Microsoft today shipped an emergency update for Internet Explorer to close a hole that hackers had already been exploiting.
But in an unexpected move, Microsoft allowed Windows XP machines to receive the update, even though it had long held that the 13-year-old operating system had absolutely, positively retired on April 8.
"I'm surprised they went out-of-band at all," said Andrew Storms, director of DevOps at security company CloudPassage, using the term for an emergency update outside the normal monthly patch cycle Microsoft maintains. "While there was a lot of talk about this zero-day, it was mainly focused on the XP angle."
In fact, today's turnabout was bigger news than the security update itself, something Microsoft tacitly acknowledged by posting a long blog post that dealt not with the patch or the vulnerability, but with its decision to give XP customers a break.
In that blog, Adrienne Hall, a general manager in Microsoft's Trustworthy Computing group, made plain that today's release was the exception, not the rule, going forward. "We made this exception based on the proximity to the end of support for Windows XP," Hall wrote.
Microsoft dropped XP from its support list three weeks ago.
But Storms questioned whether Microsoft had, knowingly or not, set a precedent that outsiders would cite each time a new vulnerability in Windows XP appeared.
"For me it begs the question: So when exactly is the end of life date for XP?" Storms said in an interview conducted via instant message. "What if there is another zero-day next week or next month? When is Microsoft really really really going to put their foot down? So I'm surprised they went against their word on the end of life date. It just leaves open the door for more patches either to XP or other [outdated] platforms in the future."
Hall also seemed to blame news reports about the flaw -- in particular that most reports led with the fact that XP would be vulnerable -- for forcing Microsoft's hand.
"The news coverage of the last few days about a vulnerability in Internet Explorer (IE) has been tough for our customers and for us," she said to open the blog, then later argued that the IE bug made headlines only because of its timing. "One of the things that drove much of this coverage was that it coincided with the end of support for Windows XP," Hall asserted.
"The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown," Hall added. "Unfortunately this is a sign of the times and this is not to say we don't take these reports seriously. We absolutely do."
Microsoft should not have been surprised that news spread about the IE flaw or that media reports focused on the fact that the bug was the first example of XP's out-in-the-cold situation. Others in the company's Trustworthy Computing group have long predicted that attacks against XP PCs would increase once support for the OS ended, and used the dire forecast to push customers into migrating to something newer.
The update itself, designated MS13-021, was straightforward, or at least straightforward compared to the ruckus over XP.
MS13-021 patched a single vulnerability in IE6, IE7, IE8, IE9, IE10 and the newest, IE11, on all supported editions of Windows, as well as XP. The bug was rated "critical" for all client versions of Windows -- XP, Vista, Windows 7, Windows 8 and Windows 8.1 -- but "moderate," two steps down in its four-step threat scoring system, for all Windows Server editions.
The critical vulnerability was first reported to Microsoft by FireEye last week. On Saturday, Microsoft issued a security advisory that offered several temporary ways to defend PCs from attacks.
Today's patch can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).
This article, Microsoft makes one-time exception, patches IE on Windows XP, was originally published at Computerworld.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.