
Why Microsoft Shouldn't Patch the XP Internet Explorer Flaw

Posted by Soulskill
from the going-to-take-flak-one-way-or-another dept.
Hugh Pickens DOT Com writes: "Sebastian Anthony argues that Microsoft is setting an awful precedent by caving and issuing a fix for Windows XP. 'Yes, tardy governments and IT administrators can breathe a little easier for a little bit longer,' writes Anthony, 'and yes, your mom and dad are yet again safe to use their old Windows XP beige box. But to what end? It's just delaying the inevitable.' Lance Ulanoff argues that Microsoft can't turn a blind eye to the security of XP users, even though the company ended support for the 12-year-old operating system on April 8, a fact that Microsoft has been warning about for, literally, years. But this won't be the only vulnerability found in XP, says Dwight Silverman. 'If Microsoft makes an exception now, what about the flaw found after this one? And the next? And the one after that, ad infinitum?' Even though Microsoft has released a patch for the IE flaw, and Windows XP is included, it's time to move on – really. 'I don't want to hear that tired "if it ain't broke, don't fix it" line. Hey, XP IS broke, and it will just get more so over time. Upgrade to a newer version of Windows, or switch to another modern operating system, such as OS X or Linux.'"
  • Guy on the Internet says "Shut Down XP."

    Where are the crickets when we need them the most?

    • I have over 200 I can loan for the moment...after that my Bearded Dragon and Chameleons will have a massive feast.
    • I'm a guy on the Internet saying "Shut down XP", you insensitive clod!

  • by Anonymous Coward on Friday May 02, 2014 @04:54PM (#46903441)

    Microsoft is already contractually obligated to program these patches for its thousands of paid XP support customers. It has the right to decide whether the bug is critical enough that the situation warrants releasing the patch to the general XP userbase for free.

    Rest assured that Microsoft is not doing an iota of extra work on this front. It already has the patch. It will also have patches for every XP bug discovered for the next few years. It's just a question of how widely it wants to distribute each one.

    • by mark-t (151149)
      Of course... the problem is that by having this patch available for XP users after the date that they supposedly weren't going to support XP anymore, they've set a precedent that people are going to *expect* Microsoft to continue to issue patches for XP whenever security is involved.... forever.
      • by Xeno man (1614779) on Friday May 02, 2014 @05:38PM (#46903871)
        My god, it's barely been a frigging month since support ended and now they have set a precedent? I don't think so. It's no different than any other company that makes exceptions for just out of warranty.

        It's like having a car with 100,000km warranty and at 100,500km the gas tank falls out. They have every right to tell you it's not covered but most decent dealers will cover you because it's either a known issue or because they want to treat you right as a customer.

        This is no different, the patch was being made regardless and the seriousness of the problem warranted a release. It just happened to fall just on the other side of an arbitrary date. Nothing special has occurred here.
      • Re: (Score:3, Informative)

        by Stormy Dragon (800799)

        If I invite you over to my house for dinner, that doesn't create an obligation to feed you every night.

    • yup.. and I *strongly* suspect there will be a "leakage" of these patches, probably into a downloadable disk image that those who stay with XP will be able to obtain fairly easily.. of course, mom+pop XP user, likely not so much.. but for those in the know, who, for whatever reason, haven't dumped MS for something better (hint: Linux)... They'll be able to find these patches fairly easily. Of course, MS will slap any site down that carries these "unauthorized" patches, but then the game of "Whack-A-Mole" come

      • You think there is going to be an active community of people fixing flaws in Windows XP? Why would anyone do that? Moreover, how would anyone do that? It's not like they have the original problematic source code for core files, how can they patch things without knowing that they aren't breaking something else?

        • by pla (258480)
          You think there is going to be an active community of people fixing flaws in Windows XP?

          Yes, they go by the name "Microsoft".

          MS already has extended support contracts in place that require it to continue keeping XP alive for those customers with deep enough pockets to pay for it. The GP simply meant that those patches will inevitably get leaked to the public, albeit not in a reliable, consistent manner.
  • I thought it was an Internet Explorer patch made available to XP users through XP's auto-update. This is a big difference from an XP system patch.

    • by jonwil (467024)

      Except that (as Microsoft argued at the various anti-trust proceedings) Internet Explorer is part of the OS and can't be separated from it. So this IS a "system patch". Also, this is not really a patch to "Internet Explorer" but (from a quick look at the patch exe) a patch to mshtml.dll (the HTML rendering engine used by Internet Explorer and other things) which is very much part of the OS.

    • XP

      MS should fix IE for Windows Vista and higher. There are repercussions for not following manufacturer guidelines. MS was more than fair with XP.

  • Really? (Score:5, Insightful)

    by Alomex (148003) on Friday May 02, 2014 @04:56PM (#46903465) Homepage

    Does this idiot also let kids play with loaded guns because "that will teach them"?

    I mean, sure don't fix minor flaws, we discontinued support, tough bananas if you keep on using it. But a major security flaw for which you already have the solution? Anyone but a douchebag would release the patch.

    • by raymorris (2726007) on Friday May 02, 2014 @05:02PM (#46903523)

      Agreed. Patching a major security hole isn't the same thing as continuing to provide regular support.

      My company does something similar. We offer an option at purchase where you can choose to forego any direct support and save a few dollars. We've still contacted those customers in the rare case of a significant security update.

      • Oh please it is.

        It is hard and costs money to run a center, find bugs, and then fix them. Billions a year MS spends doing just that. It makes no economic sense for $130 someone paid 13 years ago.

        How often have you ever called Microsoft at work? It is for the security updates right?

        MS should not provide them unless you are willing to pay them. Use Windows 7 otherwise.

        • by kimvette (919543)

          Hint: XP was available for purchase until Windows 7 was released, so most licenses in use were purchased much more recently than 13 years ago. Microsoft attempted to kill it but couldn't because Vista was such a spectacular flop in the marketplace.

        • > How often have you ever called microsoft at work?

          Why would I do that? Microsoft isn't allowed at work. We are a security company.

          > It is for the security updates right?

          Is that like calling Cheney for gun safety tips, and calling Obama for help with economics homework?

    • by 228e2 (934443)
      Parenting fail.

      If your kids are playing with guns, then as a parent you have failed. No simpler way to put it. You were warned not to let kids play with guns for literally years, and now April 8th came, you're still letting them play with guns. I think in this analogy it's time for Child Services to come alleviate you of your kids, since you can't take care of them and have failed to follow simple. Don't give me that "it's impossible, I'm too integrated into my ways". No, it's possible, you failed to work that
      • by pla (258480)
        You were warned not to let kids play with guns for literally years, and now April 8th came, you're still letting them play with guns.

        Except, a dozen years ago, I bought a Nerf dart "gun". Feed it red paper tape, and it makes satisfying but harmless "bangs". Nerf never pointed out, back in 2002, that as of April 8th, 2014, my harmless foam darts would suddenly and randomly turn into armor-piercing explosive rounds.

        Sure, if you worked in enterprise IT and looked at the fine print, you'd know that Micro
    • by Flammon (4726)
      Running IE is like kids playing with a loaded gun? You're the idiot.
      • Running IE is like kids playing with a loaded gun?

        You are right. IE is far more dangerous than mere children with a loaded gun. :)
        I don't have any kids... That is probably for the best.

    • by Livius (318358)

      Anyone but a douchebag would release the patch.

      Then why is Microsoft releasing it?

  • by NoKaOi (1415755) on Friday May 02, 2014 @05:02PM (#46903525)

    The author seems to have no grasp on why there's still so many XP installations out there. Sure, there are a bunch that are just because home users don't know better or offices don't want to spend a few hundred bucks to upgrade, and for those use cases where all that really matters is being able to edit Word documents and browse the web, then his ideas apply. Problem is, there are a ton of users that are using niche software, whose creators have either gone out of business or simply stopped developing upgrades, that won't work on anything other than XP. Upgrading would cost millions to a business and/or affect the work flow of the whole organization. For example, there's super-duper expensive hospital equipment that can only be run by software running on Windows XP. You can't air-gap it, because it has to be networked in order to move data around to actually be useful. Upgrading from XP means scrapping the equipment and spending 6-7 figures for just that one piece of equipment, which is otherwise still working fine. There's other systems that don't necessarily run hardware, but would cost 6-7 figures in implementation to switch systems, and not all businesses that use that software have that kind of spare cash so it's not necessarily that they are just being greedy.

    Yes, this is a problem, no, I'm not saying it's okay, what I am saying is that not issuing security fixes isn't going to force those types of users to upgrade, it just means they'll be forced to use a system that isn't secure. You have to fix the culture of the vendors who make this shitware (where there are usually no alternatives) before you can force their users to upgrade.

    • by jonwil (467024)

      You can't air-gap it but you CAN make sure that it isn't connected to the Internet, just to a local hospital LAN so data can be moved off it. And you CAN make sure it's not used for anything other than what it has to be used for.

    • The author seems to have no grasp on why there's still so many XP installations out there. ...there are a ton of users that are using niche software, whose creators have either gone out of business or simply stopped developing upgrades, that won't work on anything other than XP...

      True, but that is only part of the story. A large part of the rest of the story is that Microsoft's follow on products suck too much and do not rule in any discernable way.

  • by Anonymous Coward

    A patch to remove the entire networking stack. Done.

  • by Blaskowicz (634489) on Friday May 02, 2014 @05:10PM (#46903591)

    That isn't helpful, XP is a modern operating system. It has user accounts, processes and all that stuff. It misses a desktop compositor but do we have to care about windows flying around?

    In fact I would like Linux to catch up. Using LXDE makes it relatively close to XP in speed and stability, MATE is slower but decent, but it could use some more driver quality and importantly I hope there'll finally be a way to fix backwards compatibility and game availability, which go hand in hand.

    Get me right, I know that XP has to be abandoned and advocate for it, I tell people to use Mint and do all updates (almost security only) that show up. The updates are pleasant instead of being a hassle. Though as usual I need to wait again. Wait for Mint 17 to be out, since Mint 16 will be deprecated despite coming out last November.

  • if it would be his house or his car or his yacht that suddenly does no longer 'work'.

  • by phantomfive (622387) on Friday May 02, 2014 @05:24PM (#46903757) Journal
    In case anyone cares who these people actually are:

    Sebastian Anthony: A semi-hobo living in the middle of England, who thinks he's an engineer because he took apart a VCR. Literally.
    Lance Ulanoff: An editor and story teller. Used to be an editor for PCMag. Gets invited to speak at SXSW because he is a good story teller.
    Dwight Silverman: He seems to have been blogging since April

    None of these guys seem to understand corporate software. They seem to look at it as child-training or something, which it isn't. In all likelihood some companies were complaining to Microsoft about this bug, some product managers inside Microsoft thought it would be worth fixing to make them happy, so they allocated time to work on it. The idea that the CEO was personally involved is possible, but certainly not given. He has more important things to worry about than legacy software.
    • by w_dragon (1802458)
      Microsoft would have fixed it anyway, since there are still a few large organizations paying for extended XP support. All they decided to do was make the patch generally available.
  • switch to another modern operating system, such as OS X...

    Oh yes, because that would be such a simple and painless transition, with no legal or software-compatibility issues whatsoever...

    To be honest, I'm having trouble determining who should win the "Stupid Cunt of the Year" prize - the "author" of TFA for not being able to perceive the difference between an OS and an application, or the "editor" for letting such drivel onto /.

    Or, I suppose, myself for expecting any better from /. nowadays...

    • Or, I suppose, myself for expecting any better from /. nowadays...

      I would say yourself, since you obviously lack anything resembling perspective. Yes, surely the worst example of a person being stupid is some attention whore who thinks that Microsoft should really stop having anything to do with Windows XP.

  • now wait... (Score:4, Insightful)

    by roc97007 (608802) on Friday May 02, 2014 @05:30PM (#46903805) Journal

    There's something about this that I'm having trouble wrapping my brain around. We (the collective "we" of businesses and individuals still using XP) are stupid for not giving wads of cash to Microsoft when Microsoft says to do so? And Microsoft is stupid for choosing to patch a vulnerability in a half billion PCs?

  • Just keep Windows firewall on, install an alternative browser and only run software from trusted sources. It may be full of bugs, but it's easy to close all realistic exploit vectors. Think of it as a chromebook with support for legacy software. Speaking of software, Windows lost a lot of exclusivity after XP and most apps/games that require Vista/7/8 have good alternatives on other platforms.

    For me, Windows has meant a VirtualBox XP VM for the past decade and will stay this way forever.

    • by arbiter1 (1204146)
      A security expert said on a podcast that XP if you run as a regular user NOT AN ADMIN, 100% of flaws in IE were rendered dead, and like 94-96% of ones attacking XP directly were stopped. It's pretty damn safe to use it if you get off the admin account.
      • This week's IE vulnerability (https://technet.microsoft.com/security/bulletin/MS14-021) is not "rendered dead" by running as a non-admin. It (like many other vulns) is limited to the rights of the user account running IE, but it can still do anything you can, such as deleting all your photos or uploading your tax details somewhere. This fact actually benefits the rest of the internet more than it does the affected user. We appreciate that grandma's limited account keeps the box from becoming a complete z
  • Stop with this upgrade nonsense. Most of the machines currently running Windows XP can not be upgraded because the later versions of Windows have additional hardware requirements.

    I made this post from a Windows XP laptop that can not be upgraded.

  • Sticking with XP would be a bad idea even if Microsoft were to release updates ad infinitum. Even since Windows 7 surpassed XP in market share, I still encounter several times more infected XP machines than Windows 7 ones. Updates are band-aid fixes that don't change the fact that XP was released just before the advent of ubiquitous broadband, and is fundamentally unsound when it comes to security.
  • by Ol Olsoc (1175323)
    Despite this Sebastian Anthony's well reasoned and thoughtful piece. ....

    If the XPocalypse happens, and the legions of XP machines are zombified, as we are warned they will be, and civilization is brought to a halt as efficiently as the Chicxulub meteorite hit - People are going to blame it on Microsoft.

    And they will have a point, whether he likes it or not, whether Microsoft likes it or not, and whether the shills like it or not.

  • After Vista, they owe us a decent amount of time to get onto the next decent OS. Windows 7 counted as decent, and has been out 3 years. It is quite fair for folks to have been getting new boxes with XP until a good alternative came out and proved itself to be stable, and to not have to upgrade those machines for several years at least. The current cutoff feels tone-deaf compared to the POS that Vista was.

    My $0.02.

    • After Vista, they owe us a decent amount of time to get onto the next decent OS. Windows 7 counted as decent, and has been out 3 years.

      3 years is not a decent amount of time to upgrade? Windows XP entered extended support from mainstream support in 2009. It's not like this is a surprise.

    • 7 has been out for 5 years.

      Get over it. Apple will cut you loose in 2.5.

  • 'I don't want to hear that tired "if it ain't broke, don't fix it" line. Hey, XP IS broke, and it will just get more so over time.'

    WTF? It wasn't just XP that was broke. This affects ALL Microsoft browsers and OSes. So upgrading to Vista, Windows 7, Windows 8 would not have solved this issue.

    • That is because "XP IS broke", but it will not "just get more so over time." Its bugs exist whether they get patched or not, there will not be new bugs introduced, it's just that more will be discovered. All MS's other OSs are also "broke". The problem is that new OSs (or new code in general) means new bugs. So, not only does planned obsolescence [archive.org] (and code re-use) mean the full version set will forever be susceptible (often to a common bug), but artificial scarcity of patches means you can force the cus

  • They could always patch it all the way to Vista or maybe even Windows 7 and even 8.x then they will have a modern monoculture. Or how about Linux release an XP patch that ...
  • by AudioEfex (637163) on Friday May 02, 2014 @06:04PM (#46904065)

    It never ceases to amaze me how out-of-touch with the "real world" so many /. commenters are. Or, more precisely, how out-of-touch they come across as, because I don't think half of the folks who post some of this stuff actually believe what they say, they know better - the other half I do believe actually think what they are saying is accurate, because they don't associate with anyone who doesn't know the difference between SRAM and DRAM.

    "Switch to another modern operating system, such as OS X and Linux" - yeah, that's gonna happen. To run OS X one needs to buy a new, overpriced machine that isn't going to be compatible with a lot of existing stuff and is way overkill for the needs of most average folks. And Linux? Seriously? Linux is so out of reach of most folks it's not even funny. I'm sure someone will come along and say "well X distro is easy to install!" and they miss the entire freaking point. Linux is not for "average" users, or even for well-versed computer users, it's for tinkerers and folks who want to spend as much time working on their OS as they do using the computer. It's a ridiculous notion.

    The truth is, XP is not going away. Folks are saying "but they've been announcing this forever!" - not to middle America, they haven't. Those folks don't keep up on tech sites, and it's not like MS is sending them pop-ups to let them know. They just want to get on their computer and use Facebook and check their email, maybe play a few games. They also don't often have computers that even could run Windows 7 or better. Gone are the days when everyone had to replace their PC every 2-3 years, max - I know tons of folks who have PC's that are nearing a decade old and still in use and work just fine for them. Asking folks who have computers that to them seem working perfectly fine, and that meet their needs, to go out and buy a new one just to continue to do what they are already doing is never going to fly.

    MS is going to relent and continue to release security patches - I have no doubt. They already are making them for the large companies/governments that are paying for them, and there are going to be some major battles which will probably end up in the legal system over what really is MS hanging a large portion of users out to dry. As someone else said, these security flaws are already there, they are just fixing what they didn't do correctly in the first place - we all know the limited understanding of the court system of computer technology, that's what it's going to look like to lawyers and judges. We might finally see some real legal tests of EULA's in general, as well - if I put a bumper sticker on my car that says "I am not liable for any accidents I may cause" that doesn't absolve me of liability, and I have a feeling that just may be how some judges will interpret this (correctly or not).

    I know all of this is going to seem like bullshit to a lot of /.ers, but it's reality - XP was good enough that it will remain "good enough" for a lot of folks, and not issuing security patches isn't going to stop them from using it, because they never are going to know. It's in MS's best interests to continue issuing these patches until these PC's finally die off and folks need to buy a new one, which is still going to be a few more years.

    Rant all you wish about how stupid they are, or how they just should stop using MS to begin with and use Linux (the most absurd notion - because even if they did, if Linux actually had more than the less than 2% install base it has, they'd just start trying to exploit that - and with all the different distros, etc. - what a clusterfuck that would be - Linux users just fly under the radar, for now). It's not going to change the reality that these folks aren't going to upgrade their OS until they buy a new PC - and if MS doesn't issue these patches, then once the news finally filters down to these folks (via local news broadcasts, etc.) the suggestion will just be to use a different browser, since most security issues are IE related - which is the LAST thing MS wants to happen.

    • And Linux? Seriously? Linux is so out of reach of most folks it's not even funny. I'm sure someone will come along and say "well X distro is easy to install!" and they miss the entire freaking point. Linux is not for "average" users, or even for well-versed computer users, it's for tinkerers and folks who want to spend as much time working on their OS as they do using the computer.

      As much as you insult other slashdotters, you sure fall into a parody of a different slashdotter: the one who insults other slashdotters. Really though, are you unaware that some distros try to position themselves as being for average users?

    • by ka9dgx (72702)

      Amen!

      I just "upgraded" some Windows 7 machines to IE8 (from IE10) because that is the standard the automobile industry has settled on.

      Linux is not any more secure than Windows in the long run... it's not a multi-level secure system, nor is any other choice you've ever heard of. Until we adopt something like the Bell-LaPadula security model [wikipedia.org], we're going to be chasing our collective tails, and this is going to be happening for years!

  • by musixman (1713146) on Friday May 02, 2014 @06:22PM (#46904201)
    'I don't want to hear that tired "if it ain't broke, don't fix it" ... "Upgrade to a newer version of Windows, or switch to another modern operating system, such as OS X or Linux."

    You are obviously very out of touch with the WHO & WHY of why people continue to use XP.

    1) Not everyone can AFFORD to update their computer, buy a new computer or buy a new copy of windows. Let alone get a Mac...
    2) Most of the world is not tech savvy. The idea that you would get them to install Linux is really not practical. People are creatures of habit & that will never change. Look at how many people freaked out when W8 removed the start button.
    3) A large % of users are in 2nd & 3rd world countries. The fact they even HAVE a computer & electricity to power it is a BIG deal. You're being very dismissive of how the majority of the world lives. You should travel more.

    XP is like an old car... sure it eats 5x the amount of gas, but it gets you from point a to b.
  • A well formed argument that entirely misses the point; OS updates (not just Microsoft) are essentially the broken window fallacy writ large.

    It's all about sales and marketing types being able to say "oooh look shiny!" whilst fleecing everyone.... good engineering is about form following function not planned obsolescence.

  • ok if you are going to act like an ass and start off with "tardy governments and IT administrators" and "your mom and dad are yet again safe to use their old Windows XP beige box" what's your selling point other than wake up grandma and shell out monies

    I understand XP needs to go, I ditched it years ago, but you have to do better than "cause Microsoft said so" or acting like a snotty ass elitist

  • Just a simple thought.

    If a 12-year old vehicle turns up with a major safety defect, car makers would be fixing it.

    I think Microsoft should just bite the bullet and resume security patching of flaws in XP if/when they turn up.

    Why not? It's a small price to pay to keep a good PR image of caring about your customers. And it's the right thing to do, something woefully missing from American businesses.

    • Software evolves more quickly than cars and costs much less. Sticking with your analogy, let's use generations of cars rather than model years (which sometimes have no changes whatsoever). There have been three major releases since XP - Vista, 7, and 8. '15 is the beginning of the sixth generation for the Mustang, and '14 was the seventh generation for the Corvette. How much Ford/GM support is there for the '79-'93 Mustang or the '84-'96 Corvette at this point?

      If you want to pay MS enough, they'll keep

    • by w_dragon (1802458)
      If the defect may kill you, car makers may fix something 12 years old. Maybe. If the defect will allow someone to easily unlock your doors and steal everything in the car they won't care.
  • by viperidaenz (2515578) on Friday May 02, 2014 @06:42PM (#46904359)

    Windows XP is not a "12 year old operating system"
    It's 4 years old, 6 years at best. It was still being sold by Microsoft up until June 30 2008. It was still being sold preinstalled on machines up until October 2010.
    What of those people who have 3 1/2 year old PC's? You can't tell them it's a 12 year old operating system. It was still brand new in 2010.

  • If Microsoft hadn't fixed IE for all platforms, it would die a gory agonizing death. If the US Dept. of Homeland Security says don't use IE until it's patched, you can bet a shrinking sliver of the pie would vanish in weeks.
