Do we need Windows patch legislation?

Microsoft has got off remarkably lightly from WannaCry, as the finger pointing between Whitehall and NHS trusts began. But that might be beginning to change. The NHS had 70,000 Windows XP PCs, but only after the ransomware hit did Microsoft issue a patch. Officially, support had ended in 2014, spurring an upgrade cycle. In a …

LDS
Silver badge

"but I do think they should be obligated to fix faulty code"

Do you know how many products in later production batches get fixes which are not present in the earlier ones, often fixing faults that may not be so noticeable? A recall happens only when the fault is so risky, or anyway causes enough bad marketing, that they can't do otherwise (or they tell you you're holding it wrong).

For example, I never run to buy a new camera model as soon as it is released. Despite the tests, there could still be many little issues that went unnoticed, or were introduced by the start of mass production. Often they get fixed later without saying anything to previous buyers. Those products that need repairing sometimes get the fixes without even telling you (to avoid more requests, especially under warranty). Better to wait enough months, and usually you get an improved model...

LDS
Silver badge

"If they had included 16 bit support in 64 bit"

They couldn't. AMD decided to remove Virtual86 mode when the CPU is running in 64-bit mode, so it wasn't possible (except in a VM, with all the VM requirements). The culprit is AMD, not Windows.

Besides NetBIOS, do you also need IPX and maybe something older? <G> Do you know how many vulnerabilities could lurk in those protocols, and their implementations?

Anonymous Coward

Re: All products have a support life

>How much only works in IE or IE6?

IE6 still gets regular (almost monthly) security updates on Win CE 6 - and will (without additional support contract) until late 2018.

Anonymous Coward

Re: All products have a support life

> MS did fix the bug. Recent versions of Windows are safe.

If a car manufacturer found a fault in the braking system of a car, so that they knew it wouldn't work under certain circumstances, and decided that they'd only fix the problem for new cars, how do you think people would react?


Re: All products have a support life

Ford Pinto -

A friend of mine had a Pinto and a Corolla wagon back then. He was an engineer, and said that the Corolla had the same problem as the Pinto. So he made a modification to his Corolla that was similar to the one Ford provided to the Pinto.

Bronze badge

Re: All products have a support life

I'd say a maximum of 12 years' support for OSes, with subscription-only, security-only support after 10 years, because 10 years is the longest that even slow-upgrading businesses should try to maintain machines: computer technology design does age, and the physical hardware can age too and become increasingly costly to maintain, if you can still get compatible parts!

Maybe require an audit of the age of computer hardware and software in a business, with warnings issued for too old equipment which is not planned and scheduled for replacement.

Gold badge

Re: All products have a support life

Good analogy, but it doesn't lead to your desired conclusion.

Cars are built from components. If the company that makes the brake sub-assembly finds the fault and notifies the car manufacturer, it is up to the car manufacturer to issue the recall because it is the car as a whole that has to meet consumer trading standards.

Likewise, the MRI scanner vendor can say "Don't attach my scanner to the internet" and then any vulnerability in the component (XP) is not relevant to whether the whole (scanner) is deemed to be working correctly.


Re: All products have a support life

"WinXP is still widely deployed - and security fixes (NOT increased functionality, new drivers etc) should be maintained for a *very* long time."

Car manufacturers don't continue to produce spares or provide other support for models sold over 10 years ago. Nor do manufacturers of phones, PCs, fridges, washing machines or pretty much anything you care to mention. The military often demand long service lives for their equipment, but this is for bespoke equipment and the longevity doesn't come cheap. MS and others of their ilk are quite open about the life cycle of their products; users cannot expect to ignore this just because they feel their work is important.

Back in the 80s and 90s, if one phoned for software support on mini computers, the first question would be about your support contract and the second would be to ask the patch level of the system in question. If the system was not up to a recent level of critical patches, the support folk would suggest that the system was updated to a supported level and to call back if the problem remained. Software support was always contingent on keeping systems up to date. This seems even more worthwhile with the Internet and rapidly changing security threats.

Silver badge

Re: All products have a support life

"OTOH should we also be looking at the suppliers of MRI scanners etc which are often blamed for being the cause of 'staying on a known OS'. They ought to be obliged to release software for newer versions of their chosen OS (whether that's MS/OSx/*nix/*BSD/....) for the expected lifetime of the machine (probably more than the expected life actually)"

A recent post by an engineer who's worked on such kit suggests that this is by no means straightforward and you could actually brick the instrument by getting it wrong. At the very least you'd have to re-certify the new combination.

Silver badge

Re: All products have a support life

"But MS have forced the adoption of XP past its natural life."

If your customers are married to XP because of NetBEUI/NetBIOS the reason most likely is the 3rd party vendor and obsolete & unsupported software that forced them to use XP. Not MS.

"Vista killed full screen command prompt (VGA DOS programs) and 7 32bit NETBIOS."

Vista can run full screen text mode just fine if you use WinXP drivers.

Perhaps you mean NetBEUI, which was dropped from Vista? It was pretty much obsolete back in 2006 when Vista premiered. Windows XP dropped AppleTalk and DLC protocols. I'm sure there were a few complaints too, but to quote Spock: “The needs of the many outweigh the needs of the few.”

Silver badge

Re: All products have a support life

@jpo234 - "You wouldn't claim that a car maker is at fault if a car explodes when somebody maliciously shoots it with a gun."

I would if the car was an Armoured Personnel Carrier. MS has marketed each new version of Windows (from as far back as NT) as 'the most secure Windows ever', during a period that has included all sorts of malware and vulnerabilities, so MS knew they were designing for a hostile environment. They released the code with this vulnerability; ideally, they should have fixed it before release. So, by releasing an XP patch, they are merely fulfilling their obligations 16 years late.

Silver badge

Re: All products have a support life

@JohnG it is still the same today. We have support agreements on all critical hardware and software, and if something breaks down, the first question is the support agreement number (they check to see if support has been paid) and the second is to check what firmware / software version number is in use; if it is old, the first step is to get it on a current version, to see if that fixes the problem.

(We had that with a server, a SAN and our SuperLoader recently)

Bronze badge

Re: All products have a support life

Cjatcti wrote "Possibly you should have made a better choice than "y" or ensured it would run in a broader environment."

You are assuming that there are options. There are some very niche NHS software requirements with only two or three suppliers, sometimes only one-man-bands.

Some time ago I worked at a Manchester trust and the IVF department were fed up with the supplier of their software. He had moved to Egypt and if the application crashed or gave a wrong result, it could take days to get him on the phone. But researching other suppliers, there were only a couple of alternatives. One had sold to 6 IVF clinics in the U.K., i.e. the majority at that time. He was an IVF consultant at an NHS trust in London, and he charged £200k for the software and £50k per annum for support. But he wasn't available 9-5 because he had his day job!

I'm not sure whether he would have had much inclination to redevelop his software for Windows10.

MJI
Silver badge

Re: "If they had included 16 bit support in 64 bit"

The applications were written in a big-selling database compiler and the best database for it used native DOS IPX; there was no IP layer in DOS.

It used NETBIOS to talk to a Windows IP interlayer, which talked to the server with IP. This worked perfectly with 2000 and XP; on 98 we used IPX as 99% of the servers then were NETWARE.

MS's aggressive attack on Novell caused all customers to go to Windows Server, and MS's deprecation of IPX forced the tool we used.

Search for ADSDOSIP and Windows 7.

And the server engine can work with all Windows languages I have come across, so at least data is safe.

The graphics mode, though, that was mainly games; I remember Wolf3D.

As to AMD removing 16-bit support, why not leave it in for Intel and let them use it as an advertising feature? It would be nice to allow my home PC to run my favourite text editor in 7 (64) as well as XP (32).

Mind you I raised a laugh today when a customer asked us to check the specification for a server and I said my 10 year old XP PC is more than twice as powerful.

Anonymous Coward

Not just Windows, the whole hardware/software industry.

However, one thing that does need legislating against is Windows Update, such a slow resource-chewing pig it's untrue. The last round of updates for W10 had my Xeon/SSD machine crippled for ages awaiting a reboot, pissing about applying patches. Meanwhile on the same dual-boot machine huge updates for SUSE Tumbleweed are a quick and painless pleasure.

Microsoft, WU has been broken for years and is not fit for purpose.

Anonymous Coward

Windows update is a disgrace. After watching it fail to finish updating for 5 consecutive days with no explanation why, I downloaded the update package and manually updated. Which is par for the course with this steaming POS.

Today I noticed my network printer wouldn't print. No panic, that's happened repeatedly after allowing Win update to run; a quick driver uninstall/reinstall/reconfigure usually fixes it. 2 hours wasted while that repeatedly failed, never showing an error, lying to me that it was actually printing while otherwise happily talking to the printer. Still don't know what actually fixed it this time. I doubt Windows installing the wrong drivers helped much.

Yet people still wonder why so many of us block updates? It's broken beyond belief, uncontrollable, and deliberately withholds essential information about what it's doing and why it fails. Needs putting down with extreme prejudice.

Silver badge

My last Windows Update for Windows 10 took around 20 seconds, on an HP Spectre x360 with a Skylake Core i5 processor; I think there is something seriously wrong with the configuration of your machine if it is taking more than a couple of minutes.

Silver badge

No, if you skip updates or go for a time without updating as many people last year did thanks to GWX and telemetry, it can utterly screw itself up.

I'm trying to sort a Windows 7 machine out, I can't even install the relevant patches manually because when you run them they search for the currently installed patches and then it just sits there for hours.

LDS
Silver badge

Download and manually install the latest Windows Update client first. But there are issues with CPUs with only one or two cores (even in a VM).

Gold badge

@big_D: I have, for many years, maintained a small collection of VM images with different versions of Windows. Whenever I work on them, I snapshot them first and revert afterwards, so as far as each VM is concerned, the only thing I have ever done to it is wake it up once a month, let it update and then put it back to bed.

Several machines (two Vistas and two Win7s) have actually just updated themselves into oblivion under this "cruel regime". That is, they reached a state where they blue-screened at startup and this was repeatable if I reverted to the previous image and let them try eating that month's updates a second time.

Of the survivors, the XP machines were taking several hours each month by the end (2014-ish) and the Win7 boxes that remain are taking quite a while each month now as well.


Lucky you. On my good kit Win10 updates take half an hour. On cousins' XP POS embedded they can take all night, or not at all.


"I'm trying to sort a Windows 7 machine out, I can't even install the relevant patches manually because when you run them they search for the currently installed patches and then it just sits there for hours."

There are some fixes for this issue and a specific standalone update from MS. The latter worked for me.

Silver badge

Found the solution on ghacks in the first comment. A little bit more than one standalone update but at least it works.

And now I'm uninstalling the telemetry, again.

No, I will not be 'upgrading' to Windows 10.

Silver badge

@Dan 55 - Glad to see you resolved your Win7 update problem [ref: https://forums.theregister.co.uk/forum/containing/3178008 ]

I've added the ghacks article to my Win7 maintenance useful information file.

Silver badge

The most important thing was to turn off Windows Update and disconnect from the Internet before installing the patches in the right order.


No. The concept of doing so is ridiculous. The blame here is firmly on those still using an operating system that is 16 years old. Microsoft gave them plenty of warning, offered specialised upgrade programs and eventually resorted to nagware to try and get people to upgrade.

If anything, the vendors of the bespoke software holding back OS upgrades should be held accountable, as well as the inept IT management that think CAPEX savings outweigh OPEX savings. In IT, they almost never do.

Silver badge

All very well in theory, but when the vendors of the bespoke software have been acquired by multiple orgs and their inept management don't even know what they've bought (not as unusual as you might think) and decide to shitcan these products you rely on...

Being able to upgrade your drivers between versions of operating systems would be a marvellous ability but the upgrade path from Win XP just doesn't work for many hardware and software solutions.

Isolating the Win XP off "the net" would be a nice option, except of course the x-ray machine needs to send its output to a server, and the lack of IT resources means the simplest solution is to keep it connected rather than come up with a bespoke air-walled solution...

The real world is much more complex than all these "simple" solutions everyone keeps coming out with can handle.

Silver badge

I am not so sure.

I am very firmly coming around to believing that the current approach, which for now I will term a throwaway approach to both hardware and software, is not sensibly sustainable.

We tout 'Progress' for progress's sake. But stability, especially in something that has come to be deeply rooted (snigger) in most of our lives and certainly on a day-to-day basis, should really be a core tenet of the design approach.

Maybe it is time to think about OS stability being more of a concern in consumer, and certainly in business and definitely medical, terms and not just in the terms of where they seem to really hold it in high regard: The Military.

Silver badge

@m0rt - I would tend to agree. But isn't that a buyer-beware problem?

There's numerous solutions to this. Let's take the example of that big capital investment in an MRI scanner. How long's that supposed to last? 30 years - maybe more. Long beyond any OS support lifecycle I know of.

So how do we deal with the inevitable obsolescence of the control software:

- You could do it with the support agreement when you buy the kit. Put clauses in there around ensuring software updates are made available for a supported OS. Get some escrow in there so you get the source code if they fail to deliver on that. And ideally get some decent penalty clauses in so they pay if you need to address this on their behalf.

- In addition I would like the control software separated from the OS it's running on. A platform-agnostic architecture, though that's probably easier said than done on a 30-year timescale.

Just thinking out loud. Best get back to work.

Silver badge

> - You could do it with the support agreement you buy with the kit.

Yup, and then you get a moronic Minister for Health some years down the line who cancels the support contract to save a minuscule amount of money in comparison to the overall budget, and then you are back to square one and screwed.

Silver badge

The blame here is firmly on those still using an operating system that is 16 years old.

Today is some 16 years after Windows XP was first released, but the important date is when machines were last sold with Windows XP - this was some time near 2010; so for those machines XP is only about 7 years old, but support ended in 2014 - when those machines were 4 years old. It seems to me that a computer that is 4 years old is still quite young; support should have continued longer.

Anonymous Coward

"support ended in 2014 - when those machines were 4 years old"

If you wanted your new computer to last a long while, you shouldn't buy it when there's only 4 years of support left.

Silver badge

AFAIK an MRI has a 10-year lifetime.

Silver badge

@BoldMan

But then they only have themselves to blame, when it all goes pear-shaped.

The same is true with Windows XP. They were told a couple of years ago that if they hadn't moved to Windows 7 or later, they would need to pay annual support to keep Windows XP patched. They decided not to cough up and now they are paying the price.

They could have paid and they would have received the patches to keep them safe from this exploit months before it was put in the wild. They decided to save a few pounds and now they are crying foul.

Silver badge

@alain williams

I would agree with you, that the PCs were "only" 4 years old, when support for XP stopped, IF they hadn't been warned 10 years before that of when the end date for support was.

Those PCs were sold with Windows 7 Professional + downgrade rights to Windows XP, so there weren't even any licensing issues about upgrading and getting continued support. And if they were using Enterprise licensing with SA, versioning is irrelevant, they could have upgraded directly from XP to Windows 10, if they had wanted.

As it is, they ignored the warnings, still installed XP/ bought downgraded PCs and then, when the support period ended, they didn't take Microsoft up on the offer of extended, paid support. As the Germans say, selber Schuld.

Silver badge

@big_D

> The same is true with Windows XP. They were told a couple of years ago, that if they hadn't

> moved to Windows 7 or later, they would need to pay annual support to keep Windows XP

> patched. They decided not to cough up and now they are paying the price.

They did cough up, but that paragon of Ministerial competence Jeremy C-Hunt cancelled the contract to save £5 million, which in comparison to the NHS budget is the loose change you find down the back of the sofa.

Gold badge

"the x-ray machine needs to send its output to a server"

So it sends it to a cheap linux box containing two network ports. One port goes to the x-ray machine and the other goes to the wider network. Run a script on the linux box to move files onward as required. As far as the x-ray machine is concerned, nothing has changed. As far as malware on the wider network is concerned, it now has to break into a linux box before it can even see that there is an x-ray machine on the other side.

Yes, it is slightly more complicated, but once you've worked out the details you can semi-isolate lots of similarly challenged pieces of kit. (Perhaps the chaps at http://www.nhsbuntu.org could help you set it up.) Yes, it isn't perfect isolation, but it is a perfectly valid component in a layered defence. Yes, it is a pain in the butt, but if it were my job to protect the IT of an entire hospital and I had the constraint of accommodating an XP-driven device, I'd reckon that something like this was what I was being paid for.

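One way to write the "script on the linux box to move files onward" from the post above, as an added example that is not part of the original comment, of nhsbuntu, or of any vendor's software. It assumes a dual-homed relay host where the imaging device drops files into an inbox directory on its own interface and a second directory is exported to the hospital side; the paths, the DICOM-only policy and the quarantine directory are assumptions chosen for the example. The point it adds to the comment is that the relay should not blindly forward: it accepts only plain filenames (no path traversal from a compromised device) and only files that carry the DICOM Part 10 magic, and it makes each file appear on the outbound side atomically so a half-written image is never picked up.

```shell
#!/bin/sh
# Added example (not the page's code): one-way file relay for a dual-homed
# Linux box sitting between an XP-driven imaging device and the wider network.
# Paths below are hypothetical; point them at the real inbound/outbound shares.
INBOX="${INBOX:-/srv/relay/inbox}"           # written by the device over its own VLAN
OUTBOX="${OUTBOX:-/srv/relay/outbox}"        # exported read-only to the PACS side
QUARANTINE="${QUARANTINE:-/srv/relay/quarantine}"   # anything that fails validation

# Accept only a plain base filename: non-empty, no slashes, no leading dot,
# and only [A-Za-z0-9._-]. This blocks "../" tricks and odd control characters.
safe_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# A DICOM Part 10 file is a 128-byte preamble followed by the ASCII magic "DICM".
# Anything else (executables, scripts, stray documents) is not relayed.
is_dicom() {
    [ "$(dd if="$1" bs=1 skip=128 count=4 2>/dev/null)" = "DICM" ]
}

# Relay one file: validate, then move it into the outbox under a temporary name
# and rename, so consumers on the other side only ever see complete files.
# Files that fail validation go to quarantine for a human to look at.
relay_file() {
    f="$1"
    name=$(basename -- "$f")
    if safe_name "$name" && is_dicom "$f"; then
        mv -- "$f" "$OUTBOX/$name.part" && mv -- "$OUTBOX/$name.part" "$OUTBOX/$name"
        return 0
    fi
    mv -- "$f" "$QUARANTINE/" 2>/dev/null
    return 1
}

# Sweep the inbox once; prints "<relayed> <quarantined>". Run it from cron,
# e.g. every minute, on the relay box (usage: . ./relay.sh && relay_all).
relay_all() {
    ok=0; bad=0
    for f in "$INBOX"/*; do
        [ -f "$f" ] || continue
        if relay_file "$f"; then ok=$((ok+1)); else bad=$((bad+1)); fi
    done
    echo "$ok $bad"
}
```

The device never learns the outbound address and the hospital side never sees the device's interface, so malware on the wider network has to compromise the relay host before it can even reach the XP box; the content check means a compromised device cannot push an executable through the relay either. Validation is deliberately a whitelist (known magic, known filename shape) rather than a blacklist of bad extensions.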
Silver badge

The real world is much more complex than all these "simple" solutions everyone keeps coming out with can handle.

Another characteristic of the real world is that evaluating each "simple" solution for each individual case takes time. Half a dozen individual installations with unique, complex requirements could take a lot longer to update than a large office of routine desktops with a common build.

Silver badge

Re: @alain williams

"Those PCs were sold with Windows 7 Professional + downgrade rights to Windows XP, so there weren't even any licensing issues about upgrading and getting continued support."

The PC and its OS in such a situation is likely to have been only a component in a larger system, a system which required XP because of some client/server application where the client end won't run on a later version.

You inevitably end up having to consider a more complex situation where simple solutions don't work. Yes, you could argue that the original system shouldn't have been put together that way. Maybe it wouldn't have been if the original developers had only known what a later OS version was going to break.

Silver badge

"Yes it is slightly more complicated, but once you've worked out the details you can semi-isolate lots of similarly challenged pieces of kit. (Perhaps the chaps at http://www.nhsbuntu.org could help you set it up.) Yes, it isn't perfect isolation, but it is a perfectly valid component in a layered defence. Yes, it is a pain in the butt,"

And yes, if it impinges on any certification the original machine requires, then either you've got to hold off for a few months while that's sorted out or simply shut down for that period.

Gold badge

If your x-ray machine's certification depends on certain machines being present or absent elsewhere on a network then I have to question whether the certification is sane, but even so, you just provide the network environment required by the certification and then place my device outside of that.

There is simply no way that a need to transfer data from A to (eventually) B requires that A be placed on the same network as B.

Silver badge

Re: @Doctor Syntax

But that isn't Microsoft's problem, per se. The user has been warned that support is running out and they either have to upgrade to a newer version (for free in many cases as the hardware will have had a valid license for a newer version of Windows) or they pay for ongoing support.

In this case, they did neither. They only have themselves to blame.

Silver badge

Your average punter has zero clue about EOL dates when they buy a computer; in 2010 an XP machine would have been a cheap but functional option for people on a budget (and if replacing an old XP PC, chances are they would go for XP again as they could guarantee all their existing software would work OK).

By that only 4 years support argument why buy Windows 10?

https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet

Mainstream support ends 2020...

Silver badge

@tiggity - "Your average punter has zero clue about EOL date when they buy a computer"

I think you have accidentally hit-the-nail-on-the-head!

The real problem with software and Microsoft is that MS support policy is based on the date of first release and not on 10 years from the date of sale, which is the case with white goods, cars etc.

I buy a new washing machine from the high st. I don't care if the OEM has ceased production, it still comes with a 1~10 year manufacturer's/store warranty commencing on the date I purchased it.

To keep things simple, I suggest changing MS's product lifecycle so that it provides support until 10 years after the date of last official retail sale, which in the case of XP was October 22, 2010.

Gold badge

"By that only 4 years support argument why buy Windows 10?"

Well, yes. Why? It's not a foregone conclusion.

On the other hand, if MS stick to their stated aim of Win10 being the last Windows you will ever buy, they've adopted essentially the same model as Linux:- No given release is supported for more than a few years, but an upgrade to the latest release is free and usually runs all your stuff.

(Possibly this is why Win10 is now so annoying. MS aren't making any money out of it so they might as well use it as a public beta for all their crazy ideas. The distinction between "current branch for consumers", which makes no money and gets all the shitty experiments, and "current branch for business", which makes money and perhaps skips the experiments that didn't work, would suggest that this is exactly how MS now feel about their former cash cow.)

Silver badge

@tiggity - in 2010, you could only get XP as a "downgrade" on new hardware, and only for Professional and Enterprise variants of Windows, so that excludes "your average punter".

Any business buying XP would have to order that extra, or they received a Windows 7/Windows 8 PC and an XP recovery CD. Either way, they had to know that XP wasn't the wisest option.


Minimum life..

Microsoft maintains product for far longer than, say, Google (running at 3 years for fondleslabs, less for phones?) or Samsung (no updates issued ever). Of course, they need to...

The danger with a minimum life, though, is that it becomes a kill switch, but that can be legislated too.

And no, Microsoft should be under no obligation to release fixes to cheapskates that it has developed for paid customers. There are surely many more critical fixes that it has for paid customers that also aren't released.


Let's look at other operating systems from the same era:

Solaris 8 - released Feb 2000 - support ended March 2012

Solaris 9 - released May 2002 - support ended October 2014

AIX 5.2 - released October 2002 - support ended April 2009

HP-UX 11i - released December 2000 - support ended 2015

All seem to run to a similar end-of-support timeline, although AIX is considerably shorter and HP-UX is slightly longer. All in all, the XP end-of-support timeline isn't unreasonable; there has been plenty of time and warning about migrating off of it.

LDS
Silver badge

Add the support policies of Ubuntu (an LTS gets unsupported after five years) or Debian... only Red Hat has longer support cycles, comparable to Microsoft. Apple macOS is also no better.



Biting the hand that feeds IT © 1998–2018