Steven J. Vaughan-Nichols: Here comes the black market for XP patches

For most people, XP patches will be unobtainable through legitimate channels. Sounds like a market to me.

"Hey buddy."


"I've got what you're looking for."

"What do you think I'm looking for?"

"XP SP 4."

"Jeeze. Really?"

"Yeah, but it will cost you..."

I expect conversations along those lines to happen in real life on, say, May 13, 2014. Why that date? It will be the first Patch Tuesday when Microsoft will no longer be releasing patches for Windows XP -- unless you're one of those big XP customers, such as the IRS, that didn't leave themselves enough time to get off of XP. If you're one of those, then Microsoft will allow you to buy XP support for at least another year via its Custom Support plan.

Custom Support isn't cheap. Estimates are that it will cost you at least $200 a PC.

Well, it used to anyway. Microsoft appears to have decided that it wasn't getting enough customers for the program, so it cut the price. Companies have told Computerworld about great deals that Microsoft agreed to at the last minute, including one said to have gotten its XP patches for the bargain price of $25 per machine.

I know what you're thinking: "There's no way I could afford $200 a PC for patches. But $25? Sign me up!"

Too bad. Odds are you can't get Microsoft to accept your corporate credit card.

A Microsoft spokesperson told me that "Custom Support is provided to large enterprise customers whose migration from Windows XP was not completed by April 8, 2014. It is a temporary measure designed to help large customers with complex migrations. It should be considered as a last resort for customers who are in the process of migrating from Windows XP to a modern operating system. Custom Support costs vary depending on the specific needs of the customer. Customers should work with their Microsoft Account Representative to determine pricing."

I rather doubt Microsoft will want your business unless you have at least 10,000 XP PCs. But Daryl Ullman, co-founder and managing director of the Emerset Consulting Group, a firm that specializes in helping companies negotiate software licensing deals, said that the new Custom Support minimums were 750 PCs, with a minimum payment of $150,000 for a year's worth of support.

What you'll get for that $150,000 is patches for critical vulnerabilities. Bugs rated "important," the next step down in Microsoft's four-level threat scoring system, will not be automatically patched. You'll have to pay extra for those. Flaws pegged as "moderate" or "low" will not be patched at all, at any price.

Even at the bargain basement price of $25, many large companies can't afford Custom Support. But plenty of them are in need of it. Even now, Windows XP is the third most used desktop operating system in the United States, with 11.79% of users, according to StatCounter.

That's a lot of users. And we know what happens when you have something that's in short supply, with limited access and a large potential market, right? We're going to see a black market in XP patches.

Unless, of course, someone "generously" puts XP patches on BitTorrent. The problem with BitTorrented patches is that you can't really know whether you're getting the real patch or malware.

(Microsoft did not respond to a request to comment on the prospect of a black market for XP patches.)

Oh, I see just wonderful times ahead for people who've insisted on sticking with XP. Maybe it really is time to put XP to pasture and find a real alternative. Chromebooks, anyone?

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at
