The End of Patching is in Sight for Windows® XP
You can’t claim you didn’t have plenty of warning: Microsoft™ announced way back in 2011 that the end of extended support for Windows XP would come in 2014. Full mainstream support ended in 2009, but security updates have kept on coming. Even so, according to a recent IDC study, XP gets 27 percent more virus attacks than Windows 7 and the average time to repair a malware attack is over 7 times as long. Supporting an aging operating system is expensive, and the price will go up next April, when security fixes stop (for all but a few select organizations with very deep pockets).
There are a number of reasons that some companies have made the decision to hang onto XP until the very end. Change is never easy; in the IT world, it often means hidden costs, a steep learning curve (for both admins and users) and unexpected bumps in the road in the form of hardware and software incompatibilities. No wonder the philosophy of “if it’s not broke, don’t fix it” is popular. The problem is that a Windows XP that’s frozen in time in terms of security is going to be irretrievably broken.
Some XP users have been in denial, even speculating that there would be a last-minute “bailout” to extend support if only enough individuals and companies are still using XP when the deadline arrives. Even some experts believed, less than a year ago, that Microsoft would “have no choice but to continue supporting XP.” However, Microsoft has made it clear that they are serious about XP’s end of life date. Critical updates will be provided only to companies with Premier Support contracts who also purchase a Custom Support option. Few companies can afford that, with fees reportedly starting at more than half a million dollars per year.
What does this mean to everyone else? To hackers, it means a golden opportunity. To Windows XP users, from home to enterprise, it means no more patches. It means any new vulnerabilities that are discovered will be wide open for attackers to exploit, unless third parties take it upon themselves to create fixes. That may not be possible even if there are third parties who want to take on the expense (and possible liability) of doing it. Because Windows source code is closed, those outside the company can’t legally modify it without Microsoft’s permission.
Although security companies such as Symantec have announced that they will continue to release antivirus definitions for XP “for the current product cycle,” they also caution that the lack of OS and application patches will still negatively impact the security level of Windows XP systems. McAfee says they will continue to support XP SP3 after April “for a limited time, as long as it is technically and commercially reasonable.” In the security ecosystem, AV, antimalware, vendor-provided updates and other security mechanisms must work together in a multi-layered security approach.
All of this means the potential for huge hits to the bottom line due to downtime and lost productivity when (not “if”) unprotected XP systems are compromised. And it’s not only about direct monetary loss. If unpatched systems result in exposure of client data, companies may find themselves not only losing business, but in violation of the law. In regulated industries, companies have a legal obligation to reasonably protect such data, and not doing so could subject them to fines or even criminal charges. In any industry, failure to secure systems could be viewed as negligence, resulting in civil lawsuits.
Statutory requirements in some countries, such as the U.K., explicitly impose a duty to have “modern and up-to-date software” as part of privacy laws. In other countries, such as the U.S., the standard is based on what would be considered reasonable and prudent and thus is open to interpretation by the courts. Even if a company escapes legal repercussions in the wake of an XP-related breach, media attention can drive customers away. Trust is a big factor in the business/customer relationship and a major security breach can damage a company’s reputation in ways from which it may never recover.
According to the August statistics from NetMarketShare, slightly more than a third of PCs worldwide (33.66 percent) were still running Windows XP, and the Washington Post reported that Microsoft’s own statistics show about 30 percent of SMB customers haven’t yet upgraded. It’s time for the companies in that position to develop a plan – sooner rather than later.
GFI Cloud™ is offering free asset tracking which will help you start your plan by finding out which workstations are still using Windows XP.

I am in my early eighties and hope XP lasts out my time. I cannot catch on with hyper new things!
So . . what can I do best??
It’s not as if, on the day after support ends, all the XP machines will suddenly be invaded by an army of attackers – but the bad guys WILL have a field day, knowing these machines are vulnerable and won’t be fixed so there is no way around the fact that you’re taking a big risk if you continue to use XP after support ends.
If you insist on doing so, best practice would be to ensure you’re using a firewall, up-to-date antivirus and anti-malware, etc. Become extra diligent about opening attachments, clicking links, visiting web sites with which you aren’t familiar, all the other ways that attackers deliver their exploits to you. Minimize exposure to the Internet. If you normally leave your computer on and connected all the time, start turning it off when you aren’t using it. You might even go as far as to disconnect from the network when you’re using it for non-Internet activities, such as composing a document in a word processing program.
It’s likely that when most people do upgrade and XP becomes a tiny percentage of operating systems in use, it will become a less attractive target and maybe the bad guys will lose interest. So even if you refuse to upgrade, you should hope that everyone else does.
Windows is the biggest virus in the world. My original XP installation still runs fine. I used Norton Ghost when I first installed it, and never installed any updates at all. The last installation has run for 6 years now.
If you never upgrade, it is a beautiful stable system.
Don’t need you.
Go away.