Windows XP patches: Did Microsoft make the right decision?

Windows XP patches: The tradeoffs

Nation-state attack tools and exploits rarely become available to the common criminal, but with the exploits released by the Shadow Brokers, this risk analysis changed.

It should be noted that third-party security researchers could have identified some of these attacks. Even with the release of minimal details about a vulnerability, other security researchers could have found the same vulnerability discovered by the National Security Agency (NSA).

The Shadow Brokers selling stolen exploits from the NSA is not something Microsoft or any other software vendor could have anticipated when developing their support lifecycle policies.

Once a vulnerability is made public, it should be assumed that it will be exploited by an attacker. Microsoft had to carefully weigh the benefits and the costs to develop a patch and, in this specific case, the vulnerability included a remote code execution vulnerability that could be widely used. This is probably what drove Microsoft to release a patch for its older, unsupported OSes. However, issuing these Windows XP patches may prolong enterprise use of these unsupported OSes and give users a false sense of security.

Enterprises' responses

The first step for enterprises is to update their Risk analysis using data from the new exploits that are now available for Windows XP/2003. This will help them determine if their plan for replacing Windows XP/2003 adequately meets their enterprise risk tolerance and ensure that they are running software supported by their vendor. If not, they may want to devote more resources to replacing Windows XP/2003 systems.

The next step, which may be done concurrently with the first step given the significant increase in risk, is to push the patch to all Windows XP/2003 systems still connected to networks. For enterprises that must use Windows XP/2003 systems on their network, they may want to implement other compensating controls to address these risks, but that will also increase the operational cost of maintaining these systems.

These new patches probably won't encourage customers to continue to use Windows XP/2003, as the drastically increased risk of an attack is not completely resolved by just applying these patches. Some systems will inevitably not get the patch and they will remain unprotected.

Enterprises that must continue to use unsupported systems may want to remove the systems from the network or at least put them on an isolated network with restricted outside access to only the absolutely necessary systems. This will increase support costs and decrease the functionality of these systems; however, it could help drive enterprises to replace these systems.

For enterprises stuck using a device or system controlled by a computer running Windows XP/2003, requiring your vendor to support current operating systems from the original vendor should be mandatory. Without enterprises making this requirement of their vendors, they may continue to be stuck in situations like this.

Conclusion

Software developers want to limit the number of versions of their software in use to reduce support and many other costs to ensure resources can be devoted to developing new versions. Microsoft is no exception to this generalization, and it carefully weighed the options before releasing Windows XP patches to customers.

Enterprises also want to minimize their costs and may delay rolling out new systems to manage these costs, but if the operational cost drastically increases, and the risk of being attacked increases, then this may make the enterprise increase the pace of deploying new systems. Enterprises should rely on Microsoft's generosity to ensure their systems are adequately protected.