Microsoft will craft XP patches after April '14, but not for you
The company could keep shipping updates, even play the pay-to-patch card
Gregg Keizer
Just because Microsoft doesn't
plan on giving Windows XP patches to the public after
April 8, 2014, doesn't mean it's going to stop making those patches.
In fact, Microsoft will be creating security updates for Windows
XP for months -- years, even -- after it halts their delivery to the general
public.
Those patches will come from a program called "Custom
Support," an after-retirement contract designed for very large customers
who have not, for whatever reason, moved on from an older OS.
As part of Custom Support -- which according to analysts, costs
about $200 per PC for the
first year and more each succeeding year -- participants receive patches for
vulnerabilities rated "critical" by Microsoft. Bugs ranked as
"important," the next step down in Microsoft's four-level threat
scoring system, are not automatically patched. Instead, Custom Support contract
holders must pay extra for those. Flaws pegged as "moderate" or
"low" are not patched at all.
"Legacy products or out-of-support service packs covered
under Custom Support will continue to receive security hotfixes for vulnerabilities
labeled as 'Critical' by the MSRC [Microsoft Security Response Center],"
Microsoft said in a Custom Support data sheet. "Customers with Custom
Support that need security patches defined as 'Important' by MSRC can purchase
these for an additional fee.
"These security hotfixes will be issued through a secure
process that makes the information available only to customers with Custom
Support," the data sheet promised.
Because Microsoft sells Custom Support agreements, it's obligated
to come up with patches for critical and important vulnerabilities. And it may
be required to do so for years: The company sells Custom Support for up to
three years after it retires an operating system.
Custom Support and the XP security updates that result have been one
reason why some experts have held out hope that Microsoft will backtrack from
retiring XP next April. Their reasoning is straightforward: Microsoft will have patches available -- its engineers
won't have to do any more work than they already committed to doing -- so
handing them out to all would be a simple matter.
Or not. Most experts have said that the chances Microsoft will
prolong Windows XP's life run between slim and none. And giving away patches to
everyone risks a revolt by those big customers who have paid millions for
Custom Support.
But Microsoft does have options. Computerworld sees six.
Continue patching for free
If Windows XP remains a major presence, as appears likely, with
projections as high as 33.5% of all personal computers at the end of April
2014, Microsoft could decide to continue patching the aged OS with free fixes
for critical vulnerabilities, maybe even those rated important.
Such a move would be unpalatable to Custom Support customers, but
Microsoft could renegotiate the fees -- unlikely -- or remind those companies
of the program's other benefits, which include access to support
representatives, as well as to prior patches and hotfixes.
Patch the critical vulnerabilities under active attack
Microsoft could selectively patch only the critical bugs that are
being exploited by hackers. Presumably, that would be a subset of the complete
XP patch collection assembled each month.
Some analysts have picked this option as a possibility. Last
December, Michael Cherry of Directions on Microsoft posed
just such a situation.
"Suppose ... a security problem with XP suddenly causes
massive problems on the Internet, such as a massive [denial-of-service]
problem?" asked Cherry at the time. "It is not just harming Windows
XP users, it is bringing the entire Internet to its knees. At this time there
are still significant numbers of Windows XP in use, and the problem is
definitely due to a problem in Windows XP. In this scenario, I believe
Microsoft would have to do the right thing and issue a fix ... without regard
to where it is in the support lifecycle."
Charge users for XP patches
Although Microsoft would much rather book revenue from the sale of
a newer OS, it may realize that some will refuse to upgrade, and try to make
money rather than give away fixes.
It's unlikely that Microsoft would be able to charge $200 annually
for post-retirement patches, as it does with Custom Support customers, but it
may be able to get away with $50 a year for individuals and small businesses,
perhaps with a maximum machine cap at, say, five PCs per customer.
Traditionally, Microsoft's not charged for support, but it could
cast this as a special situation caused by the longevity of XP, which was due
to the delay of Vista and, secondarily, that OS's subsequent flop. In late 2007,
when Microsoft extended XP availability to OEMs by several months, it cited
Vista's delayed launch for the unusual move. (It added another extension in 2008
that kept XP alive on new "netbook" PCs, the then-popular class of
cheap laptops, until mid-2010.)
And Microsoft has talked up a transformation to a
"devices-and-services" company; a pay-for-support plan would mesh
nicely with the latter half of that strategy.
Heavily discount Windows 7 or Windows 8.1 to XP users
For several months late last year and through January 2013, Microsoft
sold Windows 8 Pro upgrades for $40: It has not revived the cheaper prices
since.
Microsoft might try another discount to nudge XP users off the
creaky OS, pitching them either Windows 8.1, the update slated for a
mid-October debut, or less likely, the option of moving from XP to Windows 7.
The latter would violate Microsoft's standing policy of shutting
down retail sales of the preceding edition a year after the launch of a
successor, but it might be worthwhile to backpedal to squeeze some money out of
the XP situation without facing the backlash when customers complain that
they're being pushed to adopt the radically-changed Windows 8.1.
Some revenue, in other words, would be better than no revenue,
even if Microsoft had to eat crow and offer Windows 7 as an option.
Combine one or more of the above
Microsoft could get creative and blend one or more promotions. A
combination of a pay-for-patches program with a discounted upgrade would, for
instance, let Microsoft charge more, say $100, and effectively "hide" a
higher price for the patches in the total. A blended deal like that could also
come with a definitive end to patching, even for a price, with Microsoft
pledging to provide security updates for only one year, at which time the user
would be expected to apply the Windows 7 or Windows 8 upgrade.
Do nothing
Microsoft may believe that none of the above are called for. One
possible rationale for that thought: It's unlikely that any would have a
significant impact in China, where an estimated 72%
of all personal computers run Windows XP, or other emerging markets where
cash is tight.
The standard thinking is that the bulk of those Chinese PCs are
running a pirated copy of XP, and because of that, as well as lower consumer
incomes there and in similar markets, any program that comes with extra fees
would be dismissed out of hand.
Giving away patches for a longer period might help stifle exploits
of XP PCs in China, for example -- and thus indirectly protect the global
Windows ecosystem -- but even then, Microsoft may see no point in being
generous. Most security experts believe few Chinese PC owners download and
install patches, even though they can, because of their heavy reliance on
pirated operating systems and an accompanying distrust of updates that they
assume will sniff out the counterfeit and render it useless.