A month ago, Microsoft took the unprecedented step of issuing security patches for Windows XP, an edition supposedly interred in Support Cemetery more than three years ago.
The decision to help aged personal computers running Windows XP -- as well as also-retired Windows 8 and Windows Server 2003 -- was intended to slow the spread of the "WannaCry" ransomware, which encrypted files on hundreds of thousands of PCs worldwide. The cyber criminals then tried to extort payments from the machines' owners in return for unlocking the files.
WannaCry's rapid spread was credited to its exploit of a Windows vulnerability, one that Microsoft had patched in March on still-supported versions, such as Windows 7 and Windows Server 2008.
But after WannaCry wreaked its havoc and Microsoft reversed its long-standing policy against free fixes for older operating systems, Computerworld had questions, both about the criticism aimed at seemingly every party except the attackers and about what Microsoft's release of patches portended.
We put those questions to two patch experts: Susan Bradley, a computer network and security consultant known for her writing on Windows patching processes in the Windows Secrets newsletter; and Chris Goettl, product manager with patch management vendor Ivanti.
Their responses have been edited for length.
What does Microsoft owe users of retired products when a serious event occurs, as with WannaCry? Does it owe them patches in most cases? Every case? Some have argued that it does.
BRADLEY: I don't think Microsoft owes us patches. We have a clear support statement. We can purchase support if we choose to. We clearly have decided that the risk of being unsupported was acceptable. We made the decision. Now we are paying the price (literally, in some cases).
GOETTL: In the case of retired software, Microsoft doesn't owe their customers anything. One of the challenges of being a vendor is that you do need to move your products forward, and maintaining old platforms becomes a resource drag, acting like a sea anchor. Anyone who wants to stay on an older platform can, and Microsoft has created extended support programs for customers who wish to keep those platforms secure.
Post-WannaCry, critics blamed, among others, IT administrators for allowing out-of-support systems to remain in use. What circumstances and conditions impede retiring older operating systems or products? Why do firms keep running, say, Windows XP, when everyone knows that they are insecure?
BRADLEY: A combination of lack of resources for upgrades, or there is no comparable product to upgrade to that gives you equivalent functionality. It takes time and resources to test and ensure that there is vendor support, ensuring that your current software works with it. [Or] the device may [run] Windows XP Embedded, and thus you have to buy a whole new device, not just upgrade the hardware.
GOETTL: No one group holds the blame. In many cases the business holds IT back by holding on to legacy systems that cannot run on newer platforms. In some cases, the cost to update the backend system may be significant, forcing the endpoint to remain on a system that is now out of date or -- if it is highly customized or built by a company that no longer exists -- it may be down to staying on the old system or having to migrate a business-critical system to an entirely new platform.
Other critics panned companies that had not deployed the March security updates to still-in-support Windows PCs by the time WannaCry hit. But what is an "average" patch time among Microsoft's commercial customers? Is it legitimate to expect a business to be fully patched 60 days after updates are available? 30 days? 90 days?
BRADLEY: Normally, for good patchers, I see a lag of no more than 30 to 60 days. But this pointed out we still suck at getting updates installed -- even in places where the servers should be managed and maintained.
GOETTL: I have seen stats over the years ranging from 60 to even 120 days. What we recommend at Ivanti is to ensure critical OS updates get rolled out within two to four weeks. Applications that are highly targeted (Chrome, IE, Firefox, Flash, [Adobe] Reader, Office) in two weeks or less. We know it can be done and see companies doing it ... in complex environments across tens of thousands, and in some cases hundreds of thousands, of endpoints.
Will offering patches for products out of support get more complicated once Windows 10 has gone through several additional upgrades? What will Microsoft do if, say, a serious security event occurs early next year that impacts versions 1507 and 1511, after both have been knocked off the support list? By January 2020, when Microsoft retires Windows 7, six versions of Windows 10 will have fallen from support. What happens if a critical threat occurs then?
BRADLEY: The people I've seen struggling the most with getting patches installed aren't even on Windows 10. So, the first thing that Microsoft needs to do is still address what is keeping us off of Windows 10. Once we're [there], then they need to ensure better compatibility and lack of issues between the releases.
[But to answer the question], as many times as Microsoft annoys me with their seemingly heavy-handed actions, remember that people in a conference room make the decision. And every time one of these events [happens] where customers are really getting hurt, Microsoft does the right thing and protects us.
GOETTL: I think Microsoft plans to be more aggressive with EoLs [End-of-life] of older branches [of Windows 10]. I am not sure we can expect them to do the extended support as they have done in the past. They established the Long-term Servicing Branch for that purpose. You either need to adopt that from the beginning or get on the treadmill and keep up with the branch upgrades.