Windows XP is just a few short weeks away from coming out of support from Microsoft. And that means no more updates for security vulnerabilities. So, what's that mean for businesses? Can they just carry on as if nothing has changed or will retaining Microsoft's most popular OS create new risks for the enterprise?
"There are security risks. It has been widely reported that some attacks are being stockpiled to the lead up to XP going out," said Joe Sweeney, an Advisor with IBRS.
Gartner Analyst Nik Simpson added "The risk of security breaches on systems running Windows XP beyond April 2014 is high. Malware developers are almost certainly saving Windows XP exploits until the end of life (EOL) deadline to make them more effective. In addition, malware developers will use future patches issued for later Windows operating systems as a "road map" for discovering exploitable holes in Windows XP. Therefore, maintaining security of Windows XP once Microsoft stops issuing security patches will be challenging".
"As a result those businesses that retain Windows XP will have a system that will be only able to be secured through third party solutions. The decision by many vendors of antivirus and anti-malware packages — including Microsoft — to continue support for Windows XP beyond 2014 should not be seen as an excuse to avoid migration from Windows XP," said Simpson.
Sweeney said "As a result vendors will be able to charge what they want. In short, yes, it's an increased risk, the real risk is that the cost of maintaining that XP resource will increase dramatically. If you think that the cost of running Xp will stay the same – you're fooling yourself".
Sandeep Joshi, the Country Leader for Australia-New Zealand and Oceania at Dell SonicWALL said that "XP is vulnerable and it has been targeted by malicious attackers for a long time. Since it is coming to end of support it is definitely a more vulnerable target.
His advice is to migrate to an updated operating systems that is fully supported.
Dell SonicWALL's recent security report found that Windows XP was one of the top 15 affected products in 2013 and they expect that it will continue to realise a surge of attacks as its support life cycle is ending in 2014.
Simpson said "Leaving Windows XP unsupported will expose the company to growing risk as the number and severity of security exploits grow, and continued support from Microsoft will be costly. The number of serious security exploits for Windows XP is likely to increase rapidly as soon as Microsoft stops delivering security updates. Therefore, organisations should start the migration process as soon as possible".
Sweeney told us that there are three circumstances under which retaining XP might be an option. The first is simple inertia – IT departments have been lax in their preparations and aren’t prepared for the change. But there are some more valid reasons.
"There are situations where you are locked into using XP. There's command and control equipment, or scientific equipment, that is locked to the hardware that can only run XP. In those cases, XP really needs to be considered like XP Embedded. When that piece of equipment fails it's a single point of failure– that's a very different problem," said Sweeney.
This highlights another element of the risk associated with retaining Windows XP systems. If an application requires specific hardware that can only operate with Windows XP then businesses will be caught in a situation where they may not be able to run critical applications.
The third case is legacy applications according to Sweeney. "The way that MSFT has allowed you to deal with this in the past has been to downgrade to XP and use virtualisation," he said. "There's now no way to do that unless you're under Software Assurance".
Businesses in this position will find that their licensing costs will increase significantly as they will require both Software Assurance and virtualisation.
"Anybody who is currently running legacy applications and thinking that they can simply downgrade to XP without Software Assurance is out of compliance with Microsoft licensing. Being out of compliance is a serious risk," said Sweeney.