Microsoft's decision to erase its support line in the sand has sowed confusion and will likely encourage bad behavior by some customers, analysts said today.
"If next month someone finds another zero-day like this one, Microsoft could just move the line again," said John Pescatore, director of emerging security trends at the SANS Institute, a security training organization.
"In a way, this encourages bad behavior. There's a risk that people will look at it that way," said Michael Silver, an analyst with Gartner, referring to those who will now question Microsoft's determination to end XP support, and thus slow or even suspend their migrations to newer editions of Windows.
The experts were talking about Microsoft's move on May 1 to issue fixes for a critical vulnerability in Internet Explorer (IE) that had been disclosed the week before and used by cyber criminals for an unknown length of time before that to hijack Windows PCs. Patching the bug was not unusual; what was out of the ordinary was Microsoft's decision to push the fix to Windows XP machines.
Previously, Microsoft had set the end of support for Windows XP as April 8, a date it had broadcast for years. When Microsoft software reaches its support retirement date, it's company policy to discontinue public patching.
Just weeks after the deadline, Microsoft essentially said, "Never mind," and patched the IE vulnerability on Windows XP. What had been certain -- the support line in the sand -- became irresolute.
Microsoft defended the decision, saying it had bent to what it called "overblown" media coverage and explaining that it did so only because XP had only recently been retired.
"I don't think the coverage was overblown," said Pescatore.
Wes Miller, an analyst with Directions on Microsoft, agreed. "It was a very bad vulnerability," he pointed out.
Even so, the analysts were surprised at the release of a fix for XP, not only because of the line Microsoft had so firmly drawn but because of the ramifications of erasing that line.
The precedent was what concerned the experts. "Absolutely, the precedent matters to Microsoft," said Miller. "It's not a question of if, but when, this issue will come up again. Until key organizations are off of XP, every major vulnerability becomes a major opportunity for exploitation."
Some customers still running Windows XP may view Microsoft's patching decision as a pass to continue running the 13-year-old operating system which, as Microsoft has repeatedly hammered home, lacks many of the advanced security and anti-exploit features and technologies in newer editions, including Windows 7 and Windows 8.1.
Even further in the future, customers running Windows 7 may recall this XP patch and conclude that Microsoft is not serious about retiring that OS when its January 2020 support deadline nears.
"There is now a difference between what Microsoft thinks they mean and what [customers] think they mean," said Miller. "Everyone is playing chicken. Which means [years from now] people may say, 'I can keep running Windows 7.'"
Microsoft was in a "lose-lose" situation with XP, according to Silver, because of the operating system's large user base. At the end of April, XP powered about 26% of the world's personal computers, analytics company Net Applications revealed last week.
Although Microsoft didn't mention XP's stubborn resistance to retirement, and the vast numbers of PCs that still run the OS, the decision was clearly based on its continued prominence. Which makes one wonder, analysts said, what Microsoft may do in the weeks and months to come.
"I think Microsoft thought hard about this one. But if the same thing happened in a year, you wouldn't see it. So that [patch last week] may have been the real line," contended Silver.
"Six months from now, an XP vulnerability may get the same [media] coverage," said Pescatore. "But then Microsoft has a much stronger story. They might say, 'XP's dropped in half since April, so we're sticking to the plan.'"
Computerworld's current projection -- based on a 12-month average of Net Applications' data -- is that XP will still account for 19% of all personal computer operating systems at the end of the year.
"This was the right thing to do," argued Silver. "Microsoft's move was defensible." But what about next time? Will there even be a next time? "Caveat emptor," said Silver, illustrating the new uncertainty about the company's support policy.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.