Yesterday, Microsoft introduced a minor change to its Lifecycle Support policy:
Support for products traditionally has ended at the end of a calendar quarter – Dec. 31, March 31, June 30 or Sept. 30, mere days before the second Tuesday of the following month, when Microsoft issues security updates. For some customers, that timing has meant they have not been able to take advantage of potential fixes for products for which support has just ended.
Effective today, Microsoft is changing that by matching the date the product-support lifecycle ends with the regular, monthly security update release cycle. Specifically, products for which support ended Dec. 31, 2005 — namely Microsoft Exchange Server 5.5 – are supported until today, when Microsoft is issuing a security update for the server, company officials say.
And apparently the change was just in time for Exchange 5 users:
The change most impacts Exchange 5.0 and 5.5 users, who were to be cut off from all support — including critical security updates — as of the end of 2005, but who received a patch for a critical vulnerability Tuesday.
“This is a very good thing for our customers in terms of our Trustworthy Computing initiative,” Vargas added.
It may have more to do with the severity of the vulnerability than with any Microsoft initiative.
“This bug has massive financial implications,” claimed Mark Litchfield, co-founder and director of NGS Software, the U.K.-based security company credited with discovering the flaw. “If enterprises didn’t patch yesterday, they’d better be patching today,” he added.
The vulnerability affects older editions of Microsoft Exchange, from the now-obsolete 5.0 and 5.5 through Exchange 2000 Server. Microsoft Exchange Server 2003, however, is immune.
The changes haven’t been reflected on the various lifecycle information pages yet.