Microsoft releases fix for Internet Explorer security bug… including a patch for Windows XP users


After details about a critical security bug affecting Internet Explorer 6 to 11 on Windows XP through 8.1 hit the web, it was inevitable that Microsoft would fix the issue and release a patch to keep everyone safe(er). And today Microsoft has done exactly that: a patch for the hole in Internet Explorer has been released, and you can get it by running Windows Update. (If you have Windows Update configured to download and install updates automatically, you will get the patch without having to do anything, although I’d recommend manually triggering Windows Update anyway.)

What is surprising, however, is that Microsoft included a patch for Internet Explorer on Windows XP. This is surprising because official support for Windows XP ended in April, meaning Microsoft is no longer responsible for and will no longer issue any updates to Windows XP (aside from those countries or companies that paid Microsoft to extend Windows XP support for a bit longer). Really, no one expected Microsoft to issue the patch for Windows XP, yet they have.

This is what Adrienne Hall, general manager of Microsoft's Trustworthy Computing group, has to say about XP being included in today’s patch:

“Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded) today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.”

Personally speaking, while I’m happy that Microsoft decided to not leave Windows XP users on their own for this bug, I must question Microsoft’s wisdom.

In my mind, either you end Windows XP support or you don’t; either you continue to provide patches, or you don’t. Having one foot in both worlds is not helping anyone. Sure, Windows XP users are safer thanks to the patch, but they aren’t safe: there is bound to be another bug that will be discovered sooner rather than later… a bug Microsoft won’t patch because XP support has ended. And Microsoft releasing a patch for Windows XP after official support has ended is counterproductive when, at the same time, Microsoft and IT experts are trying to convince people to move away from XP. Indeed, many XP’ers will take this as a sign that XP support really hasn’t ended and there is no reason to switch… which is not true because Microsoft won’t continue to issue patches for XP.

In other words, in trying to be helpful Microsoft has done the opposite.

Nonetheless, it is good that Microsoft has released the patch because in-the-wild attacks using the security hole were already detected. Of course, in-the-wild attacks will continue but at least people will be patched against this particular vulnerability.

[via ArsTechnica]
