It has been reported that Microsoft is releasing patches for Windows XP and other out-of-support versions of Windows. This emergency release contains previously issued fixes for Windows vulnerabilities targeted by the NSA exploits leaked by the Shadow Brokers.
In response to this news, Andrew Clarke, EMEA Director at One Identity, has offered some insight into whether this is a good idea and what implications it may have for ordinary users taking accountability for the safety of their own systems.
Andrew Clarke, EMEA Director at One Identity:
“Recently, Microsoft released patches for operating systems that were heretofore categorized as “out of support.” Is this a smart move by Microsoft? Is it a good move? There are many issues to examine here.
First, by patching its legacy OSes, Microsoft is admitting that there are vulnerabilities. This isn’t particularly surprising as the state of hacking has progressed considerably since these products were placed in “out of support” disposition.
Next, Microsoft had previously classified these operating systems as “out of support” yet the global software giant is patching the software. Will customers, who should have upgraded years ago, come to expect this type of “bonus” service? They shouldn’t but sadly, some may.
Lastly, the patches were in response to the recent WannaCry vulnerability. In other words, these are security patches, not feature fixes or compatibility updates. It’s to protect the computers from hackers. We recently saw how these breaches can be used with the global release of the WannaCry malware. During this attack, we learned how many of these older computers and operating systems are being used by the UK NHS, and how medical services are put at risk of being lost.
The bottom line is that Microsoft did the right thing and they are to be commended for it. Microsoft was under no obligation to write and release these patches, and I doubt there’s a large payday to offset the investment. Yet Microsoft did the right thing for its customers, and for society and business at large. Sure, it might cause some customers to come to expect this type of patching, but we must remember that all those organizations were told, repeatedly, that their operating systems were no longer supported and that they should have upgraded years ago. Their complaints should fall on deaf ears.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.