Why Microsoft really patched XP

Status
Not open for further replies.

Prorootect

Thread author
Nov 5, 2011
Why Microsoft really patched XP : on nothingjustworks.com : http://nothingjustworks.com/why-microsoft-really-patched-xp/
Despite claiming MS would release no more security fixes for Windows XP, it has patched the recent hole in IE which received this now infamous warning from US-CERT.
Long story short, it hurt their IE brand. MS no longer has to worry about reputation management for the XP brand, but they sure do for IE.
Can you imagine the conventional wisdom for IE being, “Don’t use it, ever. It has known holes that MS refuses to fix.” Even with the qualifier, “Only on XP,” it would be a PR nightmare for a browser that isn’t exactly well loved.
So where does this leave MS now? Arguably, they’re going to continue to patch XP for non-paying extended support customers depending on the severity of the exploit and especially if it affects IE. We probably won’t see anything patched outside of serious IE vulnerabilities or maybe a Conficker-type vulnerability that can be exploited remotely. Serious vulnerabilities like privilege escalation that crop up occasionally will remain unpatched.
What does this extended support mean for web developers? IE8 on XP is alive and well, apparently. This is a five-year-old browser with a poor feature set compared to modern browsers. I remember watching my remaining IE6 traffic disappear almost completely in a 12-month span about three years ago, only to be replaced with IE8. Is IE8 the new IE6? Maybe, but what’s for certain is that this kind of extended support is just going to make the problem worse.
Of course, the larger question is why aren’t we all using EMET, which thwarts this, and other, vulnerabilities without patching? I tested it in my environment, and Sophos refused to let IE run when EMET was running. Sophos support had no resolution. If third-party AV companies can’t work with first-party utilities, what hope is there of Joe User or Joe Corporate Admin rolling this stuff out and expecting it to work without major issues?
The protections EMET offers are pretty impressive. I wonder why these protections aren’t enabled by default. This would be a good differentiator for Windows 9. I could see a business-friendly version of Windows with less focus on the Modern mobile-like UI and a return to the full features of the Start menu. Now, imagine it with EMET on by default with an option for admins to disable it via a whitelist. One can dream.
 