Steven J. Vaughan-Nichols: You can keep using XP for another year, but do you really want to?

While clinging to the 11-year-old OS after Microsoft issues its last security patch in April is defensible, the security risks are going to keep mounting

On April 8, Microsoft will pull the plug on Windows XP SP3 when it issues the final security patch for the 11-year-old operating system. So it's high time to switch to Windows 7, right?

Probably. But it's still going to be possible to hang on to XP for another year or so, and given the number of users still clinging to it, I'd guess a significant chunk will do so. But is that wise? Not really. Security risks are just going to keep mounting.

About those numbers: Net Applications states that in December, XP was still running on 29% of all desktop and laptop PCs. By some counts, XP still accounts for 32% of all Windows systems. That's a heck of a lot of users.

One reason users haven't switched is that Windows 8.x is garbage. There are others. One is that XP machines simply still do their job. I'm a big believer in the maxim, "If it ain't broke, don't fix it," and many XP users believe that too.

Of course, Microsoft wants you to move to a newer version of Windows. If it can't talk you into Windows 8.x, it'll be OK with you moving to Windows 7. To help this process along, it's trying to scare you into moving by publicizing claims such as the one that XP-specific malware is going to jump by two-thirds. As for the OEMs, they'd like you to abandon XP too, but they'd be just as happy to see you shifting to Android PCs or Chromebooks. They're not proud; they just want to sell new units.

Unsurprisingly, Microsoft hasn't been quite so loud about what it's doing to make XP viable for another year. But it's going to continue to support its Malicious Software Removal Tool (MSRT) on XP until July 14, 2015. The company will also be offering antivirus signatures for Security Essentials until mid-July 2015.

Meanwhile, most antivirus companies are going to continue to support XP for years to come. The top three Windows antivirus companies, by AV-Test's count, Kaspersky, BitDefender and Avira, have pledged to support consumers until 2018, January 2016 and April 2015, respectively.

It's true that Microsoft has already given up supporting its latest software on XP, but many other companies haven't. For example, while Internet Explorer 8 is the most recent Web browser Microsoft will give you for XP, Google will be supporting the newest versions of Chrome on XP until at least April 2015. Indeed, as far as I've been able to tell, no major company currently producing XP software plans on ending support for its programs anytime soon.

That's a good thing, since these days many malware programs attack third-party programs instead of XP itself. After all, with 13 years of endless hacking, Microsoft finally has nailed shut most of XP's holes.

One favored third-party means of attack is Java. Oracle's most recent patch set for it had no fewer than 36 security patches for Java alone. Java just isn't worth the risks it exposes you to. Unless you absolutely must use it -- on any operating system, not just XP -- you'll be much safer removing it from your system.

You can also protect your aging XP PC by putting it behind a firewall. Well, you should have been doing that all along, but if you're going to continue to use it and you don't have it behind a firewall, now is the time to take that step. You'll need all the protection you can get.

Another useful XP security trick is to set up users with limited accounts. Installing new software or hardware with a limited account can be a pain, but how often are you going to be doing either with your old XP box? A good deal more defense for a little trouble is a trade well worth making.

So should you try to eke another year of life out of XP? I wouldn't.

Keeping XP safe is only going to get harder as months go by. Eventually, someone will craft a new XP crack that's going to break XP security like an egg.

Come that day, I expect Microsoft to reluctantly issue an emergency fix if there are still, say, 10% of users running XP at the time. But it won't do it with dispatch, and the new security hole may not become known for a while. Do you want your PC to be ransacked by vandals during the zero-day period? I wouldn't.

Still, if you can't bring yourself to switch quite yet, you can keep running XP for now. Just don't think that you're going to be able to keep doing it safely. You may have years instead of weeks, but XP's end of life really is in sight.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at
