A month ago, Microsoft took the unprecedented step of issuing security patches for Windows XP, an edition supposedly interred in Support Cemetery more than three years ago.
The decision to help aged personal computers running Windows XP -- as well as the also-retired Windows 8 and Windows Server 2003 -- was intended to slow the spread of the "WannaCry" ransomware, which encrypted files on hundreds of thousands of PCs worldwide. The cyber criminals then tried to extort payments from the machines' owners in return for unlocking the files.
WannaCry's rapid spread was credited to its exploit of a Windows vulnerability, one that Microsoft had patched in March on still-supported versions, such as Windows 7 and Windows Server 2008.
But after WannaCry wreaked its havoc and Microsoft reversed its long-standing policy against free fixes for older operating systems, Computerworld had questions, both about the criticism aimed at seemingly every party except the attackers and about what Microsoft's release of patches portended.
Computerworld put those questions to two patch experts: Susan Bradley, a computer network and security consultant known for her writing on Windows patching processes in the Windows Secrets newsletter; and Chris Goettl, product manager with patch management vendor Ivanti.
Their responses have been edited for length.
What does Microsoft owe users of retired products when a serious event occurs, as with WannaCry? Does it owe them patches in most cases? Every case? Some have argued that it does.
BRADLEY: I don't think Microsoft owes us patches. We have a clear support statement. We can purchase support if we choose to. We clearly have decided that the risk of being unsupported was acceptable. We made the decision. Now we are paying the price (literally, in some cases).
GOETTL: In the case of retired software, Microsoft doesn't owe their customers anything. One of the challenges of being a vendor is that you do need to move your products forward, and maintaining old platforms becomes a resource drag, acting like a sea anchor. Anyone who wants to stay on an older platform can, and Microsoft has created extended support programs for customers who wish to keep those platforms secure.
Post-WannaCry, critics blamed, among others, IT administrators for allowing out-of-support systems to remain in use. What circumstances and conditions impede retiring older operating systems or products? Why do firms keep running, say, Windows XP, when everyone knows that they are insecure?
BRADLEY: A combination of lack of resources for upgrades, or there is no comparable product to upgrade to that gives you equivalent functionality. It takes time and resources to test and ensure that there is vendor support, ensuring that your current software works with it. [Or] the device may [run] Windows XP Embedded, and thus you have to buy a whole new device, not just upgrade the hardware.