Patching the wrong product — a bad thing?

Microsoft warns that using Windows POSReady patches on a regular Windows XP system could cause problems. How seriously should you take this?
Written by Larry Seltzer, Contributor

Microsoft's reaction to the news yesterday that a simple hack could effectively extend security updates for Windows XP for five years was careful, but the company's tone was clear:

"We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1."

You really don't want to do this, they say. Even so, I have to think that the most credible part of the statement is the last sentence: Users of Windows XP really ought to upgrade to a better, more secure operating system. A hack like this is just an excuse for putting off what you really ought to be doing.

What about Microsoft's other claims, i.e. that the patches may not be appropriate for a Windows XP system or that you might not be properly protected by them? It seems as though Microsoft is overplaying its hand here. There's every reason to believe that the point-of-sale (POS) versions of Windows are just desktop Windows with some extra device support.

Have you ever seen a Windows-based point of sale system? I've seen a few, and to me they look like Windows PCs with some extra devices. In fact, if you were Microsoft designing a point of sale system, why would you do it any other way?

Making the POS edition as close as possible to the mainstream version allows ISVs, IHVs, and OEMs to adapt to the new version as quickly and easily as possible.

Developers can work on software on a regular Windows desktop. System vendors need only do the most minor repackaging, or no repackaging at all. That seems to be what Dell did with some of its Windows POSReady systems. The Optiplex XE (designed for POSReady 2009, now discontinued), marketed as a POS platform, sure looks like a desktop computer.

In fact, they call it (emphasis mine) an "OEM- and POS-ready desktop available in two sizes and featuring an adaptable, heat-tolerant design."

I'm not sure why a POS system needs to be hardened against tough environmental conditions more than a regular PC, but this one is. They have also added things like RS-232 serial ports, which haven't been in PCs for ages, probably because some older POS external devices use them. The newer Optiplex XE2 shares many of these characteristics, but there's no mention of POS on that page. I can only assume the XE POS line flopped. So now it's just a somewhat-ruggedized PC.

Microsoft also points out that the updates that show up after you hack the XP system "...are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers."

Well, not exactly.

In fact, if you look up the KB numbers for them, KB2932079 and KB2931365, you'll see the full names of the updates are:

  • MS14-026: Description of the security update for the .NET Framework 2.0 Service Pack 2 on Windows XP and Windows Server 2003: May 13, 2014
  • MS14-026: Description of the security update for the .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2: May 13, 2014

Oops. I guess they really are designed for Windows XP. The references to Windows XP have been removed from the descriptions displayed by Windows Update on a hacked Windows XP system, but not from the KB articles. 

It's remarkable, at least in retrospect, that in March 2009, Microsoft released a new product — a new edition of Windows — based on Windows XP. Windows Embedded POSReady 2009 was released over 2 years after Windows Vista, shortly before the release of Service Pack 2 for Windows Vista and only about six months before the release of Windows 7.

And at a time like that they chose to give 10 more years to the Windows XP platform? In hindsight, it's hard to see what could justify this, but I think the problem should have been obvious in foresight as well.

So what's Microsoft to do?

My money's on some sort of update going out to counter the hack and stop updates on Windows XP again. It could get tricky, especially if the change requires an update to the Windows Update controls in Windows XP, but if I were Microsoft, I would do it, and I'd say it was for the users' own good. Whether it really is for their own good is complicated.
