Windows XP: Microsoft can't wash its hands of the security problem so easily

Summary: Microsoft might want to draw a line under Windows XP; hackers and users will be reluctant to let it off the hook.


Late last week, Microsoft published an unexpected security update for a flaw in its Internet Explorer browser. Even more unexpected, the patch also covered Windows XP, which Microsoft officially stopped supporting back in early April.

Microsoft explained the change of heart by saying it had provided the security update "based on the proximity to the end of support for Windows XP".

For those companies scrambling to rid themselves of the last of Windows XP, this additional security update gives them a bit of extra security while they rush to complete their projects, and as such, Microsoft's gesture should be praised as decent and generous.

And perhaps Microsoft had always planned one last extra XP security update, if only to remind those still clinging to the venerable operating system of just what they would be missing when support disappeared forever.

But it's a move that has also infuriated and confused some — the IT managers who have been pushing their bosses to find money for a Windows upgrade based on the end of security support might feel a little silly now, for example. More of a problem is that it also gives hope to those that haven't upgraded — they will now be thinking that next time there is a big security problem, Microsoft will still be there to save them.

And the problem for Microsoft is that there are still an awful lot of people out there on XP. Windows XP users are hardly cutting edge, but they're certainly tenacious.

According to NetMarketShare research, XP still accounts for 26 percent of the PCs connecting to the internet, a number that is down a mere two percentage points from March, suggesting there was little in the way of last-minute switching away from XP before Microsoft finally pulled the plug on support. Windows 7 still has almost half — 49 percent — of the market, while Windows 8 and 8.1 have grabbed just 12 percent combined. 

So despite warnings from Microsoft — for years — that XP support would finally be ending, a quarter of PCs on the web are still running an antique and out-of-support operating system. It's an unparalleled situation in IT security.

There will inevitably be more serious security flaws that will affect Windows XP. Already, security company FireEye is warning of exploits using the latest IE flaw that deliberately target Windows XP. And one in four PCs running an operating system without any new security updates is a hacker's dream.

There will continue to be pressure on Microsoft to provide fixes for every major new security flaw, and now the company has done it once, there will be calls to do it again (a situation further complicated by the fact Microsoft is still supporting a number of organisations on XP through its extended support programme). What happens at the next Microsoft Patch Tuesday will be interesting, shedding more light on whether Microsoft will continue to help out XP users in the long term.

There's no easy answer here. Microsoft has every right to end support; Vista, Windows 7 and Windows 8 have all been built since Windows XP, yet it has only just wound down support for the antique OS. Twelve-and-a-half years of support is a long time even in the world of enterprise software. But that doesn't mean that Microsoft will be able to rid itself of the XP security headache very easily.

ZDNet's Monday Morning Opener is our opening salvo for the week in tech. As a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.

  • And they'd be idiots.

    "More of a problem is that it also gives hope to those that haven't upgraded — they will now be thinking that next time there is a big security problem, Microsoft will still be there to save them."

    Microsoft has ended support for Windows XP. The fact they released a patch after the fact means nothing. They did it out of generosity because it was so close to end of support. No one should be counting on them to do it again. Anyone doing so is an idiot.
    • who needs M$
      • This is just another mitigation strategy ...

        ... which will work just as long as it is cost-effective for 2XLifeCyclePlus to support Windows XP (which will not be forever). If it truly is nothing more than a replacement shell, it will not please others any more than the Windows 7 shell which so many of these XP holdouts simply refuse to accept. It also urges the user to keep their XP AV software up to date. Soon, it will be too expensive for AV vendors to support XP as well.

        The bottom line is that the older XP gets, the harder it will be to find anyone who will support it. If you no longer like what Microsoft has to offer, it is incredibly naïve to think that is going to change, so the sooner you abandon Microsoft the better off you will be.
        M Wagner
        • Nothing to do with age

          Getting support for Microsoft XP has nothing to do with the age of the OS, but by how many users there are. Even if there were only 10% of all computers on Windows XP, that would still be an enormous number of customers to sell software and compatible hardware to.
        • So your suggestion

          to those who are unconvinced by Windows 7 and 8, is to dump XP and start using - what? If a person is uncomfortable leaving XP, they are hardly going to want to use OSX or Linux now, are they?
          • Of course not! Still, any mitigation strategy is better than none ...

            ... but it is naïve to think that it is a final solution. This third-party vendor will support the solution as long as they can profit from it.

            In the end, (when their hardware eventually becomes un-repairable) or, perhaps sooner, when they need to buy new software which will not run under Windows XP, they are going to have to choose. (If they do not like Windows 7, they are not going to like Windows 9 either.) The longer they wait, the more money they will spend to transition - to whatever they choose. In the meantime, many (if not most of them) will just take their chances.
            M Wagner
    • Generosity my foot. They did it because their

      PR and/or legal team calculated the cost of not doing it would be prohibitive.
      • What cost?

        "PR and/or legal team calculated the cost of not doing it would be prohibitive."

        I agree it was a goodwill gesture for PR reasons.
    • XP

      yes nice, just be a sheepie and go with lining the MicroSoft pockets again
      • They don't have to "line Microsoft's pockets" - but sooner or later ...

        ... they are going to have to pay someone to provide them with computing resources. It is better to be prepared for the next solution than it is to wait until something breaks.
        M Wagner
      • I don't understand comments like yours

        "just be a sheepie and go with lining the MicroSoft pockets again"

        Companies make profits to stay in and expand business. Consumers buy products. What does "lining the MicroSoft pockets" have to do with anything?
      • It's all about the $$$$ with Microsoft

        Sure, they're not charging anything for the security patch - but with MILLIONS of downloads, they can make it up in volume. (Right?)
        • What is profitable about a security download?

      • Is that bad?

        Each time you pay for something you need somebody's pocket is being lined. Exactly the same reason why your boss is paying you for your time and expertise, assuming you're working for someone.
      • A strange way to line one's pockets...

        How can Microsoft line their pockets maintaining a product that no longer generates any revenue?
    • support for XP

      They did not fix a security problem with XP. They fixed a security problem with IE8; IE8 was on Vista and W7 too. They fixed a security problem that would still exist on any Vista or W7 machine that had not updated to IE9, 10 or 11 (whose security problem was also fixed). It is just a fact that when they fixed IE8 for Vista and W7 it also fixed it for XP. Post Hoc Ergo Propter Hoc: it is not correct to say they did a patch for XP.
      earl harbeson
      • and also ... the bug had been out since Jan

        Also, the bug had been out and reported since January 2014 ... I'm not a lawyer .. but I would figure someone might argue that Microsoft knew about the vulnerability and might have played the "we're going to hold off and not patch it when we can" game. Or at least I'd hope a set of lawyers would do..

        And besides I like the alternative even more ... don't use IE. :) I use Firefox and Chrome.
    • re: And they'd be idiots.

      Then they are idiots. Or didn't you get the memo that M$ just inked a custom deal to continue support for XP in England?

      Please keep up.
      • That deal with the UK is part of a plan in the UK to complete their ...

        ... transition to Windows 7. They are paying millions of dollars for a one-year extension of support from Microsoft. If these large organizations were not paying for this extension, Microsoft would have had no income from XP and thus no incentive to fix XP.
        M Wagner
    • Idiots?

      Idioticness is a fact of life. Idiotisizing is not grounds for punishment.
      Producto Endorsair