Microsoft’s decision to patch Windows XP is a mistake

Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn't, because the company has included Windows XP in its off-cycle patch to fix an Internet Explorer zero-day that's receiving some amount of in-the-wild exploitation. The unsupported operating system is, in fact, being supported.

Explaining its actions, Microsoft says that this patch is an "exception" because of the "proximity to the end of support for Windows XP."

The decision to release this patch is a mistake, and the rationale for doing so is inadequate.

A one-off patch of this kind makes no meaningful difference to the security of a platform. Internet Explorer received security patches in 11 of the last 12 Patch Tuesdays. Other browsers such as Chrome and Firefox receive security updates on a comparable frequency.

Web browsers are complex. They're necessarily exposed to all manner of potentially hostile input that the user can't really control, and as such, they're a frequent target for attacks. They need regular updates and ongoing maintenance. The security of a browser is not contingent on any one bugfix; it's dependent on a continuous delivery of patches, fixes, and improvements. One-off "exceptions" do not make Internet Explorer on Windows XP "safe." There's no sense in which this patch means that all of a sudden it's now "OK" to use Internet Explorer on Windows XP.

And yet it seems inevitable that this is precisely how it will be received. The job of migrating away from Windows XP just got a whole lot harder. I'm sure there are IT people around the world who are now having to argue with their purse-string-controlling bosses about this very issue and IT people who have had to impress on their superiors that they need the budget to upgrade from Windows XP because Microsoft won't ship patches for it any longer. Microsoft has made these IT people into liars. "You said we had to spend all this money because XP wasn't going to get patched any more. But it is!"

Bosses who were convinced that they could stick with Windows XP because Microsoft would blink are now vindicated.

After all, if Microsoft can blink once, who's to say it won't do so again? The next Patch Tuesday patch for Internet Explorer is almost certainly going to include flaws that affect Internet Explorer on Windows XP: the nature of software means that most flaws in Internet Explorer 7 (supported for the remainder of Windows Vista's life cycle) and Internet Explorer 8 (tied to Windows 7's life cycle) will also be flaws in Internet Explorer 7 and 8 when run on Windows XP. Many of them will also hit Internet Explorer 6.

In fact, this is precisely the pattern we've seen with this flaw. The first in-the-wild exploits hit only Internet Explorer 9, 10, and 11, on Windows 7 and 8. As security firm FireEye reports, it's only later that attacks for (unsupported) Internet Explorer 8 on Windows XP materialized.

Virtually every time Microsoft updates one of its remaining supported platforms, the company will also simultaneously be disclosing a zero-day vulnerability for Windows XP (something Apple has recently been criticized for doing). The patch list for May's Patch Tuesday—less than two weeks away—isn't out yet, but based on Internet Explorer's track record, it's highly likely that it's going to get updated, and it's highly likely that these updates will reveal exploitable flaws on Windows XP.

By Microsoft's "proximity" argument, those flaws should be patched on Windows XP, too. In fact, it's hard to see a time when "proximity" won't be an issue. It's inevitable that Patch Tuesday will reveal exploitable flaws for the unsupported operating system, and it's similarly inevitable that at least some of those flaws will get exploited. With Windows XP's market share as high as it is, there was never any realistic chance that an exploit would not materialize in "proximity" to the end of support.