
Why Microsoft is guilty of bad parenting with the IE XP update

Microsoft should have employed tough love tactics and excluded XP users from the latest Internet Explorer patch, argues Davey Winder

Almost exactly a month ago I wrote about the forthcoming Windows XP Zombie Apocalypse, as the veteran operating system enters end of life and stops receiving official support and security updates from Microsoft.

So imagine my surprise when Microsoft issued an out of band emergency update last week for an Internet Explorer zero-day flaw that was being exploited in the wild.


The fact Internet Explorer was being patched for yet another vulnerability warranted no surprise at all, but there were more than a few raised eyebrows at the news that XP users were being included in the rollout of this fix.

There's an argument to be made that Microsoft had no choice but to include XP users in the security update process. If they hadn't, that would leave upwards of 30 per cent of all Internet Explorer users open to attack.

It's not an awfully compelling argument as far as I am concerned, especially as XP users have been warned many times during the last few years to make the move to a more secure OS.

Leaving older versions of Internet Explorer unpatched could have led to cries of "told you IE was insecure" from the Microsoft naysayers. But that still doesn't make rolling out this update to XP users the right thing to do. In fact, I'd say it's a case of bad parenting.


Bad kids

Every parent knows teaching their kids right from wrong and protecting them from harm is never an easy task, and often results in some difficult decisions being made. It's what my old mum would call "being cruel to be kind" by applying short-term hardship for long-term benevolence.

In this sense Adrienne Hall, who is the General Manager for Trustworthy Computing at Microsoft, is being a bad mother.

She is sending conflicting messages to the already stubborn brigade of XP hangers-on by stating on the one hand that "threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade" while on the other adding "we've decided to provide an update for all versions of Windows XP."

The mixed messages don't stop there. Mummy Hall insists the decision was made "based on the proximity to the end of support for Windows XP" and in the next breath insists that the reality is that there were "a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown."


So let me get this straight, Mrs Microsoft: You've been telling users to move away from XP before end of life status was reached because it would become a security liability. You reach that end of life status and an 'overblown' threat appears that results in you immediately backtracking. How does that kind of knee-jerk reaction help anyone?

It doesn't help encourage people, including many enterprises (especially at the smaller end of the business spectrum), to get moving and change to a more secure OS.

It doesn't help people sticking with XP to be any safer in the long term. Or even the short term, because if you don't think there is going to be another zero-day, or that there aren't other zero-days being exploited already, then you are living in cloud cuckoo land.


It doesn't help that, once you've warned your OS children in the sternest terms they need to change their behaviour, you then treat them to an extra hug and go straight back to the "you still need to upgrade" message.


Web browsers of all flavours are dish of the day to the bad guys. Seriously, they are right at the top of the menu when it comes to the most attractive attack routes.

You only have to look at the sheer number of security patches applied to them, and to Internet Explorer in particular, month in and month out.

Old browsers are even more likely to give the IT support folk a severe case of the runs. A single out-of-band fix for a vulnerability does not make a browser safe, yet that's going to be the message XP users are likely to take away. A message that couldn't be more wrong.

And when the next set of Microsoft patches comes rolling out (if not this month, then next) there will most likely be some mention of an Internet Explorer vulnerability that has been fixed for everyone but XP users.


Those are the users who will be at risk from the bad guys, who know the chances are that a vulnerability for a later version of IE will probably work quite nicely on an earlier, and now unpatched and unprotected, one as well.

In my opinion, Microsoft should have grown a pair and simply not included XP users in the latest IE patch.

Especially if, as it insists, it wasn't really that serious in the first place. By taking the tough mummy approach, Microsoft might just have found the immediate short, sharp shock XP business users need to show them they don't actually know it all and the time to upgrade has arrived.

Instead it has just given them a reason to flick the Vs and say I told you so, feeling smug in the knowledge that Microsoft backed down and didn't ground them. The trouble is, smugness and security really don't mix.
