Microsoft To Provide IE Patches for Windows XP Only

Fortunato_NC writes "Microsoft has decided that future IE updates, including those related to security, will only be available to customers using Windows XP. This news.com article has the complete scoop. A choice quote: 'Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point.' This should provide a huge boost to Mozilla and other alternative browser backers."

Classic M$

[scifience]

Then they'll come back in a couple of days/weeks and say that "our business customers are unhappy with this decision" and decide to extend the patches through the end of 2006.

Re:Classic M$

[networkBoy]

We've been rollong our own patches for 3 years now. And while we're deploying XP Pro on all new notebooks we have a ton of older test equipment where the vendor has us locked into older revs of the WinOS (everything but ME, XP home, and PreNT4). It's a huge PITA when M$ tries a stunt like this and we are left holding the bag after our vendors (all smaller than us) give up and say they can't do anything about it. We employ roughly 60K people worldwide and have double that many PCs (at least). I'm sure other mega corps like us will be able to pressure M$ into supporting at least 2K for quite some time to come. With that said, half our data center and most all of our engineering data services are running on some form of *nix. -nB

Re:Classic M$

No, their view, believe it or not, is that people don't want the security patches for older systems! At least, that's what Bruce Morgan, of the Internet Explorer team, posted on the IEBlog.

Re:Classic M$

[deantallica]

What are you all complaining about? The 640 previous patches ought to be enough for anyone.

Re:Classic M$

[Zorilla]

I bet you're right too. I'm sure there are many large corps who won't move from W2K to XP.

Microsoft will definitely give it a second though when they realize organizations like this one are using Windows 2000 on user machines. It took them until 2002 to get fully upgraded from NT 4.0 where I was.

Re:Classic M$

[14erCleaner]

Nobody will ever need more than 640 patches.

Re:Classic M$

[poincaraux]

Don't be silly. You make it sound like his view, and the view of the IE team, is that a large number of people don't want security patches for old systems. What he said is this:

Here's another eWeek article on the same subject. You'll note that some people interviewed want an update for Win2K while some people do not.

And the article he's talking about has one person saying

he would much rather see Microsoft spend resources supporting current and future product releases rather than older ones.

So, fine, you may disagree with that, but it's not quite the fantastical position that you imply.

Re:Classic M$

[pbranes]

http://support.microsoft.com/default.aspx?scid=fh; [ln];LifeWin

Microsoft is already committed to supported Windows 2000 until **** 2010 ****.

All this article says is that Windows 2000 will not get a pop-up blocker and an add-on manager.

Re:Classic M$

[pbranes]

http://support.microsoft.com/default.aspx?scid=fh; [ln];LifeWin

Read it straight from Microsoft. Windows 2000 is supported until 2010. This article from cnet only states that Windows 2000 will not receive a pop-up blocker or an add-on manager. Hotfixes will still be released as needed.

Re:Classic M$

[Progoth]

Microsoft is already committed to supported Windows 2000 until **** 2010 ****.

All this article says is that Windows 2000 will not get a pop-up blocker and an add-on manager.

Mod this fellow up, if you bother to read the article you will see the post is correct. It specifically says security updates will be released, just not the sp2 "security enhancements." Didn't sp2 get some kind of protections against buffer overruns at a low level? that's what won't be backported.

XP only ?

[mirko]

What do they mean ?
No update for Win2000 which is still used by my 50000-employees company ?
Or do they mean they will not update IE/Solaris and IE/OS[9X] ???

Re:XP only ?

[DogDude]

Well, my 6 employee company has standardized on W2K. We've been testing Firefox for the past month, and with the exception of a few IE specific apps, we'll be staying with Firefox now.

Re:XP only ?

"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement. "The most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible."

Seems pretty clear to me.. Unfortunate .. commonplace for larger companies to be using Windows 2000 ..

In other news Microsoft decides to stop patching Windows 2003 and recommends that everyone upgrade to Linux..

Re:XP only ?

[drinkypoo]

While they might stop patching everything but XP, the text you cite does not say that. Nor does it even imply it. They're only specifcally saying that SP2-related security enhancements will not be delivered to any other version of windows, until longhorn comes out sometime in 2014.

Re:XP only ?

[guacamole]

IE/Solaris (and HPUX) has been dead for many, many years. OS X version of IE has been EOLed shortly after apple introduced Safari.

Re:XP only ?

[narsiman]

What they mean is Windows 2000 is completely secure. It does not need anymore fixes. You should be happy that you selected W2K for all your 5000 employees.

Re:XP only ?

[overshoot]

What do they mean ?
No update for Win2000 which is still used by my 50000-employees company ?

Yup -- but you were supposed to upgrade to XP already, so what's the big deal? You have been paying for Software Protection, haven't you?

Re:XP only ?

[timeOday]

I have to side with the article summary on this one:

Microsoft promised "ongoing security updates" for all supported versions of Windows and IE.

The ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month. Those include a new pop-up blocker and a new system of handling ActiveX controls and downloaded content.

And it's those more substantial changes, rather than the bug fixes that come with routine upgrades for supported products, that security organizations have lauded for addressing IE's graver security concerns.

There you have it: there is no option for securing MSIE on Win2K.

Re:XP only ?

[HydrusZ]

"Microsoft promised "ongoing security updates" for all supported versions of Windows and IE."

It means you will still get all of the patches, but you will never get the popup blocker and other features specific to IE6 SP2. Not a big deal.

Re:XP only ?

[kfg]

You have been paying for Software Protection. . .

Yeah, youse wouldn't want anything to 'happen' to yer software, now would you?

KFG

Re:XP only ?

[Martin+Blank]

Man, you people are gullible.

Microsoft has said that they will not make IE6 SP2 available for older versions of Windows, not that they won't provide security patches.

Generally speaking, I don't criticize the Slashdot crew because they have enough story submissions to read through that things will slip past, but this is ridiculous. Microsoft has committed to several more years of Windows 2000 support, and there are still a couple of years left on Millenium. Because they view the browser as part of the OS, it would be asinine to think that they would patch XP's IE and leave the older ones to sit where they are now.

Re:XP only ?

[jekewa]

If you check the Product Lifecycle Dates they've already passed the end-of-life dates for many of the older versions of Windows.

Win3x, Win9x, and WinME are all long passed. WinNT Server remains until 31 Dec 2004, but other WinNTs are passed. Win2K is scheduled for demise on 30 June 2005 (start saving). Even WinXP is scheduled for desupport 31 Dec 2006. Win Server 2003 is scheduled for 30 Jun 2008, so you've got a while there, but it's on the plan.

It should not come as a surprise that they stop providing feature enhancements to the older versions. Profit and other greed aside, technically it's unrealistic to expect them continue to support systems indefinately.

Tick, tick, tick...

Re:XP only ?

[homer_ca]

"The option for securing MSIE on Win2k is the same as on any other platform, including XP - Don't use it"

It's not as simple as don't use IE as a web browser. Outlook and Outlook Express use it. Quicken uses it. Any executable or VBscript could open an IE control and send an exploit to it.

As other threads have pointed out, they won't be porting the XP SP2 enhancements like the popup blocker and the new, safe ActiveX handling (whatever that means). I'm guessing they'll still be releasing patches for exploitable bugs like the recent JPG decoder bug.

Good

[linsys]

I don't see this as anything but GOOD news for the alt browser market.

I have already moved all my customers off IE and onto firefox and have received NO complaints as of yet, actually they are like wow I don't seem to get any more of those pop up ads, you're a great admin... ;)

Microsoft continues to shoot them selves in the foot in the area of security. I thought they wanted to keep their market share, I guess the greed is getting to them.

Re:Good

[dtfinch]

Unfortunately, a great deal of home users will never even think of installing a browser besides the one that came preinstalled.

Re:Good

[linsys]

Try turning it on!

Re:Good

[Quinn_Inuit]

It's not so much shooting themselves in the foot as shareholder pressure. One of the ironies of M$'s near-monopoly position is that their old products are their biggest competition (in most markets). Shareholders, of course, are not content to rest on the companies laurels, but want new profits.

It may sound strange, but this is just an attempt to choke out the competition.

Not security updates but security enhancements

[FuzzzyLogik]

They aren't saying they won't provide security patches for holes, they're stating they won't provide the features that are in SP2 in anything other than XP. That's what I got out of it. Which isn't such a big deal, did you expect anything less really?

"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement.

Re:Not security updates but security enhancements

[Xawen]

I think the confusion is that the article says the recent security ENHANCEMENTS wouldn't be provided to anything but XP. This means no pop-up blocker/firewall/{insert service pack 2 goodie here} for Win2k or below.

They are not saying that they're going to stop making hotfixes for the older versions. Windows 2000 is still officially supported...just don't hold your breath for a pop-up blocker.

Re:Not security updates but security enhancements

[FortKnox]

The key word in that quote is "Improvements"... I see that as tools to help you stay secure, not security patches.

There's a difference between giving the user a firewall (improvement) vs giving the user a patch in a security flaw in the OS (patch).

Metaphorically speaking...

[kahei]

This article tries to turn the sow's ear of an overstretched metaphor into the silk purse of a pithy comment, but winds up counting it's chickens in a castle built on sand as the skeletons in the closet come home to roost.

How many reasons?

[DigitalRaptor]

Really, how many reasons do people need to switch to another browser before they do it?

I know a LOT of really intelligent, well educated people, many of whom are programmers or use linux in a server environment, who still use IE / Outlook [Express] on their desktops.

That is just begging for it.

I tell them over and over again the risks, and they still stay where they are. Ironically, complete neophites switch over as soon as I tell them about Firefox / Thunderbird.

I guess the meek really will inherit the earth.

Re:How many reasons?

[Mr_Silver]

I know a LOT of really intelligent, well educated people, many of whom are programmers or use linux in a server environment, who still use IE / Outlook [Express] on their desktops.

This could be because those people have never been affected by all the exploits that are out there.

Think of it like a house with a dodgy lock, you don't bother getting around to changing it because it's the last thing on your mind. As soon as you get broken into, you'll fix it.

These people just haven't been given an incentive to change yet. They're happy with what they have and aren't interested in changing. Banks rely on this sort of apathy all the time - otherwise you'd get some decent competition when you're shopping around for a new current account.

No, that's not what they said.

[stratjakt]

First fucking line of the article.

Microsoft this week reiterated that it would keep the new version of Microsoft's IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2.

Only the new version of the browser is available under XP Service Pack 2, for architectural reasons the other OS's lack (NoExecute and whatever else).

It says nowhere they won't provide patches for the most current IE's available under 2000.

The new IE only runs under XP SP 2. You also need to upgrade if you want true HT support, BTW.

Wait a minute....

[FortKnox]

We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows

Seeing as IE isn't apart of windows (wasn't that part of the anti-trust agreement?), shouldn't I be able to D/L the latest and greatest version of IE (with patches already included) from MS??

When asked about IE's origin as a free, standalone product, the representative said, "You're talking in software terms that might be considered ancient history."

Oh, I see... the settlement is ancient history....

I can see them only including it in windows update for XP only, but not giving out the latest and greatest as a standalone product? Bad move.

Re:just like them

[miracle69]

I haven't been to a website in years that I couldn't see in Mozilla.

Care to provide any examples?

Still patches for previous versions...

[ImpTech]

According to the article, there will still be security updates for all supported versions of IE and Windows. What they're saying is that Win2k and older will not get the pop-up blocker or any other such enhancements.

Still sucks for the Win2k users though... Its clearly nothing more than a ploy to make them upgrade.

Firefox shines, but free hard to believe for some

[Leomania]

What I mean is this: no one believes that you can get something for nothing any longer. Case in point, I just installed Firefox (and Spybot/AdAware/SpywareBlaster) for my next-door neighbor who had a slew of popup-generating malware on his PC. As I installed Firefox, he kept asking "And it's free? Why? What's their business model?" As a salesman, he just couldn't swallow that it could be a full-featured application AND available for free.

The good news is that he's happily using it now and he's starting to understand that IE was how the malware was getting onto his system. But I tell you, if I have to spend as long convincing/educating others as I did with him, it's going to become a full-time job pretty damned fast.

- Leo

So much for MS's new focus on security

[Maestro4k]

You have to love this quote from the article:

• "Microsoft is not using security issues or any security situation to try to drive upgrades," said a company representative. "But it only makes sense that the latest products are the most secure."

Well yes that's true but it's also true that a large portion of the zombie PCs out there spewing spam, viruses, worms and DDoS attacks are NOT running the latest product from Microsoft. Effectivly Microsoft's saying "well we'll concentrate on security only in a future sense." Bet that once Longhorn finally arrives XP will stop getting security patches shortly thereafter.

Frankly we can only hope that there's enough big business clients that have "legacy" Windows OSs that will raise holy hell with Microsoft on this. Otherwise we can expect the situation with compromised machines to not get any better. It seems most of the people with badly compromised PCs don't even try to get them fixed until they finally grind to a halt, they're not likely to be upgrading to XP anytime soon.

Read the EULA

[overshoot]

When you license (not "buy") an MS product, you waive any claim on them for anything. Put another way: whatever problems you have are none of their worry.

Re:Read the EULA

[CountBrass]

Fortunately, at least in the UK, anything a company sells has to be of "merchantable quality" and "fit for purpose" and that's not something the company weasle their way around in anyway at all. Doesn't matter if they put up signs in the shop saying "sold as seen" or make you agree to an EULA: those consumer rights still hold regardless.

In addition, it's a basic part of contract law that any clause that effectively takes away precisely the benefit you were contracting to receive is automatically void.

Re:And my car?

[Adam9]

Microsoft's definition of "SP2 enhancements" is quite vague. They're referring to securtiy features. These "security features" could easily translate to bug fixes.

From TFA: "It's a problem that people should have to pay for a whole OS upgrade to get a safe browser..."

This implies that the older versions of MSIE won't be considered "safe" anymore.

Re:Microsoft responsibility?

[danheskett]

IANAL
Not many people are.

but couldn't a corporation hold microsoft liable for damages incurred to an unpatched system
They could try, but they would probably fail. Others have tried, and failed.

1. First off, with a security flaw, you need to be exploited to suffer damages. In a court case it will be easy to argue that MS shouldn't be responsible because even though they made a flawed product there was an overt criminal act involved that trumps their involvement. For example, if a car manufacturer makes cars with easily defeated locks, or locks that sometimes don't work, can the owner of the car sue the car company for damages if the car is stolen? They could try, butit probably won't get far just on that argument.

2. Second off, in liability cases you have to do your honest best to mitigate your exposure to loss. If I buy a product, and later am notified that is defective, it is my obligation to act appropriately. That may include stopping to use the product. In this case, it may mean active content filters, firewalling, security zone changes, etc.

3. Finally, many industries are exempt from liability in certain cases. For example, auto-manafacturers do not have to recall cars after a certain age. It doesn't make sense for the government to require Chevy to recall the remaining 1976 S-10's because of a latch that might go dangerously bad at 200,000 miles. Microsoft would have a good claim that Win2k and earlier is the equivalent of that outdated pickup truck. You drive that old pickup at your own risk. Windows XP is running on well over half of all Windows machines now. That percentage is getting bigger and bigger. Soon it will be 66%. At what point is it okay to stop supporting a product?

One last point. It may be tempting to say that MS should be liable for exploited systems. That is a bad road to go down. If all of the sudden liability is assignable to software makers because of exploits like this, the whole software world has a major problem.

Software liability could be exactly the tool that MS wants to destroy Linux in the business world. If an individual writing OSS software new that any possible flaw they introduced coul cost them everything they own you can bet that the number of checkins to Sourceforge will drop drastically. Companies like MS will be able to whither the storm. They'll force everyone to use only signed binaries. Machines will become locked down to the Nth degree, and proprietary will be back in. Every software vendor will force their users to run approved-only configurations. It'll be like the mainframe days of the 70s and 80s only worse. Companies like MS can afford to buy the liability insurance and the lawyers to hold on. Meanwhile, the Mozilla foundation will flounder and die.

Software liability is a bad, bad, bad, bad idea for the entire industry, but absolutely deadly for Linux and FOSS in general.

Sites not usuable by non-IE browsers

[spineboy]

I work in the medical field, and plenty of sites for reading X-rays, checking patient labs seem to be only usuable by IE(active-X issues, etc). It's the only reason I keep Windows on my Linux boxes.

You waived that right.

[Andy+Dodd]

When you agreed to the EULA, you agreed not to sue M$.

Odd that this is one of their biggest FUD weapons against OSS, "There's no one to sue.". Well, there's no one to sue with M$ software either.

TROLL ALERT!

The story, if you read it, states the XP SP2 improvements to IE will only be available to XP SP2 customers. THESE imporovements will only be able to XP SP2.

The article DOES NOT state no more IE patches for 2000/NT 4.0

Very very misleading title to this story on ./

Re:TROLL ALERT!

[Muerte2]

I'm not sure I totally agree with what you say. You see I'm one of the rare Slashdotters that actually READ the article.

By refusing to offer IE's security upgrades to users of older operating systems except through paid upgrades to XP, Microsoft may be turning the lemons of its browser's security reputation into the lemonade of a powerful upgrade selling point.

While I'm not sure it's 100% as cut and dried as what the /. title suggests, it does say that some security releases may not make it back down to the old OSes.

Does this surprise anyone?

[Xentax]

I'm a little annoyed (But not exactly surprised) that there's so much fuss about this.

I can understand companies needing time to upgrade to a new version of the OS in particular, and software in general.

But XP is the newest major version of the desktop OS. There is, AND SHOULD BE, and end-of-life for the older versions. Who's still running a 1.x kernel of Linux? What percentage are even running 2.2x? Does Apple still patch Mac OS 8 or 9 (I'm asking, I don't actually know the answer)?

I see all this "MS forcing you to upgrade" talk - well they're HARDLY the only company out there that does this, how else will a company that makes software for profit stay alive? This includes every gaming company out there, Oracle, Peoplesoft, etc. etc., in addition to the other OS vendors (Apple, Sun, RED HAT...you get the drift).

I guess maybe the sentiment is that 2000 isn't old enough "yet" to be back-burnered like this? That's at least debatable. But the notion that MS is wrong to wean people off of the older versions over time is folly.

Xentax

Re:Servers?

[jtharpla]

Actually, in a software company, it's not atypical at all to have Server installations used as desktops. We have a number of developers who develop/test software on top of databases, IIS, etc. Yes, some of this stuff is available for 2KPro and/or XP, but the only way to be sure it works 100% is to have access to the full server version. So it's not atypical for a developer to run Server as desktop. I myself use 2003 Server as my desktop because I wanted to be able to evaluate different server products (I'm a sys admin). I also wanted to get familiar with 2003 Server before it rolled out to our production systems--when you use it every day, you find all the nooks and crannies you'd overlook in terms of settings and whatnot. Finally, I prefer the remote access configuration of Server over XP. It's not unusual for me to use both remote sessions as well as the console, running different apps as different users, etc. Sometimes RunAs just isn't powerful enough for this.

Thank you, Microsoft!

[ParnBR]

Timing couldn't be better. Until the end of the year, we'll have Firefox 1.0 ready. A Brazilian Portuguese version should be ready not long after. I'm happy with this, because I work as a network admin in a public school in Brazil, and this situation will enable me to mandate a no-IE policy in our LAN. We only have licenses for Windows 2000, therefore we aren't eligible for IE updates. IE6, by itself, is already dangerous, despite the fact SP2 is a step in the right direction. But an unmaintained IE6 is nothing but trouble, and I think it will be easy to convince the school's principal of this. I foresee this happening in many other places, now.

Thunderbird is my next target, I'm eagerly waiting for a full-feature, almost-no-bugs release. I had some trouble this week with some recalcitrant Outlook Express users and viruses, and I already managed to convince them to change the e-mail client. You can use good arguments to convince them, but downtime can usually be even stronger than your arguments. ^^

Re:Soup nazi ref?

[Leomania]

Heh... I *just* saw that episode again last night. Classic.

Really, how can ppl buy MS if they know that in the future they may not recieve any support for their insecure software?

Let's compare Microsoft vs. OSS. The browser is one component (integrated into the core OS in Windows, yes, and that should NEVER have happened) but there's countless other bits of software that make up an operating system and its applications. I am still running a copy of Windows 2000 on one box, and I still get updates for various flaws from time to time, about four years after purchasing it. I'm pretty pleased about that.

By contrast, I can't keep a Linux distro on a box for longer than about two years. I can modify a spec file and rebuild a RPM with (the second cousin of) the best of them, but at some point things just stop building properly. The solution? Upgrade to a new distro. Just went through this on my mail/web server a couple of months ago; damn but it's hard to make the new versions of all the software play nicely together. But I digress...

Overall, I'd say MS is up there with the best of them in terms of shipping updates that are compatible with a fairly old version of their software, their broken security model notwithstanding. I'm a lot less concerned about broken components like IE that I can (happily) replace than core OS components needing an update that I am stuck with... thankfully those are rare enough in my case.

Anyway, I'm a flip-flopper on the subject of the OS I use; both Windows and Linux (oh yeah, Solaris too) on a daily basis and have both a use for, and issues with, all of them. C'est la vie.

- Leo

M$ Partners

[JambisJubilee]

This should provide a huge boost to Mozilla and other alternative browser backers.

Unfortunately, I don't think it will. I work for a small business (a Microsoft partner) which provides IT services for other small to medium sized businesses. We provide both solutions and support. If we chose to use a non-microsoft product, we loose tens of thousands of dollars in support. No viruses, worms, spyware, hijacked browsers == no money.

It seriously bothers me, but I would argue that the strength Microsoft has is not in providing well written software, but providing poorly written software prone to exploits.

Microsoft's Consistency is GUI

[abb3w]

What part of THIS don't you get?

How Microsoft is reconciling that with THIS:

"Microsoft remains committed to providing security updates to our customers for all supported Windows versions."

I suspect it means that the popup blocker, new download protector, IE plug in controls, window relocation blocker, e-mail screening, and e-mail bug blocker will not be made available for anything but XP-SP2. Which kinda sucks, but is mostly OK. If only it were possible to view the "Downloaded Program Files" folder without Windows Explorer filtering the contents; possibly the plug-in manager would improve that, but I doubt it. I've found the best blocker for these stupid add-ins and adware pieces is creating an empty NTFS folder where it wants to go... and then setting all permissions to "Everyone -- Deny".

As I've always said, IE was never 'free'

[Rob+Y.]

Back in the days when Mozilla wasn't a great performer, lots of /.'ers would say stuff like, "if IE's a free download, why should I use this crappy Mozilla stuff". Well, now you know why.

It was only a matter of time before MS decided to tie browser upgrades to OS upgrades. After all, for a large portion of users, the browser's the only app they use. With their ill-gotten browser semi-monopoly, why wouldn't MS force you to buy an OS upgrade to get a new browser. DOJ? Not this DOJ.

Sounds like as good a reason as any to separate the browser from the OS. After all, this side-effect of bundling can't possibly be regarded as beneficial to consumers, and consumer benefit was the only defense they could come up with for exempting their bundling from antitrust regulations.