Security and patch experts contend that Windows XP is still retired, still obsolete, still dead, even though Microsoft has arguably muddied the waters by issuing security updates two months running for the 16-year-old operating system.
“It’s retired,” said Amol Sarwate, the director of Qualys’ vulnerability lab. “It’s still obsolete.”
Chris Goettl, product manager with patch management vendor Ivanti, concurred. “Windows XP is retired,” Goettl said. “This is definitely unprecedented, but [Microsoft is] saying that this is not normal, and is not going to continue.”
Questions about Windows XP’s status — dead or undead? — surfaced in May when Microsoft distributed patches to the no-more-support XP, Windows 8 and Windows Server 2003. Those updates were issued to protect the trio from the fast-spreading “WannaCry” ransomware campaign.
After Microsoft repeated the policy-busting move Tuesday, with officials citing the possibility of new attacks by government-sponsored hackers to explain the release of additional updates, the questions resurfaced.
Microsoft has been adamant about cutting off users when a version of Windows exhausts its 10-year support lifespan. Cynics have long portrayed that as strong-arming customers into upgrading for Microsoft’s financial benefit. Meanwhile, the company typically boasts that the newer version of Windows is better, faster, and most important, more secure, and that the older one, like a rusty tool, has worn out its usefulness.
Historically, support deadlines have driven upgrade cycles in the enterprise, as organizations hustle — sometimes in panic — to purge their networks of the older operating system. Some, not able to finish the job in time and unwilling (or unable) to expose unpatched systems to possible attacks, pay princely sums to Microsoft for after-retirement custom support.
But some worried that by issuing patches to Windows XP three years after expiration, Microsoft had set a precedent it might regret.
“If Microsoft says that Windows 7 truly reaches end of life in [January] 2020, is it really going to cut off support, or will they release critical patches like they have done twice with Windows XP?” asked Brad Sams of Petri.com on Tuesday.
Sarwate didn’t see it that way. He accepted Microsoft’s reasons for updating Windows XP, and believed the company when its officials said that it had not changed its support policies, even after two consecutive months of patches.
He also contended that it is against Microsoft’s interest to disinter a dead OS. “This is a double-edged sword,” he said of Microsoft’s XP patch releases. “It’s true that big issues like these need to be patched, but if they do this too much, it works against their objective of getting folks onto a newer OS.”
Other clues added to Sarwate’s skepticism about an XP resurrection. “Some of them are pretty old,” he said of the dozen vulnerabilities that Microsoft patched. “They cleaned the house, if you will. This is purely a guess, but I think [the releases were] a one-time deal. I don’t think that in the coming months we’ll see more Windows XP patches.”
Goettl was less sanguine about Microsoft’s decision to patch Windows XP. Although he was certain the old OS remains retired, he sensed that Microsoft opened a small Pandora’s Box.
“There’s a risk that in trying to help by patching, they’re encouraging bad behavior,” Goettl said of potential distrust of Microsoft’s once rock-solid support stance. “It was a good gesture on Microsoft’s part, to reduce [users’] risk level, but it does send a mixed message.”