Microsoft will craft XP patches after April '14, but not for you
- 26 August, 2013 20:32
Just because Microsoft doesn't plan on giving Windows XP patches to the public after April 8, 2014, doesn't mean it's going to stop making those patches.
In fact, Microsoft will be creating security updates for Windows XP for months -- years, even -- after it halts their delivery to the general public.
Those patches will come from a program called "Custom Support," an after-retirement contract designed for very large customers who have not, for whatever reason, moved on from an older OS.
As part of Custom Support -- which according to analysts, costs about $200 per PC for the first year and more each succeeding year -- participants receive patches for vulnerabilities rated "critical" by Microsoft. Bugs ranked as "important," the next step down in Microsoft's four-level threat scoring system, are not automatically patched. Instead, Custom Support contract holders must pay extra for those. Flaws pegged as "moderate" or "low" are not patched at all.
"Legacy products or out-of-support service packs covered under Custom Support will continue to receive security hotfixes for vulnerabilities labeled as 'Critical' by the MSRC [Microsoft Security Response Center]," Microsoft said in a Custom Support data sheet. "Customers with Custom Support that need security patches defined as 'Important' by MSRC can purchase these for an additional fee.
"These security hotfixes will be issued through a secure process that makes the information available only to customers with Custom Support," the data sheet promised.
Because Microsoft sells Custom Support agreements, it's obligated to come up with patches for critical and important vulnerabilities. And it may be required to do so for years: The company sells Custom Support for up to three years after it retires an operating system.
Custom Support and the XP security updates that result have been one reason why some experts have held out hope that Microsoft will backtrack from retiring XP next April. Their reasoning is straight-forward: Microsoft will have patches available -- its engineers won't have to do any more work than they already committed to doing -- so handing them out to all would be a simple matter.
Or not. Most experts have said that the chance Microsoft will prolong Windows XP's life run between slim and none. And giving away patches to everyone risks a revolt by those big customers who have paid millions for Custom Support.
But Microsoft does have options. Computerworld sees six.
Continue patching for free
If Windows XP remains a major presence, as it appears likely, with projections as high as 33.5% of all personal computers at the end of April 2014, Microsoft could decide to continue patching the aged OS with free fixes for critical vulnerabilities, maybe even those rated important.
Such a move would be unpalatable to Custom Support customers, but Microsoft could renegotiate the fees -- unlikely -- or remind those companies of the program's other benefits, which include access to support representatives, as well as to prior patches and hotfixes.
Patch the critical vulnerabilities under active attack
Microsoft could selectively patch only the critical bugs that are being exploited by hackers. Presumably, that would be a subset of the complete XP patch collection assembled each month.
Some analysts have picked this option as a possibility. Last December, Michael Cherry of Directions on Microsoft posed just such a situation.
"Suppose ... a security problem with XP suddenly causes massive problems on the Internet, such as a massive [denial-of-service] problem?" asked Cherry at the time. "It is not just harming Windows XP users, it is bringing the entire Internet to its knees. At this time there are still significant numbers of Windows XP in use, and the problem is definitely due to a problem in Windows XP. In this scenario, I believe Microsoft would have to do the right thing and issue a fix ... without regard to where it is in the support lifecycle."
Charge users for XP patches
Although Microsoft would much rather book revenue from the sale of a newer OS, it may realize that some will refuse to upgrade, and try to make money rather than give away fixes.
It's unlikely that Microsoft would be able to charge $200 annually for post-retirement patches, as it does with Custom Support customers, but it may be able to get away with $50 a year for individuals and small businesses, perhaps with a maximum machine cap at, say, five PCs per customer.
Traditionally, Microsoft's not charged for support, but it could cast this as a special situation caused by the longevity of XP, which was due to the delay of Vista and secondarily, that OS's subsequent flop. In late 2007, when Microsoft extended XP availability to OEMs by several months, it cited Vista's delayed launch for the unusual move. (It added another extension in 2008 that kept XP alive on new "netbook" PCs, the then-popular class of cheap laptops, until mid-2010.)
And Microsoft has talked up a transformation to a "devices-and-services" company; a pay-for-support plan would mesh nicely with the latter half of that strategy.
Heavily discount Windows 7 or Windows 8.1 to XP users
For several months late last year and through January 2013, Microsoft sold Windows 8 Pro upgrades for $40: It has not revived the cheaper prices since.
Microsoft might try another discount to nudge XP users off the creaky OS, pitching them either Windows 8.1, the update slated for a mid-October debut, or less likely, the option of moving from XP to Windows 7.
The latter would violate Microsoft's standing policy of shutting down retail sales of the preceding edition a year after the launch of a successor, but it might be worthwhile to backpedal to squeeze some money out of the XP situation without facing the backlash when customers complain that they're being pushed to adopt the radically-changed Windows 8.1.
Some revenue, in other words, would be better than no revenue, even if Microsoft had to eat crow and offer Windows 7 as an option.
Combine one or more of the above
Microsoft could get creative and blend one or more promotions. A combination of a pay-for-patches program with a discounted upgrade would, for instance, let Microsoft charge more, say $100, and effective "hide" a higher price for the patches in the total. A blended deal like that could also come with a definitive end to patching, even for a price, with Microsoft pledging to provide security updates for only one year, at which time the user would be expected to apply the Windows 7 or Windows 8 upgrade.
Microsoft may believe that none of the above are called for. One possible rationale for that thought: It's unlikely that any would have a significant impact in China, where an estimated 72% of all personal computers run Windows XP, or other emerging markets where cash is tight.
The standard thinking is that the bulk of those Chinese PCs are running a pirated copy of XP, and because of that, as well as lower consumer incomes there and in similar markets, any program that comes with extra fees would be dismissed out of hand.
Giving away patches for a longer period might help stifle exploits of XP PCs in China, for example -- and thus indirectly protect the global Windows ecosystem -- but even then, Microsoft may see no point in being generous. Most security experts believe few Chinese PC owners download and install patches, even though they can, because of their heavy reliance on pirated operating systems and an accompanying distrust of updates that they assume will sniff out the counterfeit and render it useless.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about windows in Computerworld's Windows Topic Center.
Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.
- NAB plans customer migration to NextGen platform
- A/NZ College of Anaesthetists to expand campus security monitoring
- Credit Union Australia signs Good Technology to secure 400 devices
- Taxi startup ingogo hails $3.4 million in latest funding round
- Updated: Federal Court dismisses Aust Post trade mark appeal
Amazon drones are 'fantasy,' says eBay CEO
Training critical to Australia tapping broadband potential: CSIRO
US faces major Internet image problem, former gov't official says
Why CIOs stick with cloud computing despite NSA snooping scandal
Telstra hits 300 Mbps in LTE-A trial