Microsoft issues five month countdown for Windows XP support

Microsoft introduced Windows XP in 2001, and it became an instant success. It combined the well-received consumer user interface from Windows 98 with the stability of Windows NT, was out-of-the-box Internet capable with an excellent browser -- Internet Explorer (IE) -- and quickly took over the market.


In terms of security, XP was immediately the target of attacks. In 2004, Microsoft hit a milestone in this area, when it unveiled Windows XP SP2, which featured a built-in, always-on firewall that effectively ended the era of the large-scale Internet worms, such as Blaster, Sasser, and Slammer. As a result, Windows XP became a huge hit with over 600 million installations worldwide.

But in April of next year, 2014, Microsoft will execute on its long-published maintenance plan and stop commercial support for Windows XP. Starting in May, Windows XP will stop receiving security updates, even for highly critical security flaws such as September's and November's IE zero-days, which targeted Windows 7 and, you guessed it, Windows XP. By mid-2014, new and (by then) unfixable security flaws for XP will be well-known and freely traded in the cybercriminal underground.

To illustrate this certainty, let's take a look at this year's IE security bulletins. There have been fourteen updates so far, one each month through November, plus additional updates in February, May and November to cover zero-days, addressing a total of 117 vulnerabilities. Windows XP was affected by 75 of the vulnerabilities, including 68 rated critical, which accounts for 64 percent of total vulnerabilities and 90 percent of critical vulnerabilities this year alone.

This pattern will not simply stop in April 2014. We can be certain that vulnerabilities will continue to affect Windows XP, and given that it is unlikely that Windows XP will be replaced 100 percent by April 2014, we will see reverse engineering of vulnerabilities for XP and the development of exploits as well.

Networks that include Windows XP computers used for normal office activities, such as e-mail, web browsing, word processing, etc., will become undefendable and will invite attackers inside. There are certainly steps one can take to lower the risks, such as switching to supported browser, e-mail, and office programs, and hardening Windows XP (by using the Enhanced Mitigation Experience Tool, for example), but these are band-aids that can only prolong XP's useful life by a few months.


The only way to address the situation and to ensure your network and assets are secure is to migrate to a supported operating system. In the Windows line, your options are Windows 8, with its radical user interface change and currently under 10 percent market share, or Windows 7, which has seen growing enterprise adoption, has a market share of over 50 percent, and has the additional benefit of being familiar to users who might have it installed at home.

In a pinch, you may still have Windows Vista licenses around from when that operating system was first delivered and you preferred to install XP instead. There are other alternatives; you could follow the lead of the French Gendarmerie, which migrated 40,000 desktop computers to an open source platform based on the Firefox browser, Thunderbird e-mail client, and OpenOffice word processing and spreadsheet, all running on the Ubuntu variant of the Linux operating system.

If you are still running Windows XP, you are not alone. Figures for the current installed base vary widely, though, ranging from the low teens to almost 50 percent, according to some sources. Our data indicates that more than 20 percent of all enterprise users are still using Windows XP machines, so it is probable that you can reach out to your peers and see what strategies they are planning to take. One thing is clear: the risk is real and there is little time left, so you need to act now.

Wolfgang Kandek is the CTO for Qualys.
