How many times has a vendor released a critical security patch for an operating system that is in “end of life” (EOL), the stage of the lifecycle in which the vendor no longer issues bug fixes, operational improvements or security fixes free of charge? So if a vendor spends the time and resources to break that freeze and issue a patch for an EOL operating system, as Microsoft did for Windows XP in response to BlueKeep (CVE-2019-0708, a pre-authentication remote code execution flaw in Remote Desktop Services) in May 2019, what does that tell you?

One answer is that if the vendor is going to spend that time and energy, there must be a very good reason. That is, the vendor must have a high degree of confidence that self-propagating malware, worms or ransomware could affect the remaining installed base of the legacy operating system, especially the systems that still run in critical infrastructure and medical environments, where they are often hard to replace or even to reboot.

It is important to understand that every operating system and software application faces this dilemma: when, and why, do we patch something after it has left its normal support and maintenance cycle? This is not isolated to Windows or to Windows XP.

That being said, Windows XP is unique in that it still has a large worldwide footprint 18 years after it became generally available in October 2001. Windows XP reached end of life on April 8, 2014, and Windows XP Embedded reached end of life on January 12, 2016.

Three Post-EOL Fixes for Windows XP

Microsoft has issued emergency critical security updates for Windows XP on three separate occasions since it entered end of life. These updates included fixes for the following:

  1. Vulnerabilities identified in Internet Explorer, affecting all supported versions of Windows, in May 2014 (the zero-day fixed in MS14-021).
  2. Vulnerability leveraged (Read more...)