may as well spread the love since it was such a long existing exploit coupled with the bad press airing on TV.

  • Guest

    Damn it XP, I just can’t quit ya’.

  • NegLewis

    NO.
    it’s like 20% of the world PC’s.
    MS should update XP. Should be called Modern XP. Should cost like $20 for another 12 months of support…
    Patch it and add all modern algorithms and drivers (HDD, Indexing, API/Software…) and the OS UI … Make it more like Metro. Add support for Modern UI/Apps/App Store.

    This would take max. 1-2 months for a single MS Employee.
    The end result would be phenomenal… 20% of People/PC’s would start understanding Metro…

    This shows how hard is for regular people to buy another devices… and for the industry to replace their old machines…

    Meanwhile MS will release V1 of it’s MegaBite FootPrint Windows OS…

    XP on a PC is like a dead Horse… beating it… solve nothing.
    MS will NEVER be able to force “those” people to upgrade/update… because those PC’s are just too old…

    • cr_buck

      Wow. 1-2 months for a single employee. I hope I’m just missing a joke because it takes a couple of developers months to develop a small app let alone restructure an OS and validate changes.

      • TURNERO

        I don’t think you understand the enormity of the test matrix for Windows.

        • cr_buck

          I think you replied to the wrong person. I was saying just that about the original poster. I used to be a programmer and saying 1-2 months for 1 person is vastly underestimating the scope of the task.

          • NegLewis

            I think we get it :)
            I bet that a MS/XP makeover will take that long… even less. :)
            (I hope people understand that I am slightly exaggerating … just slightly).

            When you have 20% of your revenues sucked into an old age product and you just STOP supporting it… it means ONE thing alone: YOU are a crazy MF.

            W8 hardware requirements are a JOKE. I can run W8 on a single core Atom at 1.x GHz without any major problems…

            MS could lower W8 hard. req. and let those sub 1GHz “lazy bastards” upgrade “for free” … or update XP to be more like Metro… this will take WAY MORE less than waiting for 20% of the industry to dye or upgrade/update…

    • koenshaku

      Easier said than done hardware requirements limit most of those features and most low to mid-range XP systems cannot even meet the windows 8 hardware requirements. I am going to pop 2gb of ram into some of the older dell OptiPlex Pentium 4 systems at my job and see if they will run on the volume license of windows 8.1 I just put in for.

      • cr_buck

        Funny things is I have ignored the requirements and put it on old XP systems and they ran better and faster with Windows 8 than Windows XP. XP for me as a clean install never ran decent without at least 2GB of RAM to begin with.

  • Mikhail Kutyin

    Calling it a mistake is a bit overreacting. Microsoft said explicitly that this patch is a one-off, and only because the support period ended just recently. As for the IT people who could be called liars, just wait for another patch tuesday. If there aren’t any updates for XP, then it’s really over.

  • iamakii

    Hallelujah Peter!

  • redtidal

    You will damned if you do, and damned if you don’t.

    It happened, already.

  • grs_dev

    It’s a huge mistake.
    Microsoft is better off releasing IE 11 for XP that plugs the hole instead of patching XP directly. It would have been better for the users and better for business.
    Microsoft, make XP patches available only by installing the latest and greatest version of IE.
    Good luck!

    • NegLewis

      IExx == NEW directx + new hardware (API) + abstraction layers… ++
      It’s more to IExx than just a number. IE6 has absolutely nothing in common with IExx… software-wise…

      • grs_dev

        Ummm. OK fine. I am not talking about a number. If IExx can be adapted to run on different Operating Systems (Win 7, Win 8, Win 8.1, Win Phone 8.1, etc) then there is no reason why the same code base cannot be adapted to run on XP.

        Worst case scenario, Microsoft could release a IExx (XP Edition) or something.

        The point I was trying to make was a business one, and it is that patching Windows XP is not a good business decision after they exhausted the world with their claims about how support was going to end and that there was nothing that anyone could do about it.

        Well it turns out that there is something that could be done. It’s called find the defects.

        Doing the right thing here can ultimately be a Win-Win for all involved sides.

        #1 The users must be protected and that should not come at a new cost to the user.

        #2 Microsoft could and should be able to use these opportunities to further strengthen its user adoption of its products.

        #3 Communications that are planned, coordinated, and executed at a global massive scale should become worthless. Otherwise why even do them if Microsoft wasn’t even prepared or willing to handle all the potential outcomes.

        Were they surprised that this exploit popped up when it did? That would be ultra naïve on their behalf. I’d like to think that they have more mature middle and sr. leaders who know better…

        My proposal simply says that Microsoft could do the right thing and continue to stick to its plans all in one shot.

  • NGM123

    What a goose. MS damned if they do and damned if they don’t. Better to release a patch for what appears to be a major security problem in the interests of good customer relations. Fact is in most cases they wont get support so they still have to switch but to abandon a huge slice of the enterprise community with regard to such a highly publicised breach would have left MS in a bad light, this just goes to show the level of support they do offer enterprise and another good reason to buy windows when they finally do get around to switching…..idiot.

  • Danny Dodge

    Dr Pizza…