Microsoft's decision to erase its support line in the sand has sowed confusion and will likely encourage bad behavior by some customers, analysts said today.
"If next month someone finds another zero-day like this one, Microsoft could just move the line again," said John Pescatore, director of emerging security trends at the SANS Institute, a security training organization.
"In a way, this encourages bad behavior. There's a risk that people will look at it that way," said Michael Silver, an analyst with Gartner, referring to those who will now question Microsoft's determination to end XP support, and thus slow or even suspend their migrations to newer editions of Windows.
The experts were talking about Microsoft's move on May 1 to issue fixes for a critical vulnerability in Internet Explorer (IE) that had been disclosed the week before and used by cyber criminals for an unknown length of time before that to hijack Windows PCs. Patching the bug was not unusual; what was out of the ordinary was Microsoft's decision to push the fix to Windows XP machines.
Previously, Microsoft had set the end of support for Windows XP as April 8, a date it had broadcast for years. When Microsoft software reaches its support retirement date, it's company policy to discontinue public patching.
Just weeks after the deadline, Microsoft essentially said, "Never mind," and patched the IE vulnerability on Windows XP. What had been certain — the support line in the sand — became irresolute.
Microsoft defended the decision, saying it had bent to what it called "overblown" media coverage and explaining that it did so only because XP had so recently been retired.
"I don't think the coverage was overblown," said Pescatore.
Wes Miller, an analyst with Directions on Microsoft, agreed. "It was a very bad vulnerability," he pointed out.
Even so, the analysts were surprised at the release of a fix for XP, not only because of the line Microsoft had so firmly drawn but because of the ramifications of erasing that line.
The precedent was what concerned the experts. "Absolutely, the precedent matters to Microsoft," said Miller. "It's not a question of if, but when, this issue will come up again. Until key organizations are off of XP, every major vulnerability becomes a major opportunity for exploitation."
Some customers still running Windows XP may view Microsoft's patching decision as a pass to continue running the 13-year-old operating system, which, as Microsoft has repeatedly hammered home, lacks many of the advanced security and anti-exploit features and technologies in newer editions, including Windows 7 and Windows 8.1.
Even further in the future, customers running Windows 7 may recall this XP patch and conclude that Microsoft is not serious about retiring that OS when its January 2020 support deadline nears.