Calls news coverage of IE vulnerability ‘overblown,’ but patches IE6, IE7 and IE8 on XP anyway
May 1, 2014
Microsoft today shipped an emergency update for Internet Explorer to close a hole that hackers had already been exploiting.
But in an unexpected move, Microsoft allowed Windows XP machines to receive the update, even though it had long held that the 13-year-old operating system had absolutely, positively retired on April 8.
“I’m surprised they went out-of-band at all,” said Andrew Storms, director of DevOps at security company CloudPassage, using the term for an emergency update outside the normal monthly patch cycle Microsoft maintains. “While there was a lot of talk about this zero-day, it was mainly focused on the XP angle.”
In fact, today’s turnabout was bigger news than the security update itself, something Microsoft tacitly acknowledged by publishing a long blog post that dealt not with the patch or the vulnerability, but with its decision to give XP customers a break.
In that post, Adrienne Hall, a general manager in Microsoft’s Trustworthy Computing group, made plain that today’s release was the exception, not the rule, going forward. “We made this exception based on the proximity to the end of support for Windows XP,” Hall wrote.
Microsoft dropped XP from its support list three weeks ago.
But Storms questioned whether Microsoft had, knowingly or not, set a precedent that outsiders would cite each time a new vulnerability in Windows XP appeared.
“For me it begs the question: So when exactly is the end of life date for XP?” Storms said in an interview conducted via instant message. “What if there is another zero-day next week or next month? When is Microsoft really really really going to put their foot down? So I’m surprised they went against their word on the end of life date. It just leaves open the door for more patches either to XP or other