4/8/2014
10:46 AM

Windows XP Plug Pulled: 5 Questions

After 12 years, Windows XP officially becomes an unsupported OS. Here's what you need to know, from old PCs to dicey ATMs.


Windows XP has been around for more than 12 years and has hundreds of millions of users. But the operating system receives its last Patch Tuesday updates this week. A relatively light bundle of four fixes, the patches unceremoniously retire the still-popular OS, which, as of last month, had more than twice as many users as Microsoft's newest flagships, Windows 8 and 8.1.

A few banks, governments, and other large-scale XP customers will still get support from Microsoft, albeit for millions of dollars each. Until 2015, Microsoft will additionally supply antimalware definitions to those who have its Security Essentials software installed. Many antivirus companies will also provide support for at least the next couple of years.


But without official security patches, updated antimalware signatures might not keep XP users safe, especially if, as some have speculated, cybercriminals have stockpiled zero-day attacks in anticipation of this week's deadline. To some, every XP user represents a potential Pandora's Box of botnets, malware proliferation, and even hacked ATMs. But to others, such worst-case predictions represent the biggest hyperbole this side of Y2K.

Which side has it right? Here's what you need to know about XP's end-of-service deadline.

1. Is the risk real?
Yes, though it depends on how the PC is used. Windows XP is already more malware-prone than newer systems, and it will only grow more vulnerable now that Microsoft has dropped support. That said, savvy users who can't or don't want to upgrade have a number of options to make their systems more secure, including disconnecting them from the public Internet, employing firewalls, and removing programs and plug-ins that are known to be risky.

2. Why is Microsoft abandoning such a popular product?
To be fair, Microsoft has supported Windows XP for a long time. The company boasts "one of the broadest and most transparent support policies out there," Gartner analyst Michael Silver told us in an interview last month. "You're not going to get that from other vendors."

Moreover, Windows XP was built for a different era of computing, a point Microsoft sometimes makes when explaining the OS's security risks. For more than a decade, the company has dedicated resources to XP triage, and it probably wants to use those resources for other projects -- you know, the kinds that actually generate new revenue.

Image: cooling999, deviantart.com

That brings up the more cynical side of XP's retirement. The OS's licensing worth has run its course, and XP isn't an ideal platform for the cloud-based apps and services around which the company is now hedging its bets. Windows XP might be popular, in other words, but it doesn't represent the same revenue growth that newer systems do. Some have argued that Microsoft could turn XP into a revenue source by making extended support widely available as a subscription service, but the company has shown no interest in such tactics.

3. Why have people waited so long to upgrade?
Windows XP has persisted for a number of reasons.

It helped that Windows Vista, XP's follow-up, was dismissed as bloated and buggy. Without a compelling need to upgrade, many users stuck with Windows XP longer than normal, allowing it to build up an enormous user base that's been slow to erode.

For many people, XP remains adequate. Not everyone needs the fastest processors or all the newest bells and whistles, and for this crowd, XP has been reliable enough to keep around.

Others would happily upgrade but cannot afford to do so, though the research firm IDC last year said companies would end up paying three times more if they delayed upgrades. Others still need XP for old applications that won't run correctly, or at all, on new platforms.

4. Do I need to worry about using an ATM?
Probably not, but there is some risk. As of earlier this year, around 95% of ATMs reportedly ran on Windows XP, and many of them haven't been upgraded yet. That's unsettling, but not all of them pose equal risk.

Large banks obviously have the most financial flexibility to update their machines and have been doing so over the last several months, though the job is ongoing. Many of them are also paying Microsoft for extended support, no doubt mindful of the PR fiasco that will ensue if hackers find a way to steal customers' cash.

Moreover, not all XP-based ATMs are vulnerable in the first place. Some run a version of XP that will lose support this week, but others run a version of Windows XP Embedded that Microsoft will continue to support for the next several years. Unfortunately, ATMs that run the retired version can be indistinguishable from those running the supported one.

Granted, ATMs are pretty locked-down to begin with. They're not connected to the public Internet, and it's not as if criminals can walk up to a unit, plug in a USB drive, install malware, and start collecting cash. Even so, security researchers have already identified XP-based flaws that could compromise an ATM's security.

The risks are likely to be highest among older units, many of which cannot receive software upgrades and will need to be replaced wholesale. Given that new units can cost tens of thousands of dollars, it's not clear how quickly these replacements will occur. So while bank customers probably won't be affected, you might want to think twice before inserting your debit card in an ancient-looking ATM crammed in the corner of a liquor store.

5. I'm still running XP -- am I doomed?
Don't worry. Unless you're particularly unlucky, and likely also a little careless with email attachments or suspicious links, no one is going to steal your identity or hijack your computer before you finish reading this article. But every day, the risk will get greater.

As mentioned, tech-savvy users are employing a variety of tactics to stick with XP. Some have moved their XP-based PCs to private networks or offline use, which should eliminate almost all threats. Others have disabled Java and Adobe Flash and switched from Internet Explorer to Chrome, strategies that should mitigate but not necessarily eliminate dangers.

Silver, the Gartner analyst, compared continued XP usage to driving an old car: With enough work, it will keep running. But one day, you might find yourself stranded.

But if you don't want XP's risks and aren't interested in frequent security maintenance, you still have a variety of options. Microsoft hopes many XP users will buy new Windows 8.1 machines, which, thanks to this week's update, will be more familiar to non-touch users. But XP systems can also be repurposed for Linux or upgraded to Windows 7 with an OEM license. Relatively new XP machines might also run the updated Windows 8.1, though Microsoft reps have assiduously avoided any promises in this regard. Other options include switching to a tablet, Mac, or Chromebook.


Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ...

Comments
jagibbons
User Rank: Ninja
4/15/2014 | 8:24:43 PM
Re: Reminds me of Y2K
Good points on the key messages, Michael. I agree that 4/8/14 is not the end of computing as we know it. However, there does need to be an awareness that if something happens after 4/8/14, Microsoft isn't going to release a security patch.
Michael Endler
User Rank: Author
4/12/2014 | 11:57:53 AM
Re: Reminds me of Y2K
Fair enough. But I think a certain amount of uncertainty and doubt is intrinsic to the situation. When you're talking about such a large user base, one can't be certain what risks apply to one user versus another. The large user base does allow us to be certain of one thing, however: Some sets of risks apply to thousands if not millions. (I admit that something like the reverse is also true; that is, certain XP risk vectors are not applicable to millions of XP users-- but that doesn't negate my point.) Consequently, in attempting a thorough discussion, one has to hit several points, not all of which are equally applicable to all readers:
  • Your machine will still work and is unlikely to become an incubus of malware right away (this point might not get highlighted in headlines, but I've seen it made many times, often in unequivocal terms);
  • Certain risks are real (and they are. Do we know that hackers are stockpiling zero days, or that they'll reverse-engineer exploits using future Windows 7 and 8/8.1 updates? No. But is there a reasonable chance? Yes, which makes the risk worth mentioning.)
  • Certain risks are overblown (such as ATMs, or the millions of locked-down XP boxes running on private corporate networks)

And so on. I'll grant you this: If someone's XP knowledge comes solely from headlines flashing across Google News, that person might have an exaggerated sense of the risks. But if someone is truly concerned, I expect they'd research a tad more than that, and if they do, I've seen more than a few articles that I consider fair. For a mass audience, the situation isn't as simple as "Yes, keep using XP" or "No, you must upgrade now," and I think people who've read beyond the headlines can get an accurate sense of the shades of gray.

No one's denying that many people will continue to run XP without incident, but it would be irresponsible to tell people to simply not worry. If I were speaking to an individual and could ask about his/her computing habits, software needs, and security precautions, perhaps then I could endorse continued XP use. But writing for a wide audience, that kind of insight is impossible-- so again, the conversation needs to be approached from several angles. Objectively, Windows XP probably won't destroy the Internet, but individual users also face objective risk considerations, some of which are likely to grow more severe over time.
BruceB093
User Rank: Strategist
4/12/2014 | 11:23:42 AM
Re: Reminds me of Y2K
"Fear, uncertainty and doubt."  The majority of customers who have called me thought that after Tuesday their PC was now wide open to all malware.  That they had "lost something" on that day.  That their PCs would be soon overrun by malware. 

The problem is that we don't have an objective situation.  We just have uncertainty. I have a customer, a professional photographer, who still runs Windows 2000.  Works fine. The XP update delivered Tuesday was the most up to date XP that ever existed.  Anti-virus software is still running and being updated but Microsoft now shows a red icon on Security Essentials even though everything is fine. These PCs will probably have hardware failures before the OS risks are realized (but see the W2K example). 

The whole approach "we are warning you for your best interest, watch out, look out, here it comes!" appears self serving and unobjective.  I had a tire shop "cram" my bill with an extended warranty.  I asked him to remove the charge.  His response: "but you will be all alone if your tire fails!"  That was an emotional appeal, not an objective one of which approach was a better value given the risks.

Only time will tell, but I think a year from now we'll be talking about the disaster that didn't happen.

 

 
Michael Endler
User Rank: Author
4/11/2014 | 6:39:57 PM
Re: Reminds me of Y2K
"The hype is that 'something new might happen!' after 4/8/14.  This appears to just be marketing FUD."

I'm not certain by what objective standard it can be dismissed as pure FUD. I mean, sure, some of the commentary is over-the-top. Windows XP hasn't made ATMs particularly vulnerable, for example. 

But by and large, XP's retirement poses some legitimate security considerations, most of which have been objectively reported by the tech media. Whether one absolutely must act on these considerations is debatable, but the considerations themselves aren't FUD.

In the articles I've written, the perspective has generally been: "If you know what you're doing, you don't have to upgrade, but if you have to ask whether you'll be safe, XP might be more trouble than it's worth." I think this is a pretty responsible and fair assessment. Yes, some people will keep using XP without incident. The ratio of victims to potential victims is usually pretty small, even when we're talking about major cyberthreats. But I think it would be irresponsible to broadly encourage people to keep using XP. Even if only a minority of users get victimized, the consequences can be pretty terrible for the unfortunate few. IT professionals and tech-literate consumers are one thing. But XP's user footprint is huge, and we can safely assume it includes millions who could blithely stumble into trouble-- and who might unwittingly spread the problem to other machines. Words like "might" and "could" set off alarms for some people-- but in this case, I think they're a necessary part of a comprehensive discussion.
Michael Endler
User Rank: Author
4/11/2014 | 6:27:45 PM
Re: XP users will eventually migrate, but to what?
I can understand why some people have taken the "How can Microsoft abandon 200 million+ customers?!" perspective. But Microsoft obviously can't support XP indefinitely. It takes resources to do so-- and those resources aren't necessarily adding much to Microsoft's bottom line at this point. In fact, they might be detracting from Microsoft's bottom line, since we're talking about resources that might have gone to, say, Azure or something promising, instead of being lavished on ongoing XP maintenance.

I'm a big proponent of companies considering customers over profits, but at some point, Microsoft has to move on to new technologies. If not after 12 years, how long would be appropriate? If Microsoft had decided that 200 million active users was too many, would 100 million have been acceptable? What about 10 million? I think Microsoft could probably have done some things differently to help with XP's EOL deadline, but I have trouble arguing that Microsoft should have kept XP on life support for another five years.
BruceB093
User Rank: Strategist
4/9/2014 | 9:30:16 AM
Reminds me of Y2K
1. With the 4/8/14 update, this is arguably the "best" XP in its lifetime -- better than it was say 5 years ago as to safety and stability, yet the world didn't end then because XP was in use.

2. The hype is that "something new might happen!" after 4/8/14.  This appears to just be marketing FUD.  I ask customers how often their anti-virus has reported stopping an attack or how often they've had to have someone come in and clean out a virus.  If they say rarely to never - which is the vast majority, then their risk of a world ending event after 4/8/14 is low.  If they do get malware the impact is no different than if they got it before 4/8/14. Clean it up and move on.  

3. I've worked on PCs that hadn't had an update in months to years but were used daily and while I find lots of software bloat I only get a few viruses.  This is true on both XP and Win7.  How aggressively the individual interacts with the internet appears more relevant to picking up issues than does the choice of virus checker (if any) or the condition or version of their OS.  Retired church ladies often get lots of software bloat but few viruses.  The youthful (30s and below) seem to get the most malware, at least in my experience, and they more often have the newest OS (i.e., Win7).

MS stopping updates to XP makes news and the induced fear generates a lot of business, but there is so far no reason to believe that today is any riskier than yesterday was -- nor will next year logically be any riskier than last year was.

It feels like Y2K all over again. Maybe we should call it YXP?

 

 
Li Tan
User Rank: Ninja
4/8/2014 | 10:01:32 PM
Re: XP users will eventually migrate, but to what?
Frankly speaking, MS did more than enough to support Windows XP in these years. The OS architecture was designed one decade ago and it's becoming more and more difficult to adopt new technologies. It's indeed time to upgrade. Many users stay with XP since it's rather stable. Furthermore, they may not have strong demand that needs to facilitate the power of new Windows OS. But now the time finally comes - without continuous support/patch, you are prone to higher and higher risk without upgrade.
Charlie Babcock
User Rank: Author
4/8/2014 | 7:31:03 PM
XP users will eventually migrate, but to what?
If software companies can't set a date for when their product will no longer be supported, they end up carrying forward an ever growing deadweight of baggage. Microsoft has been better than most about signaling its intentions. On the other hand, I'm not sure if I were Microsoft that I would spur so many customers to migrate. If they wanted to migrate to Windows 7 or Windows 8, they would have done so by now. If their existence becomes tenuous on XP, then they will migrate. I'm just not sure where.
Michael Endler
User Rank: Author
4/8/2014 | 1:00:47 PM
Re: fair and balanced reply -- Official word on the Windows XP ATM issue
Microsoft Director of Communications Tom Murphy confirmed to me that some ATMs are running Windows XP Pro Embedded, which loses support today, whereas others are using Windows Embedded SP3, which is supported until 2016. He said Microsoft has been working with banks since 2007, and that all of them have taken appropriate measures, from updating machines to paying Microsoft for extended XP support while they finish migrations. He said, "With banks, trust and security is front and center. ATMs are something they put a lot of thought and investment into." He added he's still going to use ATMs.

I asked about the "old ATM in the corner of a liquor store" scenario, and he said that it's hard to speak specifically, but that those ATMs are operated by companies whose business is to ensure that customers are kept safe. He also said that the vast majority of Microsoft's large customers have moved off of XP, though he said some complex migrations are still ongoing.
Michael Endler
User Rank: Author
4/8/2014 | 12:31:38 PM
Re: Lab machines
Thanks for sharing your experience. It's easy to play up the number of active XP systems, and for consumers, I think the hoopla about risks has some merit. But a lot of professionals need to keep using XP and know how to keep it secure, with or without Microsoft, as your story demonstrates. The upgrade urgency isn't the same for everyone, and unfortunately, neither is the upgrade simplicity.