Microsoft still earning millions from Win XP support

The US Navy has revealed it will pay Microsoft at least US$9 million ($11.6 million) to provide custom support for its Windows XP operating system.

The Navy has signed a three-year deal to continue to receive critical hotfixes and patches for Windows XP, Office 2003, Exchange 2003 and Server 2003, IT News reported.

Microsoft ended support for the ageing Windows XP last April, but still offers customised support at a price doubling per year for companies still operating mission-critical applications on XP systems.

The Navy will be able to elect to renew the contract at the end of the three years, in which case the price will expand to around US$31 million.

In Australia, Microsoft is asking organisations for $200 per user per year to provide custom support for XP, with this price also doubling each year. A number of government agencies including Queensland Health have yet to upgrade their systems.

Microsoft is gearing up to launch Windows 10 on 29 July as a free upgrade to all users of Windows 7 or later.

Meanwhile, HP has published details of a series of zero-day vulnerabilities in Microsoft's Internet Explorer after learning that Microsoft has decided not to issue a patch.

Researchers from HP's Zero-Day Initiative (ZDI) team have uncovered vulnerabilities in the web browser that potentially allow attackers to bypass the address space layout randomisation (ASLR) and data execution protection (DEP) functions of Windows.

After being informed that Microsoft does not intend to address the ASLR flaw involved, HP decided to publish full details of the exploit and a white paper with technical details of the attacks.

In a blog post, HP researcher Dustin Childs said the company did not take the decision to publicise the vulnerability lightly.

"To be very clear, we are not doing this out of spite or malice. We would prefer to release this level of detail only after the bug is patched. However, since Microsoft confirmed in correspondence with us they do not plan to take action from this research, we felt the necessity of providing this information to the public," he said.

HP researchers received a US$125,000 ($161,767) bounty for discovering the exploit and other vulnerabilities with the isolated heap and memory protection functions of the latest version of IE.

At the time, the 120-day disclosure timeline had passed, but HP did not provide full details of the discovery to give Microsoft more time to patch, Childs said. But the company has since learned that a complete fix will not be developed, because Microsoft does not believe that a significant number of users will be affected.

Microsoft has stated that ASLR is more effective on 64-bit versions of Windows due to the far higher address space. But Childs noted that HP researchers have determined that the exploit also affects the millions of 32-bit systems running Windows.

"[We are therefore] releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations," Childs said.

"As I wrote in my earlier Security Briefing, in order to effectively protect a system, defenders must fully understand the threat. We feel it's important to let everyone know about the threat so that they could better understand the actual risk to their network."

Image courtesy Microsoft.