Was Patching XP the wrong choice?

Inevitably someone was going to question Microsoft for patching a security issue in XP (and to be fair, it really wasn’t a security issue in XP, per se; it was an issue with Internet Explorer).  I think the decision was the correct one, and here are some of my thoughts.

A new Microsoft

First off, we’re talking about a new Microsoft.  Much of XP can be considered the vestiges of an old Microsoft.  The support lifecycle of XP and other OSes was defined years ago—Microsoft has to abide by those agreements because they are contracts, not because it’s a logical thing to do.  They, of course, could extend the XP support again, but I think that would be the wrong choice.  Of course, only time will tell with this sort of thing, but I think a new philosophy is being used for decisions like this.

Plus, it’s not about XP.

It’s Internet Explorer

The issue at hand is really about Internet Explorer (IE).  As much as we’d like to tell everyone to get off XP and get into the current digital century (which is every two years, right?), the issue isn’t about XP.  The problem is with IE, and if we take XP out of the picture, people are still using old versions of IE.  That’s not their fault.  That’s Microsoft’s fault.  There are many reasons why IE was in the state it was in back then (all “legitimate”), but the fact remains that those versions of IE are fundamentally broken.  I’m not talking by way of security (but I’m also not saying they’re secure); I’m talking about standards support.

Microsoft in that timeframe was pushing IE, and they were pushing it hard.  They wanted browser dominance and they ended up getting it.  I can’t say for sure of course, but the push probably lost sight of the purpose of a browser: the underpinnings of what a browser uses in terms of protocols, markup, and scripting languages.  Regardless of what IE was at the time, many people bought into the story coming from Microsoft and built systems around IE.  Microsoft gave them an IE that they could develop for, but the systems they built were not future compatible.  Those systems couldn’t be used with other browsers, and they also could not be used on future versions of IE (at least reliably and in a cost-effective way from IT’s perspective).  It’s an old and tired argument that suggests it is the developers’ problem for not knowing to use a better API.  So, they’re stuck and many can’t afford to get out of where they are.

Righting the wrongs of IE

I think Microsoft did the right thing (explicit or not) by updating IE on XP.  In the future if I want to go with a Microsoft-specific solution, I’d think twice (or not even consider Microsoft) because I can tell the future based on what Microsoft is doing now with their past solutions.  If they’re going to make my life a security nightmare in the future because my business cadence does not exactly match Microsoft’s release schedule of all their products—and I can’t afford to keep up with updates to all Microsoft products and services—I’ll go somewhere else.

I’d like to think they’re recognizing this and starting to make different decisions, but I don’t really know.  I know that updating IE is a good thing.  You could argue that not updating IE and leaving security holes is an impetus to upgrade (both IE and XP), but that’s just ignorant and dangerous!  We need to make the Internet a better place, not worse.

Now, if only we could get something done with IE in the broader sense…
