Only three weeks into XP's EOL and the first zero-day flaw has Microsoft running for cover

Today we learned something important about the fate of Windows XP that some of us have long suspected; Microsoft wanted us to think that 8 April was the cut-off for the operating system’s End of Life but that was really a fiction designed for mass consumption.

In fact Microsoft is going to fix serious flaws in this OS (and that includes the integrated elements of IE) for at least a year or two because frankly the alternative would be to watch millions upon millions of holdout users getting owned on a scale no global software house could possibly contemplate.

The first event in this strange afterlife is today’s patch for the serious IE zero-day flaw (advisory 2963983) that emerged earlier this week, but there will be more. We predicted this some weeks ago (‘Why Microsoft will continue to patch the zombie OS’) because it seemed completely obvious. The surprise isn’t that they are issuing a patch but that they are doing so in a matter of days and not weeks.

Here is the key paragraph from Microsoft’s announcement:

“We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

But before people start invoking schadenfreude, let’s applaud the decision to jump on this flaw so quickly. Microsoft has made the right decision because the moral hazard lies with the firm. It made XP, and what happens to it still has the ability to affect how the company is seen.

You could argue that Microsoft was going to have to issue a patch for later versions of IE so adding XP’s earlier incarnation was an easy thing to do, but that is beside the point. What is interesting is whether this will continue, something that will particularly interest those who have agreed to pay for patches as part of Microsoft’s expensive support contracts and now see others getting some of them for nothing. My prediction is that zero days in the kernel and integrated software will always be fixed for the foreseeable future as long as an exploit is known or in the offing.

That doesn't mean that XP is reprieved because many less serious flaws won't be patched. But it does underline the fix the company finds itself in.

“Out of Band updates are a big deal. To interrupt a scheduled development cycle for an emergency patch, or ‘out of band’ release, is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle,” commented Rapid7 global security strategist, Trey Ford.

“One thing particularly of interest is that Microsoft made the decision to issue this patch for Windows XP, which is no longer officially supported. I think this underscores the importance of this patch, and the priority with which it should be deployed.”

XP just has too many users, around 17 percent if April numbers are to be believed. That’s a lot of people. Microsoft said it was finished with Windows XP but the users aren’t finished with Windows XP and that counts for more in a world where users and customers suddenly have some power.