Today's release of security updates for Windows XP, Windows 8 and Windows 8.1 signals an about-face by Microsoft. In the wake of the WannaCry outbreak, the intention was to stem the spread of a virulent and damaging ransomware attack. But should the company keep patching an operating system that has been out of mainstream support for over eight years and out of extended support for three?
In response to my story earlier today, rickinoz made the following comment:
This is an interesting dilemma between:
- patch XP to reduce the prevalence/impact of exploits globally
- don't patch XP as a lever to force users to update to a newer version
One of my friends also said "Microsoft folds and releases Wannacry fixes for Windows XP and Server 2003. I don't think they could have done anything else".
Microsoft did a lot to make the switch to Windows 10 as easy as possible. While it was not always an easy transition, it was a free update for some time. And they pushed the update out, making it reasonably easy for people to execute the update.
As many experts have said, the two best defensive measures against malware attacks are keeping software up to date and maintaining tested offline backups.
While I maintain most people learn the backup lesson the hard way, either through their own bitter experience or by witnessing the angst of a friend first hand, we don't seem to get the message when it comes to software updates.
I think it's time for Microsoft to take a hard line and say - it's time. The best way to patch your old software is to ditch it.
Where that is not possible, isolate it from your network and the internet and surround it with the best perimeter security needed based on the value of the data on that system.
Was Microsoft right to patch Windows XP again? Should they say "enough is enough"? Or should they continue to issue patches for critical flaws indefinitely?