In-depth

Why Microsoft is guilty of bad parenting with the IE XP update

Microsoft should have employed tough love tactics and excluded XP users from the latest Internet Explorer patch, argues Davey Winder

Almost exactly a month ago I wrote about the forthcoming Windows XP Zombie Apocalypse, as the veteran operating system enters end of life and stops receiving official support and security updates from Microsoft.

So imagine my surprise when Microsoft issued an out of band emergency update last week for an Internet Explorer zero-day flaw that was being exploited in the wild.

The fact Internet Explorer was being patched for yet another vulnerability warranted no surprise at all, but there were more than a few raised eyebrows at the news XP users were being included in the rollout of this fix.

There's an argument to be made that Microsoft had no choice but to include XP users in the security update process. If they hadn't, that would leave upwards of 30 per cent of all Internet Explorer users open to attack.

It's not an awfully compelling argument as far as I am concerned, especially as XP users have been warned many times during the last few years to make the move to a more secure OS.

Leaving older versions of Internet Explorer unpatched could have led to cries of "told you IE was insecure" from the Microsoft naysayers. But that still doesn't make rolling out this update to XP users the right thing to do. In fact, I'd say it's a case of bad parenting.

Bad kids

Every parent knows teaching their kids right from wrong and protecting them from harm is never an easy task, and often results in some difficult decisions being made. It's what my old mum would call "being cruel to be kind" by applying short-term hardship for long-term benevolence.

In this sense Adrienne Hall, who is the General Manager for Trustworthy Computing at Microsoft, is being a bad mother.

She is sending conflicting messages to the already stubborn brigade of XP hangers-on by stating on the one hand that "threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade" while on the other adding "we've decided to provide an update for all versions of Windows XP."

The mixed messages don't stop there. Mummy Hall insists the decision was made "based on the proximity to the end of support for Windows XP" and in the next breath insists that the reality is that there were "a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown."

So let me get this straight, Mrs Microsoft: You've been telling users to move away from XP before end of life status was reached because it would become a security liability. You reach that end of life status and an 'overblown' threat appears that results in you immediately backtracking. How does that kind of knee jerk reaction help anyone?

It doesn't help encourage people, including many enterprises (especially at the smaller end of the business spectrum), to get moving and change to a more secure OS.

It doesn't help people sticking with XP to be any safer, in the long-term. Or even the short-term, because if you don't think there is going to be another zero-day, or that there aren't other zero-days being exploited already, then you are living in cloud cuckoo land.

It doesn't help that once you've warned your OS children in the sternest terms they need to change their behaviour, that you then treat them to an extra hug and go straight back to the "you still need to upgrade" message.

Web browsers of all flavours are dish of the day to the bad guys. Seriously, they are right at the top of the menu when it comes to the most attractive attack routes.

You only have to look at the sheer number of security patches applied to them, and - in particular - Internet Explorer month in and month out.

Old browsers are even more likely to give the IT support folk a severe case of the runs. A single out-of-band fix for a vulnerability does not make a browser safe, yet that's going to be the message XP users are likely to take away. A message that couldn't be more wrong.

And when the next set of Microsoft patches comes rolling out (if not this month, then next) there will most likely be some mention of an Internet Explorer vulnerability that has been fixed for everyone but XP users.

Those who will be at risk from the bad guys, who know the chances are that a vulnerability for a later version of IE will probably work quite nicely on an earlier, and now unpatched and unprotected, one as well.

In my opinion, Microsoft should have grown a pair and simply not included XP users in the latest IE patch.

Especially if, as it insists, it wasn't really that serious in the first place. By taking the tough mummy approach, Microsoft might just have found the immediate short, sharp shock XP business users need to show them they don't actually know it all and the time to upgrade has arrived.

Instead it has just given them a reason to flick the Vs and say I told you so, feeling smug in the knowledge that Microsoft backed down and didn't ground them. The trouble is, smugness and security really don't mix.
