Experts question Microsoft's decision to retire XP

But others say the company will 'draw a line in the sand' and stop serving the aged OS with patches

Microsoft will "draw a line in the sand" come April 2014 when Windows XP exits support, security researchers said today, even if millions of customers are still running the aged OS and a zero-day bug threatens the Windows ecosystem.

Or maybe not. Other experts believe Microsoft will have no choice but to continue supporting XP.

Windows XP, now in its twelfth year, is slated for retirement on April 8, 2014. After that date, the ancient OS will receive no further security updates or bug fixes, except to enterprises that pay for high-priced support contracts.

PCs running XP will not suddenly stop working, of course, but from that point on they will be exposed to attacks exploiting any newly uncovered vulnerabilities -- flaws that Microsoft will patch for other editions of Windows but not for XP.

Michael Cherry, an analyst with Directions on Microsoft, a Kirkland, Wash. research firm that focuses solely on Microsoft, posed a scenario.

"Suppose we get to a date post the end of Extended support, and a security problem with XP suddenly causes massive problems on the Internet, such as a massive [denial-of-service] problem?" asked Cherry. "It is not just harming Windows XP users, it is bringing the entire Internet to its knees. At this time there are still significant numbers of Windows XP in use, and the problem is definitely due to a problem in Windows XP. In this scenario, I believe Microsoft would have to do the right thing and issue a fix ... without regard to where it is in the support lifecycle."

Microsoft has already extended XP's lifespan. In early 2007, Microsoft gave XP a reprieve, adding support time to Windows XP Home and XP Media Center to match the date already set for Windows XP Professional.

By the time Microsoft pulls the XP plug, it will have maintained the OS for 12 years and 5 months, almost two-and-a-half years longer than its usual practice and a year longer than the previous record holder, Windows NT, which was supported for 11 years and 5 months.

Cherry isn't the only one who figures Microsoft will again pardon XP.

"I don't think they'll stand firm on this," said Jason Miller, manager of research and development at VMware. "What if XP turns out to be a huge virus hotbed after support ends? It would be a major blow to Microsoft's security image."

In Miller's scenario, like Cherry's, the assumption is that vulnerabilities will continue to be uncovered -- either by legitimate researchers or cyber criminals -- that will affect not only XP, but other, still-supported editions. If hackers roll out successful exploits that hijack XP PCs because a patch was not forthcoming, those machines could, in turn, infect systems powered by newer versions of Windows.

But would Microsoft actually do what Cherry and Miller expect?

Not likely, said several other security experts today.

"I think they have to draw a line in the sand," said John Pescatore of Gartner. "They've supported XP longer than anything else, so they'd be pretty clean from the moral end."

Andrew Storms, director of security operations at nCircle Security, echoed Pescatore. "I don't see them changing their minds on this whatsoever," said Storms. "To do that, and alter their support lifecycle, would remove all credibility. Next, people still running Vista would say, 'They're not going to [end support].' And those people would hold onto Vista forever."

At some point, Pescatore and Storms said, users simply have to upgrade the OS, probably by buying a new PC. XP has had its run, and it's over. And Microsoft won't back down.

"I just don't think they will extend [XP] support again," said Wolfgang Kandek, CTO of Qualys. The case could be made, Kandek noted, that by continuing to supply patches to XP, Microsoft would be working "for the greater good." But he would be surprised if the Redmond, Wash. developer did so.

In any case, it might not even make a difference. "Are the remaining XP machines actually updated? We don't know," said Kandek, referring to the common problem of unpatched PCs, no matter what operating systems they run. "Do they actually install them? Extending patches might not do anything."

In at least one instance, Microsoft stuck to its guns, and refused to patch vulnerable operating systems that had fallen off the support list just weeks earlier.

In August 2010, Microsoft issued an emergency patch -- often called an "out-of-band" update -- for a critical Windows shortcut bug that attackers had exploited with the infamous Stuxnet worm, which most now believe was aimed at Iran's nuclear enrichment facilities. But even though Windows XP Service Pack 2 (SP2) and Windows 2000 had dropped off support the month before, Microsoft did not offer those PCs a patch.

The situation will be different in 2014, however: Users of Windows XP won't have a newer service pack to deploy, and XP will probably account for a still-significant portion of all Windows PCs, unlike Windows 2000 in mid-2010.

According to data from Web metrics firm Net Applications and Computerworld's projections, XP will power more than 25% of the world's Windows PCs in April 2014. That's an enormous number.

And there are other considerations, said Miller.

"One of Microsoft's No. 1 customers is the U.S. government," Miller said. "Things are much different nowadays, it's a new age, with all these worms circulating in the Middle East. Cyber security is a national security matter now, and I wouldn't be surprised if the [U.S.] government didn't have an impact on Microsoft's decision as well."

Even some of those who bet on the "line in the sand" acknowledged that there were factors that might prompt Microsoft to erase that line.

"The only scenario I can see where they would extend support isn't a security scenario," said Pescatore. "The biggest issue facing Microsoft is the declining share of Windows on devices. So they might continue to patch as a business decision, (so) that by offering patches, they at least hold onto those people still running XP."

Cherry closed the circle on the debate, pointing to one of the driving philosophies at Microsoft over the last decade as proof.

"Microsoft has invested significant resources in its Trustworthy Computing initiative and I think that investment and preserving its now-better-reputation in this area would not allow them to have an XP that was doing harm," Cherry said. "They cannot allow a security vulnerability to cause harm."

Sounds simple.

But it's not, said Miller. "It's really a no-win situation for them," he said. "I wouldn't want to be on the committee at Microsoft that decides this."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
