Microsoft Reverses Course Will Patch Windows XP for IE Security Flaw

“You can count on us.” That’s how a new blog post from Microsoft concludes after discussing security updates to Internet Explorer in the wake of news of a major security vulnerability that affected all versions of the Microsoft browser from IE 6 to IE 11. That security flaw was made public last weekend and was so serious that it prompted the U.S. Department of Homeland Security to issue a warning that users should probably pick another browser until the vulnerability was patched.

The news also came just a short time after Microsoft had finally pulled the plug on continuing support for Windows XP, which includes security patches. That support ended on April 8, 2014. Given that short juxtaposition of time and the enormity of the security vulnerability, questions were immediately raised as to whether or not Microsoft would backtrack and issue a patch for versions of Internet Explorer still running on Windows XP. Windows XP users cannot update Internet Explorer beyond version 8.

The answer to those questions is yes. Microsoft is issuing patches for all vulnerable versions today according to a post from Adrienne Hall, General Manager, Trustworthy Computing on the Official Microsoft Blog.

The security of our products is something we take incredibly seriously, so the news coverage of the last few days about a vulnerability in Internet Explorer (IE) has been tough for our customers and for us.  We take a huge amount of pride that, among widely used browsers, IE is the safest in the world due to its secure development and ability to protect customers, even in the face of cybercriminals who want to break it.

This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers.  So we did.  The update that does this goes live today at 10 a.m. PDT.

Customers who have automatic updates turned on should see the update automatically or you can manually download the update by using “Check for updates.” The update is now live and does require a restart.

Regarding those using Windows XP, Hall states:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today.  We made this exception based on the proximity to the end of support for Windows XP.

In plain language, this particular remote code execution vulnerability could let hackers gain full user permissions over your computer and allow a hacker to install programs, view and delete data, and much more by visiting a website. We’ve heard of similar zero-day flaws before, but the danger of this new one is magnified by the number of IE versions that are vulnerable.

Kudos to Microsoft for pushing out a patch quickly. And, I’m sure many users still running Windows XP will be grateful that Microsoft decided to reverse course and include support for the patch on their machines.

But the issue does raise an interesting conundrum for Microsoft and XP users going forward, and gives double meaning to the “You can count on us” concluding statement of Ms. Hall’s post.

Don’t get me wrong, given the severity of the security flaw I think it was a good move for Microsoft to reverse its position and issue a patch for the flaw for XP users. But that good move will probably lead to problems down the road.

What will XP users be thinking when the next severe security flaw comes along? Will they be able to “count on” Microsoft to backtrack once again? Will this move delay some from moving away from XP to later Microsoft operating systems? Keep in mind that there was quite a body of thought that feared we would see a rash of exploits targeted at XP users once Microsoft ceased XP support on April 8. That doomsday scenario has not occurred yet and may never occur, but there are obviously still quite a few vulnerable machines out there. Estimates say as many as 400 million PCs and devices.

There are a myriad of reasons why companies and individuals still run XP. Most of those reasons stem from budget concerns. For example, the cost of replacing proprietary business software that runs on XP but not on later versions of Windows.

Prior to Microsoft’s decision to patch XP for this latest security vulnerability there were those who took a hard line view that Microsoft shouldn’t issue a patch for XP machines. After all the operating system is 12 years old.

There is obviously some wisdom in that thinking, and indeed Ms. Hall states quite clearly that even tough this XP update is out now, users do need to seriously think about moving off Windows XP to a later version of the operating system. Curiously, her blog post points only to Windows 7 and not both Windows 7 and Windows 8.

Will Microsoft ever be able to make a clean break from Windows XP? Probably. But at some point that is going to require the guts to stick to such a hard line if Microsoft truly wants users to take them seriously when it says “you can count on us.”