Software // Operating Systems
News
4/8/2014
10:46 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Windows XP Plug Pulled: 5 Questions

After 12 years, Windows XP officially becomes an unsupported OS. Here's what you need to know, from old PCs to dicey ATMs.

Windows XP Game Over: 9 Upgrade Options
Windows XP Game Over: 9 Upgrade Options
(Click image for larger view and slideshow.)

Windows XP has been around for more than 12 years and has hundreds of millions of users. But the operating system receives its last Patch Tuesday updates this week. A relatively light bundle of four fixes, the patches unceremoniously retire the still-popular OS, which, as of last month, had more than twice as many users as Microsoft's newest flagships, Windows 8 and 8.1

A few banks, governments, and other large-scale XP customers will still get support from Microsoft, albeit for millions of dollars each. Until 2015, Microsoft will additionally supply antimalware definitions to those who have its Security Essential software installed. Many antivirus companies will also provide support for at least the next couple years.

[Microsoft is dropping XP, but is it heading in the right direction? Read Does Microsoft Have Its Mojo Back?]

But without official security patches, updated antimalware signatures might not keep XP users safe, especially if, as some have speculated, cybercriminals have stockpiled zero-day attacks in anticipation of this week's deadline. To some, every XP user represents a potential Pandora's Box of botnets, malware proliferation, and even hacked ATMs. But to others, such worst-case predictions represent the biggest hyperbole this side of Y2K.

Which side has it right? Here's what you need to know to about XP's end-of-service deadline.

1. Is the risk real?
Yes, though it depends how the PC is used. Windows XP is already more malware-prone than newer systems, and it will only grow more vulnerable now that Microsoft has dropped support. That said, savvy users who can't or don't want to upgrade have a number of options to make their systems more secure, including disconnecting it from the public Internet, employing firewalls, and removing programs and plug-ins that are known to be risky.

2. Why is Microsoft abandoning such a popular product?
To be fair, Microsoft has supported Windows XP for a long time. The company boasts "one of the broadest and most transparent support policies out there," Gartner analyst Michael Silver told us in an interview last month. "You're not going to get that from other vendors."

Moreover, Windows XP was built for a different era of computing, a point Microsoft sometimes makes when explaining the OS's security risks. For more than a decade, the company has dedicated resources to XP triage, and it probably wants to use those resources for others projects -- you know, the kinds that actually generate new revenue.

Image: cooling999, deviantart.com
Image: cooling999, deviantart.com

That brings up the more cynical side of XP's retirement. The OS's licensing worth has run its course, and XP isn't an ideal platform for the cloud-based apps and services around which the company is now hedging its bets. Windows XP might be popular, in other words, but it doesn't represent the same revenue growth that newer systems do. Some have argued that Microsoft could turn XP into a revenue source by making extended support widely available as a subscription service, but the company has shown no interest in such tactics.

3. Why have people waited so long to upgrade?
Windows XP has persisted for a number of reasons.

It helped that Windows Vista, XP's follow-up, was dismissed as bloated and buggy. Without a compelling need to upgrade, many users stuck with Windows XP longer than normal, allowing it to build up an enormous user base that's been slow to erode.

For many people, XP remains adequate. Not everyone needs the fastest processors or all the newest bells and whistles, and for this crowd, XP has been reliable enough to keep around.

Others would happily upgrade but cannot afford to do so, though the research firm IDC last year said companies would end up paying three times more if they delayed upgrades. Others still need XP for old applications that won't run correctly, or at all, on new platforms.

4. Do I need to worry about using an ATM?
Probably not, but there is some risk. As of earlier this year, around 95% of ATMs reportedly ran on Windows XP, and many of them haven't been upgraded yet. That's unsettling, but not all of them pose equal risk.

Large banks obviously have the most financial flexibility to update their machines and have been doing so over the last several months, though the job is ongoing. Many of them are also paying Microsoft for extended support, no doubt mindful of the PR fiasco that will ensue if hackers find a way to steal customers' cash.

Moreover, not all XP-based ATMs are vulnerable in the first place. Some run a version of XP that will lose support this week, but others run a version of Windows XP Embedded that Microsoft will continue to support for the next several years. Unfortunately, ATMs that run the retired version can be indistinguishable from those running the supported one.

Granted, ATMs are pretty locked-down to begin with. They're not connected to the public Internet, and it's not as if criminals can walk up to a unit, plug in a USB drive, install malware, and start collecting cash. Even so, security researchers have already identified XP-based flaws that could compromise an ATM's security.

The risks are likely to be highest among older units, many of which cannot receive software upgrades and will need to be replaced wholesale. Given that new units can cost tens of thousands of dollars, it's not clear how quickly these replacements will occur. So while bank customers probably won't be affected, you might want to think twice before inserting your debit card in an ancient-looking ATM crammed in the corner of a liquor store.

5. I'm still running XP -- am I doomed?
Don't worry. Unless you're particularly unlucky, and likely also a little careless with email attachments or suspicious links, no one is going to steal your identity or hijack your computer before you finish reading this article. But every day, the risk will get greater.

As mentioned, tech-savvy users are employing a variety of tactics to stick with XP. Some have moved their XP-based PCs to private networks or offline use, which should eliminate almost all threats. Others have disabled Java and Adobe Flash and switched from Internet Explorer to Chrome, strategies that should mitigate but not necessarily eliminate dangers.

Silver, the Gartner analyst, compared continued XP usage to driving an old car: With enough work, it will keep running. But one day, you might find yourself stranded.

But if you don't want XP's risks and aren't interested in frequent security maintenance, you still have a variety of options. Microsoft hopes many XP users will buy new Windows 8.1 machines, which, thanks to this week's update, will be more familiar to non-touch users. But XP systems can also be repurposed for Linux or upgraded to Windows 7 with an OEM license. Relatively new XP machines might also run the updated Windows 8.1, though Microsoft reps have assiduously avoided any promises in this regard. Other options include switching to a tablet, Mac, or Chromebook.

Emerging standards for hybrid clouds and converged datacenters promise to break vendors' proprietary hold. Also in the Lose The Lock-In issue of InformationWeek: The future datacenter will come in a neat package (free registration required).

Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Matt Healy
50%
50%
Matt Healy,
User Rank: Apprentice
4/8/2014 | 12:26:13 PM
Lab machines
My company has some XP boxes running lab equipment that cannot be upgraded because they need custom hardware drivers.  These will be locked down so they cannot access the Internet, and USB drives cannot be used, the only way to move data off them will be to servers on our internal network.

 
Michael Endler
50%
50%
Michael Endler,
User Rank: Author
4/8/2014 | 12:04:55 PM
Re: fair and balanced reply.
Thanks for the comments. Here are a few additions and clarifications:

1.The hyperlinked portion in the sentence you've singled out included a link to the citation, but here it is again: http://www.informationweek.com/windows-xp-malware-6x-as-bad-as-windows-8/d/d-id/1112122. The source is a Microsoft researcher, which, given the obvious potential for ulterior motives, you can choose to interpret how you wish. The linked article includes a healthy debate about whether Microsoft's claim is a scare tactic or a legitimate warning.

2. I don't think we totally disagreed here. The article states that XP machines can be made more secure if the user implements certain safeguards, disables certain applications, and adopts certain behaviors. But with 100 million+ XP users still out there, we can't quixotically expect everyone will be proactive. Fewer services only means tighter security if those few services are used in a solid way, and XP's retirement makes it easier for some users to run into trouble.

4. There are a lot of ATMs out there. I talked to Michael Silver at Gartner about this one, and he agreed that a lot of ATMs are probably running the now-unsupported OS. Dean Stewart, Senior Director at ATM manufacturer Diehold, has also discussed (citation) that many ATMs run the standard XP Pro edition with embedded restrictions, which is different than Window XP Embedded itself (though that is, as noted, used on ATMs too). Granted, he's selling new ATMs, so I guess you could take his word with a grain of salt, but other sources corroborate. We have an inquiry in to Microsoft about this, but haven't received a comment. If they can share any specific breakdowns, we'll update the article.
Laurianne
50%
50%
Laurianne,
User Rank: Author
4/8/2014 | 12:01:12 PM
Re: fair and balanced reply.
It will be interesting to see how the ATM situation plays out. I suspect many readers are already more cautious of where they use their debit cards, following the Target breach. Are you? Weigh in.
WarlordGM
50%
50%
WarlordGM,
User Rank: Apprentice
4/8/2014 | 11:32:29 AM
fair and balanced reply.
1. Windows XP is already more malware prone than newer systems?  Citation needed. In 2013 windows 8 had more vulnerabilites than XP.


2. Windows XP was built for a different era of computing, a point Microsoft sometimes makes when explaining the OS's security risks.?  Windows XP has far less services and software as newer versions of windows do.  Less services running means tighter security.  In fact a user can disable almost all of XP serves except about 5-6 and still have a functional operating system.

3.  Thats right PC sales are down simple becasue or Moores law.  Core2 Archtecture was too good and it meets the needs or exceeds the average person.  XP run great on that hardware.

4.This is flat out false.  ATM are running POS Ready 2009 which is set to recive updates atleast until 2019.  POS Ready 2009 and XP embeded based on XPSP3.

5.  True people still run DOS for some things.
<<   <   Page 2 / 2
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.