Do we need Windows patch legislation?

Microsoft has got off remarkably lightly from WannaCry, as the finger pointing between Whitehall and NHS trusts began. But that might be beginning to change. The NHS had 70,000 Windows XP PCs, but only after the ransomware hit did Microsoft issue a patch. Officially, support had ended in 2014, spurring an upgrade cycle. In a …


      1. Diogenes

        Re: I blame the management....

        Nope,

        More a case of you went to the toilet, turned the tap on, and found that you had no water because you neglected to pay your water bill, and you were out of soap because the beancounters decided it was no longer necessary.

        1. Charles 9

          Re: I blame the management....

          More like you COULDN'T pay the water bill because the captive market jacked up the price beyond affordability. And water is scarce where you are so only experts know where to look: making them unavoidably expensive and risky to go it alone.

  1. plrndl

    Locking the Stable Door

    What's the point of mandating the provision of patches when the users refuse to install them until after there is a problem?

  2. milet

    The legislation should be very simple: software vendor is either obliged to provide security patches for its software or obliged to open source code...

    1. DropBear

      Precisely. Either keep fixing your mistakes or GTFO of the way.

  3. Anonymous Coward

    The NHS should have their own OS based on BSD; highly secure, highly standardized, highly specified.

    Building critical health systems on Windows is folly.

    1. Charles 9

      Unless EVERYONE is using it, leaving you in a bind.

  4. cmcdev

    Blame custom application vendors that the NHS and other companies use. They unnecessarily tie applications to specific OS releases and refuse to support them on newer OSes. These vendors pretty much hold companies to ransom as consultancy fees and migration fees are so high.

    1. Roger Mew

      You are also forgetting that the vendors are assured by MS that the software they issue is new; however, software people may spend 5 years on developing a program to run on, say, Vista and then another year testing, and the programme is put on the market when MS announce the projected new software. No, the blame has to be on MS. I have had this discussion with a vendor, and he is as pissed off as the end users.

      1. Charles 9

        If he was so ticked, why does he stick with Windows? Almost sounds masochistic.

  5. bjr

    Somebody should be fired at your NHS

    MS supported XP way longer than they should have, and when they did stop support they gave years' worth of notice. Anyone who is running 70,000 copies of XP in 2017 should be taken out and shot. If they have some software that is XP dependent that they can't replace then they should be running it on XP VMs; if a VM is compromised you can switch to a backup copy in under a minute. In addition to being resilient to attack, a VM can run on modern hardware; it's not limited to antique machines like native XP.

    1. Doctor Syntax

      Re: Somebody should be fired at your NHS

      "In addition to being resilient to attack a VM can run on modern hardware, it's not limited to antique machine like native XP."

      You do realise, don't you, that in some cases you're dealing with real time S/W that twiddles bits directly on specialised H/W?

  6. Robin Bradshaw

    You could supply support and updates for 200 years after end of life and it won't make a jot of difference if the end users won't apply those updates.

    If legislation is needed I'd suggest it's more of the kind that makes not applying security updates in a timely fashion criminal negligence.

    1. Charles 9

      But what happens WHEN (not IF) a security update breaks your machine? Get pwned or get bricked?

  7. John Savard

    Eternity

    As far as I am concerned, a vendor releasing software is obligated to ensure it is free from defects.

    That means there should not be any exploits, any buffer overflows or race conditions or any such thing anywhere in that software.

    The obligation to correct defects in a product that should never have been there in the first place should never expire. Although perhaps some limit, acknowledging that software does eventually become obsolete, might be considered.

    Perhaps 99 years - the same time as the copyright expires? Provided the vendor releases, or has released, the source code by then?

    1. Doctor Syntax

      Re: Eternity

      "The obligation to correct defects in a product that should never have been there in the first place should never expire."

      It's also an obligation that might substantially reduce the number of such defects in the first place.

      1. Charles 9

        Re: Eternity

        Except we're only human. You expect perfection out of us, and not even the military and airline industries are spotless.

  8. Steve 114

    Bootlegs?

    My elderly contacts in Russia and China are intensive XP users, never having bought or registered it. Microsoft has no responsibility to them at all, but we all have to note the huge ecosystem for virus propagation of all kinds.

  9. Boris the Cockroach

    What

    I've been saying all along whenever the "Upgrade now" or "super whizzy windows" stories come along is

    "What about us who have millions invested in safety critical stuff that runs on WinXp?"

    You can't just 'upgrade' the PC to Win10, install the drivers and hope it works, because 10 times out of 10, it won't.

    And the price of the kit is such that you need years to get back what you paid, and then make a profit.

    For example, the factory next door to us bought themselves a spiffy new moulding machine, the price... about 500,000 pounds. Now imagine that in 3 years' time, M$ go "fsck you, we're not supporting your OS anymore, upgrade or else", and the machine is rendered useless.

    Upgrading your desktop is easy, even throwing it out and buying a new one, but when the control is embedded and has to be proven to work......

    As a side note, we have 4 windows powered machines, the manuals state "If the customer attempts to install updates to these machines, the supplier has no liability for any loss or damage that may result"

    Possibly explains why we make sure the machines either have the Fanuc OS in them or the controls are based on Linux.....

    1. WatAWorld

      Re: What

      "For example, the factory next door to us bought themselves a spiffy new moulding machine, the price... about 500,000 pounds. Now imagine that in 3 years' time, M$ go fsck you we're not supporting your OS anymore, upgrade or else, and the machine is rendered useless."

      Someone bought a GBP500,000 molding machine that is tied to an obsolete operating system?

      And what did the device manager pay for that operating system? If it were Windows, $25?

      I think the quarrel is with a device maker ripping the customer off by providing an inappropriate operating system to save money.

      1. Charles 9

        Re: What

        "Someone bought a GBP500,000 molding machine that is tied to an obsolete operating system?"

        Yes, because the alternative was probably buying a GBP600,000 molding machine tied to an obsolete operating system. IOW, this is what happens when EVERYONE uses commodity stuff to undercut the competition and win contracts.

    2. Robin Bradshaw

      Re: What

      Should FANUC still be supplying replacement bubble memory and paper tape readers? :P

  10. Number6

    The correct response is for the NHS and other large organisations to require application suppliers to guarantee that they will provide updated versions of their software that will work on newer versions of operating systems for ten or twenty years (or until it's replaced by something else, whichever is sooner), with source code in escrow in case they go bust, so that the base system can be upgraded much more easily. If you're not prepared to play ball then you don't get the contract.

    1. Charles 9

      And if NO ONE agrees, meaning the contract goes unfulfilled and machines start needing to be replaced? Remember there are very few manufacturers of this specialized and very expensive medical equipment. It's a seller's market. They can probably afford to wait it out while customers from other countries ring in.

  11. doug_bostrom

    Fit for purpose?

    When the deployment purposes of commercial software include life safety critical functions, surely it's necessary to have some assurances of integrity that go beyond marketing slogans and porous, permeable warranties?

    1. CentralCoasty

      Re: Fit for purpose?

      As has been pointed out earlier - the vendors are selling this kit either with an OS embedded into the equipment itself, or with a PC sitting beside it to run the software.

      Either way it is an issue for the vendor and not M$ in this case. If I were to build some kit and make sure it only works with Win98 and some sucker buys it, whose fault is that?

      Support contracts need to be in place between the original vendor & the customer with the necessary guarantees of support & upgrades for the appropriate life of the product.

      This will stop lazy vendors selling equipment with a soon-to-be-outdated OS unless they are willing to support it themselves. It forces them to keep their own software up-to-date so they can port it from X to Y and keep their customers satisfied.

      If I buy something that has a 5 year life, then I expect 5 years out of it. If halfway through its life part of the kit dies, then I expect the vendor to make sure they have the parts (including OSes) necessary to keep it running, and if that means upgrading to a new OS then they should be planning for it!

      This then means that there should be no compatibility issues with "well we can't patch/upgrade because the application won't run on OS x"... admins can then ensure equipment is patched to the latest version.

      1. Anonymous Coward

        Re: Fit for purpose?

        IF you've bought a support contract, yes

        1. Charles 9

          Re: Fit for purpose?

          And IF one is offered, which may not be possible if all the manufacturers refuse as a bloc.

  12. Roland6

    "The NHS had 70,000 Windows XP PCs"

    When and is there a reliable source for this figure?

    I ask as a Google search only shows the "70,000" figure surfacing in news articles released within the last 24 hours, which would seem to make it a media misrepresentation, just like the often quoted "90% of NHS Trusts still running XP".

    1. Doctor Syntax

      Re: "The NHS had 70,000 Windows XP PCs"

      "the often quoted "90% of NHS Trusts still running XP"."

      And that in its turn seems to have come from a survey - I think a year or two ago - of trusts running at least one copy of XP. The fact that this might actually be just one is beyond the grasp of our mighty national newspapers.

  13. jake

    I'm surprised nobody's mentioned it yet ...

    Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment? Quite honestly, I've never seen a need to create a spreadsheet, do a little desktop publishing, or browse TehInterWebTubes when using my Bridgeport CNC; my local small animal vet sees no need to do the above when running bloodwork, and my neighbor (who runs the MRI machine here at a local hospital) says he's never seen a need for the above at work, either.

    And now they are putting full-blown Linux into coffee pots and Windows into refrigerators? WTF? Where in the hell did this need to "OverOS" machinery come from, anyway? Am I the only one who remembers when small & elegant was considered de rigueur?

    Me, I blame marketing running what should be engineering firms ... ANYway, is it any wonder that this entire conversation is happening? We're quite simply using the wrong tools for the job in the first place! Is anybody really all that surprised that they break?

    1. Roland6

      Re: I'm surprised nobody's mentioned it yet ...

      "Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment?"

      History?

      Going back to the 1990s, MS was on the rise and was desperate to become more of an Enterprise IT supplier, hence the development of NT and its successors, which resulted in the success of XP SP2/SP3 and WS2K3. Similarly, MS made a big play into embedded, which also paid dividends in XP Embedded.

      Prior to MS, and to some extent prior to the consumer IT industry, it was fairly normal to pay for a licence and support, and product lifecycles were more about sales than support. Hence why in the mid to late 1990s it was quite common to have businesses running mainframes and other major systems running OSes from the 60s~80s, still being maintained, but not available in the shops.

      I think there was an expectation that once MS had become an enterprise supplier, it also would become more flexible about its product support lifecycle, with pre-existing customers. Instead we've seen MS deliberately take steps that have alienated it from enterprise IT such as releasing a succession of Windows versions since XP that have really been focused on the consumer market and aping Apple (badly) and only belatedly trying to retrofix W10 to the enterprise.

      Which seems to support a stance I took when W8 was released, namely the time between then and EOL of W7 was the best opportunity Linux/open source had to get into the enterprise anytime soon.

      1. JamesPond

        Re: I'm surprised nobody's mentioned it yet ...

        "Why the fuck are we even thinking about using a General Purpose OS to run specific purpose equipment?"

        Capitalism. Cost, speed to market, profit margin, market share. Why develop a bespoke o/s that you then have to support yourself, when there's a COTS available?

    2. DropBear

      Re: I'm surprised nobody's mentioned it yet ...

      For, oh, about a million and one reasons, some considerably more legitimate than others. Not that I wouldn't prefer the "no more than the absolute minimum" approach - I would, I'd take a _firmware_ over an _OS_ every time; and that's exactly how it worked as long as embedded electronics - even the smartest embedded electronics - was too small, expensive and resource constrained to do anything else - and more importantly, didn't have graphic terminals and network interfaces hanging off of it left, right and center.

      But these days all constraints are history, and as soon as you have graphics and images to display or configuration data to manipulate or external storage (as simple as an SD card) to access, you'll be wanting a file system implementation to read stuff from files - preferably several, if you need to accommodate different requirements. If your thing uses _any_ kind of networking, you'll want a stack implementation that will probably also include full TCP/IP and/or low power mesh stacks (some of which are already IP-based) and whatever else you might need. If your thing is expected to do several different things at once (as most things should and almost all still fail, even in spite - or maybe precisely because - being OS-driven) you'll be wanting "parallel" execution (and what a joke that still is...) and thread management. Your device might even need to juggle a non-trivial amount of data, at which point you'll be reaching for a gun if you can't use files and a database. Heck, if your hardware is voluminous enough you might even have a need to connect to a variety of peripherals like keyboards or mice / trackballs or USB webcams etc etc etc doing any of which without the benefit of an OS with all of its drivers is guaranteed to make you point said gun away from yourself and towards other people in a fit of homicidal rage.

      Now, sure, any and all that _can_ be compiled into a monolithic firmware, but doing it _properly_ every time is going to be harder than writing that mythically exploit-and-bug-free software; and you'd be duplicating effort that has all been already expended - you'd be building an OS by any other name. So you'll be wanting an actual OS that already has all that instead of vendor libraries reimplementing all that (poorly) for each new product line, an OS with at least a modicum of maturity and periodic maintenance / security updates; an OS that even probably runs on a range of hardware instead of proprietary "support libs" for each.

      And that brings us exactly where we are - and I'm not interested here in debating how and how long support should be done. All I'm saying is - and it pains me very much to do so because it also obsoletes me in the process - the era of making do without an OS in everything except the simplest of LED blinkers is well and truly gone; and worse, it's gone for a good reason.

  14. Roland6

    Poll: If so, how long should Microsoft supply patches?

    Interestingly, the poll didn't ask whether MS should be able to charge for supplying patches beyond their normal product lifecycle EOL. It would seem there is an implicit assumption that MS should provide patches for free to all.

  15. Palpy

    A tidbit from the NY times:

    "The [medical] machines can (as they should) last for decades; that the software should expire and junk everything every 10 years is not a workable solution."

    Reffy

    (Aside: Yes, I believe the proper Brit-sprecht is "titbit" but I'm an illiterate Yank.)

    The opinion piece continues:

    "First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects). .... At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, 'pay extra money to us or we will withhold critical security updates' can be seen as its own form of ransomware."

    The author of this particular opinion piece is Zeynep Tufekci. The piece is well worth reading.

    Slam sys-admins for not upgrading to Win 10 even though it breaks million-pound hardware/software packages if you wish. Personally, I believe the problem is far knottier than that.

    You've a hospital with limited funds. Spend those funds on equipment to implement a new cardiac ablation procedure (treating potentially fatal heart fibrillation) or spend those funds to replace a perfectly good MRI machine because its software package only works with Windows XP? Hire another nurse practitioner to provide better care in the woefully understaffed terminal ward, or hire an IT specialist to get legacy hardware sequestered from the rest of the hospital network?

    My hat's off to the admin who has to make those decisions.

    1. WatAWorld

      Re: A tidbit from the NY times:

      "The [medical] machines can (as they should) last for decades; that the software should expire and junk everything every 10 years is not a workable solution."

      Can you give us an example of a medical device, CT scanner, MRI, etc. that runs Windows?

      I think you'll find that Windows is run on things like PCs used as PCs, not $50,000+ specialist hardware.

      1. Palpy

        Re: MRI running Windows

        I wrote, "a perfectly good MRI machine because its software package only works with Windows XP". I didn't imply that the machine itself runs Windows OS.

        That said, it's not unusual to find a Windows RT PLC here and there. I think we have one at my facility. The others that I've worked with all show a penguin at boot-up.

        I'm not in medical automation, but I do remember reading trade news about a new oil refinery which was installing a particular plant-wide automation package. That version being installed only runs on XP. And that was in 2014, when XP was already very near EOS. And mind you, the software in this case does not run just one machine but virtually every valve and pump in the plant.

        (In the latter case, installing that version was a very bad decision on the part of the Chinese company building the plant, IMHO. Of course they may have specced that version so it would be fungible with existing installations, but it's still very short-sighted. Says me, who really knows nothing about the situation on the ground.)

  16. WatAWorld

    Not years after launch, years after sale, and not MS, any electronics any operating system

    Not years after launch, years after sale, and not MS, any operating system sold with any consumer electronics.

    So Android, Windows, iOS, MacOS, ChromeOS, etc.

    And this would include Linux if Linux were sold with a consumer device.

    I suggest 10 years in general.

    And 15 years for devices costing in excess of US$500 if there is no follow on OS that can be installed.

  17. WatAWorld

    Let us hear from OUTLAW on this. Nothing is sold with a warranty against vandalism

    Nothing is sold with a warranty against vandalism.

    Do you guys think your cars are warrantied against people being able to smash the windows?

    Do you guys think Chrysler warrantied the M1 Abrams main battle tank against vandalism?

    If this went to a court I think the MS lawyers would be quite rightly saying, "We never promised our software would be vandal proof."

    There would be no case to be brought.

    But I'm not a lawyer. WHY NOT COMMISSION OUTLAW.COM TO DO A FEATURE ON THIS ISSUE?

    Is there a case under US law? Under European law?

  18. Allan George Dyer

    Proposal: Copyright Ceases when Support Ceases

    Require developers to provide fixes for security and original functionality (but not upgrades) at reasonable cost, say 10% of the original purchase price per annum. They can choose to discontinue this support, but the software becomes public domain.

    This allows the developer to make a commercial choice, and may reduce the amount of electronic junk sent to landfill because it's 'too old' to support.

  19. Timmy B

    Perhaps a clear use by...

    On the back of boxes or on installation dialogs.

    "This software will be patched for general use until x date and security patches will be issued until y date". Just to make it plain and clear to the users. After all it's not just PCs that could do with this - Smart TVs, Phones, etc.....

  20. d3vy

    Even if MS were legally obligated to provide non-ending support for XP, most of the affected machines were Windows 7 & 10 machines that had not had the March update rolled out to them. At least the instances I have seen in my dealings with CCGs in the north west.

  21. Anonymous Coward

    David Omand is not a coward...

    It cannot be said that David Omand is a coward. Being chief of GCHQ (comparable to NSA) and therefore responsible for withholding known security holes from the software manufacturer, he is absolutely not in the position to point his finger at MS.

    I would rather go a step further: he (his organization) facilitated that the real responsible guys (the criminals using the vulnerabilities) could commit their crimes.

    Besides that: MS had made it possible to get security patches when you pay for it. This very much looks like real life: you get what you pay for.

  22. Dan White

    Car Analogy Fail

    "An analogy may be vehicles that develop a dangerous defect. Would we excuse the manufacturer and allow unsafe vehicles on the road?"

    AFAIK, the longest vehicle warranty offered is currently 7 years. This is a 16 year old piece of software that has received thousands of updates during its lifetime. It should have been scrapped years ago for a newer model with the fixes baked in, and that is exactly what has happened, at least three times since XP in fact.

    I'm charitable enough to assume that MS didn't *deliberately* ship with vulnerabilities, and has actually spent a huge amount of resources fixing and updating them where found. To crowbar this back to the car analogy, new vulnerabilities are discovered all the time in software. By definition, they weren't known at the time of shipping. Would you expect a car manufacturer to recall your 16 year old engine because it doesn't meet new emissions standards? Eventually you have to bite the bullet and buy a modern car.

    1. DropBear

      Fail Fail

      To illustrate your car-based IT analogy with an IT-based analogy: no, you should not be required to implement SHA1 in an old product when MD5 becomes impractical to use. If your implementation of that existing MD5 is found buggy, however, you absolutely should be forced to fix it well into the next millennium, or until you acknowledge having abandoned it by fully releasing it as open source.

    2. JamesPond

      Re: Car Analogy Fail

      "AFAIK, the longest vehicle warranty offered is currently 7 years"

      I agree the car analogy is not a like-for-like comparison, although Chrysler had to recall 14 year old Jeeps that had poorly designed fuel tanks that exploded when the vehicle was rear-ended.

      However, a car being hit in the rear is totally foreseeable. I'm not sure Microsoft could have foreseen the exponential growth in malicious attacks, especially from nation states, and encrypting the hard drive for ransom when they started developing XP.

      1. Allan George Dyer

        Re: Car Analogy Fail

        @JamesPond - I don't know when MS started developing XP, but let's say it was when they released its predecessor, W2K, in 1999, when the malware threat was well-established and growing fast. There was an encryption attack, the AIDS Diskette, much earlier, in 1989; though that was badly planned it showed the possibility. The possibility of an asymmetric encryption extortion attack was the subject of nightmare scenario speculation among anti-virus researchers during the 1990s, as I recall. But that, and the possibility of a nation state attack, is not really relevant: the patch fixed a flaw in the SMB implementation, and MS knew their customers would be plugging into public networks, so the security of their network protocols was critical.

  23. Anonymous Coward

    So does GCHQ have zero days stockpiled?

    Perhaps Omand could address the question of the morality of security services sitting on piles of zero days for critical software and allowing large parts of the world's economy to go unprotected - when they could fix it.

    So long as security services know about critical weaknesses and don't inform software companies they can't claim to be keeping us safe.

    But Omand won't say anything because "we never comment on security matters" - apart from when they want to comment on security matters.

  24. analyzer

    I'm no fan of Microsoft.

    I haven't used MS products on a personal level for well over a decade now but the furore over this is just plain ridiculous. This has been caused by upper management not taking IT seriously at all and this is not confined to civil facilities. It should be impossible to manufacture the amount of Teflon that these people have on their shoulders. MS gave 4/5? years of warnings that XP was being deprecated and then a pay extra program that got increasingly expensive to encourage people to do the right thing and deal with the issue.

    At that point upper management should have been asking about the security of their computing estate and how to guarantee its future security and providing the budget for the implementation, not stuffing their snouts in the trough until the money covered their eyes.

    8 years to air-gap or secure access a critical unchangeable system is more than enough time for any properly run organisation. Upper management in this country does not meet the criteria required. MS committed to support XP Embedded systems until 2020 and these patches are a function of that.

    The debacle that has occurred with XP desktop is due to idle, feckless upper management and any prosecutions should start at board level and work down.
