When Microsoft ends support for Windows XP on Tuesday, a security sinkhole will likely open and gradually widen, threatening hundreds of millions of PCs worldwide in homes, companies, government agencies and schools.
Along with the Y2K bug, Windows XP’s support termination is one of the computer industry’s most publicized — and most ignored — deadlines, toward which many business and IT managers have taken a curiously casual attitude.
The implications could be dire for those organizations that continue to use Windows XP, a decrepit OS Microsoft launched in 2001, and whose bugs and security vulnerabilities it will no longer patch.
Microsoft hasn’t minced words painting doomsday scenarios of malicious hackers and cybercriminals having a field day with Windows XP PCs, unleashing a barrage of malware, carrying out ransomware attacks, and stealing sensitive personal and financial data stored in those machines.
“Once support ends and the OS is no longer patched, the PC is at risk,” said Tom Murphy, Microsoft’s director of communications for Windows.
Microsoft set the fateful date almost seven years ago, and since then has been telling consumers and commercial customers with increasing urgency to upgrade from Windows XP, warning them that missing this deadline would put their PCs in serious danger.
And yet, while estimates vary, it’s widely acknowledged that Windows XP still runs a substantial percentage of desktop and laptop PCs, and of other specialty computing devices, such as bank ATMs.
NetApplications recently said that as of February, Windows XP was on almost 30 percent of PCs, second only to Windows 7 with about 47 percent, and towering above the shiny new Windows 8 and 8.1 versions, with a combined 10.6 percent.
Surprisingly, the problem isn’t exclusive to clueless home users.
“There’s a pretty sizable installed base of Windows XP in the commercial sector,” said Al Gillen, an IDC analyst.
IDC’s latest estimate is that 30 percent of PCs in businesses of all sizes are on Windows XP. By the end of 2014, the percentage will be down to 20 percent, still a very large number, according to Gillen.
And the problem isn’t limited to small companies with little to no IT knowledge and resources. In businesses with more than 500 employees, Gartner estimates that between 20 percent and 25 percent of PCs are on Windows XP. One-third of these medium-size and large companies have 10 percent or more of their PCs running the aging OS.
“There’s a pretty large number of Windows XP machines in enterprises,” said Michael Silver, a Gartner analyst.
Some had assumed that given the massive Windows XP installed base, Microsoft would budge and extend its support another year or two, but the vendor has stood firm, saying that the OS is simply too old and vulnerable to today’s security threats, for which it wasn’t architected.
“XP has been supported for a long time. We need customers to move off of it because of the security. XP gets less secure every year,” Murphy said.
The Microsoft official also points out that, beyond the security dangers, businesses also sacrifice productivity. More and more, third-party software vendors will stop supporting the XP versions of their applications, while fewer and fewer hardware devices — PCs, printers, peripherals — will work with it. Windows XP also lacks the substantial technology improvements for end users and IT departments Microsoft has delivered with the OS editions that came after it. “XP was great in its day, but its time has passed,” Murphy said.
Options for mitigating the risk
There are a variety of reasons why Windows XP remains in businesses, including ignorance about the risk, unwillingness to spend to upgrade and the existence of important applications that haven’t been ported to newer versions of the OS.
David Johnson, a Forrester Research analyst, said he has been fielding many inquiries from companies that are struggling to move completely off of Windows XP because they need it to run custom applications built in-house for the OS or by software vendors no longer in business.
Gartner has also been hearing from many frazzled IT chiefs. “We have a lot of organizations calling us every day asking us what to do,” Silver said.
Whatever the reasons, businesses that will have PCs on Windows XP for the foreseeable future must take steps to reduce the risk of using an unpatched OS. “Organizations that haven’t done anything regarding their Windows XP PCs could be in serious trouble,” Silver said.
Large organizations with deep pockets have the option of buying extended support from Microsoft, but this alternative is affordable and available only to a small number of companies.
For most other businesses, recommendations from experts such as Directions on Microsoft and from Microsoft’s security team focus on two main areas: securing Windows XP itself as much as possible, and limiting what these PCs can do within corporate networks and on the Internet.
Securing Windows XP includes making sure that it’s on the most recent SP3 version, that all available patches and updates have been applied to it, and that a full-featured security suite with antivirus and firewall is installed and current on the PC. User rights on these PCs should be downgraded, so that they don’t have administrator privileges.
It’s also important to use Windows XP with browsers that still support it, such as Google’s Chrome and Mozilla’s Firefox, and not with IE8, which is also falling out of the update cycle. Unnecessary and insecure browser add-ons, controls and plug-ins should be uninstalled.
Businesses should also consider disabling or blocking access to the USB ports on these PCs to prevent malware infections via external peripherals such as flash drives. “Connecting removable storage devices to Windows XP systems should be avoided,” wrote Tim Rains, a director in Microsoft’s Trustworthy Computing group, in a blog post in late March.
It’s also key to place limits around Windows XP machines so that they can only access specific applications, data and resources on their business’ internal network, and can only be used to visit hand-picked external websites. One way to constrain and isolate Windows XP is to run the OS in virtualized environments. End users shouldn’t be allowed to connect to the corporate network using home Windows XP PCs.
This containment strategy should significantly reduce security risks, according to most experts.
It’s hard to predict the extent and intensity of the fallout. “A year from now, we’ll either have seen a massive set of attacks after support ended, or it all may end being a yawner because nothing happened,” Gillen said.
However, the security trend for Windows XP isn’t encouraging. In February, security firm Secunia reported that Windows XP security flaws doubled to 99 from 2012 to 2013.
What’s clear is that any business with one or more critical applications that required special security precautions had time to either move off of Windows XP or take precautionary measures, Gillen said.
Should Microsoft be doing more?
Whether fairly or unfairly, Microsoft will find itself pelted with negative publicity if in the coming six months or a year malicious hackers ravage the large community of home and work Windows XP users.
“I wouldn’t be surprised if the hacking community has been reserving exploits until after support ends,” Forrester’s Johnson said. Microsoft itself has predicted that crafty hackers will try to parse out future Windows patches and updates, attempting to identify equivalent vulnerabilities in XP.
It’s clear the threat against Windows XP machines will grow with each passing day after the deadline. “This isn’t Y2K, where that day passed and everything was fine,” Silver said. “Here the risk increases as hackers have more and more time to discover vulnerabilities.”
Asked about this, Microsoft’s Murphy said the company cares about the potential impact to Windows XP customers, which is why it has been aggressively creating awareness about the deadline for years. “We’re concerned and we want our customers to be safe,” he said.
The backlash from that worst-case scenario could lead individual customers, and small and medium-size businesses in particular, to become disgruntled with Microsoft and seek non-Windows options, such as desktop Linux alternatives, the increasingly popular Chromebooks that run Google’s Chrome OS, Apple’s Mac OS laptops or desktops, or Android tablets and iPads.
So should Microsoft adopt drastic measures to accelerate the migration off of Windows XP? The company has tried a few tricks, including offering credit at its stores for users trading in XP PCs and buying new ones with Windows 8.1. How about going further and giving away Windows 7 to users who don’t want to buy a new PC but rather upgrade their current one?
Microsoft could take such steps, but ultimately, there is no stopgap measure it could offer, short of extending full-fledged support for another year, that would entirely satisfy and be useful for Windows XP holdouts, Silver said, adding that the best way for companies to protect themselves is simply to upgrade from Windows XP.
And at this point, it’s hard to criticize Microsoft for sticking to a deadline that it announced in 2007 and has been diligently reminding people about since then, according to Gillen. “If you don’t have plans to move at this point, it’s your own fault,” he said. “I find it difficult to have sympathy for companies that haven’t done anything yet.”