Why Microsoft is guilty of bad parenting with the IE XP update

Almost exactly a month ago I wrote about the forthcoming Windows XP Zombie Apocalypse, as the veteran operating system enters end of life and stops receiving official support and security updates from Microsoft.

So imagine my surprise when Microsoft issued an out of band emergency update last week for an Internet Explorer zero-day flaw that was being exploited in the wild.

The fact that Internet Explorer was being patched for yet another vulnerability warranted no surprise at all, but there were more than a few raised eyebrows at the news that XP users were being included in the rollout of this fix.

There's an argument to be made that Microsoft had no choice but to include XP users in the security update process. If they hadn't, that would leave upwards of 30 per cent of all Internet Explorer users open to attack.

It's not an awfully compelling argument as far as I am concerned, especially as XP users have been warned many times during the last few years to make the move to a more secure OS.

Leaving older versions of Internet Explorer unpatched could have led to cries of "told you IE was insecure" from the Microsoft naysayers. But that still doesn't make rolling out this update to XP users the right thing to do. In fact, I'd say it's a case of bad parenting.

Bad kids

Every parent knows teaching their kids right from wrong and protecting them from harm is never an easy task, and often results in some difficult decisions being made. It's what my old mum would call "being cruel to be kind" by applying short-term hardship for long-term benevolence.

In this sense Adrienne Hall, who is the General Manager for Trustworthy Computing at Microsoft, is being a bad mother.

She is sending conflicting messages to the already stubborn brigade of XP hangers-on by stating on the one hand that "threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade" while on the other adding "we've decided to provide an update for all versions of Windows XP."

The mixed messages don't stop there. Mummy Hall insists the decision was made "based on the proximity to the end of support for Windows XP" and in the next breath insists that the reality is that there were "a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown."

So let me get this straight, Mrs Microsoft: you've been telling users to move away from XP before end of life status was reached because it would become a security liability. You reach that end of life status, an 'overblown' threat appears, and you immediately backtrack. How does that kind of knee-jerk reaction help anyone?

It doesn't help encourage people, including many enterprises (especially at the smaller end of the business spectrum), to get moving and change to a more secure OS.

It doesn't help people sticking with XP to be any safer in the long term. Or even the short term, because if you don't think there is going to be another zero-day, or that there aren't other zero-days being exploited already, then you are living in cloud cuckoo land.

It doesn't help that, once you've warned your OS children in the sternest terms that they need to change their behaviour, you then treat them to an extra hug and go straight back to the "you still need to upgrade" message.

Web browsers of all flavours are the dish of the day for the bad guys. Seriously, they are right at the top of the menu when it comes to the most attractive attack routes.

You only have to look at the sheer number of security patches applied to them, and to Internet Explorer in particular, month in and month out.

Old browsers are even more likely to give the IT support folk a severe case of the runs. A single out-of-band fix for one vulnerability does not make a browser safe, yet that's the message XP users are likely to take away. A message that couldn't be more wrong.

And when the next set of Microsoft patches comes rolling out (if not this month, then next) there will most likely be some mention of an Internet Explorer vulnerability that has been fixed for everyone but XP users.

Those users will be at risk from the bad guys, who know the chances are that a vulnerability found in a later version of IE will probably work quite nicely on an earlier, and now unpatched and unprotected, one as well.

In my opinion, Microsoft should have grown a pair and simply not included XP users in the latest IE patch.

Especially if, as it insists, it wasn't really that serious in the first place. By taking the tough mummy approach, Microsoft might just have found the immediate short, sharp shock XP business users need to show them they don't actually know it all and the time to upgrade has arrived.

Instead it has just given them a reason to flick the Vs and say I told you so, feeling smug in the knowledge that Microsoft backed down and didn't ground them. The trouble is, smugness and security really don't mix.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.