In Rare Move, Microsoft Offers Critical Security Patch For Windows XP, 8, Other OSes

Versions of Windows aren't supported forever. Microsoft stopped releasing updates for Windows XP in 2014, for example, and other versions of the operating system have since been dropped so the company can focus on their modern descendants (and encourage laggards to upgrade). Yet that didn't stop Microsoft from releasing a critical security fix that gives Windows XP, Windows 8, and Windows Server 2003, among others, the same protection against this flaw that supported versions of Windows already had.

Microsoft reached that decision after the WannaCry ransomware spread across the world late last week. The ransomware spread by exploiting a vulnerability in Windows' SMBv1 file-sharing service that was patched in supported versions of Windows (7, 8.1, 10, Server 2012, etc.) back in March. Many devices were still vulnerable, however, either because automatic updates had been disabled or not yet applied, or because they ran versions of Windows that no longer receive updates at all.

As we pointed out today, some of the affected organizations simply can't move to new versions of Windows because they rely on legacy software or fear that patches will break critical devices. Continuing to use Windows XP three years after Microsoft stopped updating it creates security problems, sure, but for hospitals and large businesses it can also be what keeps life-saving or mission-critical applications running.

"This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind," Microsoft Security Response Center principal security group manager Phillip Misner said in the update's announcement.

With this update, Microsoft responded to the world as it is, not the world as the company wants it to be. In an ideal world, every individual and organization would run the most recent versions of all their software, which were already protected against the vulnerability WannaCry exploits. But this isn't an ideal world. People still use Windows XP, Windows 8 and Windows Server 2003. It's better to fix a problem as critical as this one than to chide everyone for using old versions of Windows, even if they're only doing so because critical legacy software doesn't support Windows 10.

You can learn more about the vulnerability patched with these updates, MS17-010, on Microsoft's website. Download links for the old versions of Windows can be found in Microsoft's blog post. Note that this is a one-off fix for a single flaw: those versions remain unsupported and do not otherwise receive security updates, so the patch buys time to upgrade or isolate them rather than making them safe to keep on the network indefinitely. Misner said the company is "working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate."
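For administrators who now have to find out which machines still need this fix, the following is an added example, not code from the article or from Microsoft: a quick audit of one Windows host for the SMBv1 flaw fixed by MS17-010. It is written against PowerShell 2.0 cmdlets (Get-WmiObject, Get-HotFix) so it also runs on the legacy hosts the article discusses, where the newer CIM and SMB cmdlets do not exist. Assumptions: the KB list is illustrative, starting from KB4012598 (the package Microsoft published for XP, Windows 8 and Server 2003) and should be completed from the MS17-010 bulletin for your operating systems; the `netstat` check assumes an English Windows locale, which prints "LISTENING".

```powershell
# Added example (not from the article or Microsoft): audit this host for
# exposure to the SMBv1 flaw fixed by MS17-010. Run in an elevated session.

# KB4012598 is the out-of-band package for Windows XP / Windows 8 / Server 2003.
# Supported versions got their fix in March under separate KB numbers; extend
# this list from the MS17-010 bulletin (assumption: illustrative, not exhaustive).
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216')

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} ({2})" -f $env:COMPUTERNAME, $os.Caption, $os.Version)

# 1. Is any MS17-010 package installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    $ids = ($installed | ForEach-Object { $_.HotFixID }) -join ', '
    Write-Host ("MS17-010: installed ({0})" -f $ids)
} else {
    Write-Host "MS17-010: NOT FOUND - patch this host or isolate it from the network"
}

# 2. Is the SMBv1 server still enabled? The 'SMB1' value under LanmanServer is
#    Microsoft's documented switch for Windows 7 / Server 2008 R2 and later; when
#    the value is absent the protocol is on by default. Windows XP / Server 2003
#    have no supported off switch, so they always report as enabled here.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
if ($smb1 -eq 0) {
    Write-Host "SMBv1 server: disabled"
} else {
    Write-Host "SMBv1 server: enabled (value absent or non-zero)"
    # To disable on Windows 7 / 2008 R2 and later (reboot required), uncomment:
    # Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
    # Windows 8 / 2012 and later can use Set-SmbServerConfiguration -EnableSMB1Protocol $false instead.
}

# 3. Is TCP 445 (direct-hosted SMB, the port WannaCry scanned for) listening?
#    netstat exists on every version, so it is used instead of Get-NetTCPConnection.
#    Assumption: English locale, where the state column reads "LISTENING".
$listening = netstat -an | Select-String -Pattern ':445\s+.*LISTENING'
if ($listening) {
    Write-Host "TCP 445: listening - block it at the host firewall and network edge unless file sharing is required"
} else {
    Write-Host "TCP 445: not listening"
}
```

The three checks are deliberately independent: a host can have the patch installed and still expose SMBv1 to the network, and a host that cannot be patched (or cannot have SMBv1 turned off, as on XP) can at least have port 445 blocked so a worm on the same segment cannot reach it.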

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • randomizer
    This is the most sensible thing Microsoft has done with Windows in years.
    Reply
  • Achoo22
    It's hard to offer any praise for their actions when the backdoor existed for many years and Microsoft was demonstrably negligent in their handling of it.
    Reply
  • alextheblue
    Wow. That was unexpected... XP is positively ancient. I hope even with the out-of-support patch, companies will learn their lesson and start migrating systems any way they can. At a minimum, run legacy apps in a VM and handle all your other work including filesharing, email, etc on a fully patched host OS.
    Reply
  • JQB45
    We need to come up with a way of disabling wholesale file encryption *except* by authorized apps and services. Possible?
    Reply
  • jdwii
    XP is the best and I still use it every day as my OS.............NOT lol WTF come on guys what the hell I understand hating 10 but man XP is just so old upgrade to Linux if you have to.

    I would never trust an XP OS in 2017 for security reasons.
    Reply
  • Anders235
    " some of the affected organizations simply can't use new versions of Windows because they rely on legacy software or fear that patches will create problems with critical devices. "

    This is an entirely bogus excuse that I'm tired of hearing. I've heard this from companies that partner with a Global Fortune 200 company and it's horsepuckey that comes down to, we don't wanna pay to upgrade.

    Microsoft is not on the hook forever to support ancient OSes and neither is the IT profession. Disappointed that TH, a nominally IT site, peddles this kind of low-information rubbish.
    Reply
  • -Fran-
    Considering I still see ATMs and Cashier machines running WinXP for their day-to-day usage, this doesn't surprise me one bit. That would be even worse press than what MS has already had with this round of news.

    Cheers!
    Reply
  • Mousemonkey
    19688966 said:
    " some of the affected organizations simply can't use new versions of Windows because they rely on legacy software or fear that patches will create problems with critical devices. "

    This is an entirely bogus excuse that I'm tired of hearing. I've heard this from companies that partner with a Global Fortune 200 company and it's horsepuckey that comes down to, we don't wanna pay to upgrade.

    Microsoft is not on the hook forever to support ancient OSes and neither is the IT profession. Disappointed that TH, a nominally IT site, peddles this kind of low-information rubbish.

    I can only assume that you are not in the UK and thus know not of the NHS! :lol:
    Reply
  • InvalidError
    19688966 said:
    " some of the affected organizations simply can't use new versions of Windows because they rely on legacy software or fear that patches will create problems with critical devices. "

    This is an entirely bogus excuse that I'm tired of hearing. I've heard this from companies that partner with a Global Fortune 200 company and it's horsepuckey that comes down to, we don't wanna pay to upgrade.
    Some companies and institutions do rely on software for which the company and/or the source code no longer exists and cannot be updated. You also have various $100k+ lab instruments running Windows XP with custom drivers and software to run their acquisition cards; good luck upgrading them to any newer Windows version. The same goes for any machinery relying on PC-based controls, where upgrading may not be possible without reverse-engineering and rewriting the control software or shelling out hundreds of thousands of dollars to replace an otherwise still perfectly working piece of equipment. There is a whole lot more to it than the $200 license seat cost.

    If you think XP is ancient, many companies still run their payroll on 30+-year-old VAX mainframes or 25+-year-old AS/400 minicomputers. Companies do not want to mess around with systems that are vital to parts of their core operations.
    Reply
  • 19688363 said:
    We need to come up with a way of disabling wholesale file encryption *except* by authorized apps and services. Possible?
    Do you like UAC? Because what you're suggesting is basically forcing UAC prompts every time any app attempts to modify any file on your PC.

    A lot of people already hated the UAC that showed up when installing new apps or changing Windows preferences. My guess is that if MS makes a stricter option for UAC, nobody's going to use it. And even if MS forces it on, people are just going to blindly click on "Allow". I mean, if your "Zelda Breath of the Wild for Windows PC" app wants file write access to update itself, why wouldn't you allow it? If you wouldn't, why did you download it in the first place?

    There are plenty of people who have asked themselves all sorts of questions involving security, some smarter than you and me, all of them have dedicated several decades more of their time to it. Trust me: if you think your idea about improving security is good, you're either a bloody genius, or you're awfully naïve. No offense.
    Reply