Microsoft makes one-time exception, patches IE on Windows XP

Calls news coverage of IE vulnerability 'overblown,' but patches IE6, IE7 and IE8 on XP anyway

Microsoft today shipped an emergency update for Internet Explorer to close a hole that hackers had already been exploiting.

But in an unexpected move, Microsoft allowed Windows XP machines to receive the update, even though it had long held that the 13-year-old operating system had absolutely, positively retired on April 8.

"I'm surprised they went out-of-band at all," said Andrew Storms, director of DevOps at security company CloudPassage, using the term for an emergency update outside the normal monthly patch cycle Microsoft maintains. "While there was a lot of talk about this zero-day, it was mainly focused on the XP angle."

In fact, today's turnabout was bigger news than the security update itself, something Microsoft tacitly acknowledged by posting a long blog post that dealt not with the patch or the vulnerability, but with its decision to give XP customers a break.

In that blog, Adrienne Hall, a general manager in Microsoft's Trustworthy Computing group, made plain that today's release was the exception, not the rule, going forward. "We made this exception based on the proximity to the end of support for Windows XP," Hall wrote.

Microsoft dropped XP from its support list three weeks ago.

But Storms questioned whether Microsoft had, knowingly or not, set a precedent that outsiders would cite each time a new vulnerability in Windows XP appeared.

"For me it begs the question: So when exactly is the end of life date for XP?" Storms said in an interview conducted via instant message. "What if there is another zero-day next week or next month? When is Microsoft really really really going to put their foot down? So I'm surprised they went against their word on the end of life date. It just leaves open the door for more patches either to XP or other [outdated] platforms in the future."

Hall also seemed to blame news reports about the flaw -- in particular that most reports led with the fact that XP would be vulnerable -- for forcing Microsoft's hand.

"The news coverage of the last few days about a vulnerability in Internet Explorer (IE) has been tough for our customers and for us," she said to open the blog, then later argued that the IE bug made headlines only because of its timing. "One of the things that drove much of this coverage was that it coincided with the end of support for Windows XP," Hall asserted.

"The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown," Hall added. "Unfortunately this is a sign of the times and this is not to say we don't take these reports seriously. We absolutely do."

Microsoft should not have been surprised that news spread about the IE flaw or that media reports focused on the fact that the bug was the first example of XP's out-in-the-cold situation. Others in the company's Trustworthy Computing group have long predicted that attacks against XP PCs would increase once support for the OS ended, and used the dire forecast to push customers into migrating to something newer.

The update itself, designated MS13-021, was straightforward, at least compared to the ruckus over XP.

MS13-021 patched a single vulnerability in IE6, IE7, IE8, IE9, IE10 and the newest, IE11, on all supported editions of Windows, as well as XP. The bug was rated "critical" for all client versions of Windows -- XP, Vista, Windows 7, Windows 8 and Windows 8.1 -- but "moderate," two steps down in its four-step threat scoring system, for all Windows Server editions.

The critical vulnerability was first reported to Microsoft by FireEye last week. On Saturday, Microsoft issued a security advisory that offered several temporary ways to defend PCs from attacks.

Today's patch can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

This article, Microsoft makes one-time exception, patches IE on Windows XP, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
