Microsoft had to patch Windows XP

With a high-profile bug so close to XP's end of support, there was very little upside for Microsoft in being strict. This sort of thing has happened before.
Written by Larry Seltzer, Contributor

Much of the news about the recent Internet Explorer zero-day attacks had to do with the prospect of Windows XP not being patched. This was in spite of the fact that the actual attacks in the wild didn't work on Windows XP. Even so, Microsoft decided to patch Windows XP, even though it passed its expiration date several weeks ago.

They really had no choice. By not patching XP today they would have taken a stand which was very defensible, as the warning of this happening is years old. But there would have been lots of bad press and concern for the poor XP users.

I've already heard people say that this won't be the last XP update, but it might be. It depends on how long it is until the next severe vulnerability and, in particular, the next zero day.

Something similar happened in early 2005. Support for Windows NT 4 had ended in December 31, 2004, and it was a server operating system of great importance at the time. So when CAN-2005-0050 came out, "MS05-010 — Vulnerability in the License Logging Service Could Allow Code Execution (885834)," Microsoft released an NT4 update even though it had said it wouldn't and, just as with XP, they had been warning users for years.

Microsoft did take one measure to show NT4 users that things were changing: the update was not put on Windows Update and had to be downloaded from the Microsoft Download Center and installed manially. The advisory contains the company's explanation:

Windows NT Server 4.0 Service Pack 6a and Windows NT Server 4.0 Terminal Server Edition Service Pack 6 reached the end of their life cycles on December 31, 2004. On this rare occasion, we believe that this vulnerability presents a serious risk to a broad number of customers. We have previously communicated that we reserve the right to produce updates in these situations. We determined that the best course of action to help protect customers was to release this security update. Therefore, we have decided to release a security update for this operating system version as part of this security bulletin. However, since Windows NT Server 4.0 is no longer in support, this security update will only be available on the Microsoft Download Center and will not be available through Windows Update.
We do not anticipate doing this for future vulnerabilities that may affect this operating system version, but as mentioned previously, we reserve the right to produce updates and to make these updates available when necessary. It should be a priority for customers who have this operating system version to migrate to supported operating system versions to prevent potential exposure to vulnerabilities.

MS05-010 was the last update released for Windows NT 4.

So it depends on what happens. The first Patch Tuesday of the XP end-of-service era is 12 days from now. Let's see if there are Windows bugs not fixed in XP then. I'm betting that's when they start to take a stand. But even so, we're still close enough that if something severe and unexpected comes up, we might still see the next of the final updates to XP.

Editorial standards