As Microsoft's April 8 deadline approaches for ending support of its Windows XP operating system, one of its largest groups of users, the federal government, appears behind schedule in making the transition to new operating systems, leaving an estimated 10% of federal desktop computers more vulnerable to attacks. After that date, government computers using the operating system will continue to function, but they will become "five times more vulnerable to security risks and viruses," even if anti-virus software is in place, Microsoft said on its website.
Since 2007, when Microsoft announced its intentions to stop supporting XP, the company has worked with the federal government to check its progress, eventually on a monthly basis, and identify issues that may cause a delay in deployments of newer operating systems. Most agencies have moved from XP to the latest versions of Windows, and more than 90% of them are expected to have made the transition by April, Susie Adams, chief technology officer for Microsoft Federal, said in an email to InformationWeek.
That's better than the market at large: As of last month, more than 29% of the desktop market, or roughly half a billion active users worldwide, still used XP, according to Web-tracking firm Net Applications.
"We see significant momentum in agencies moving to Windows 7 and Windows 8.1 across the federal government," said Adams. "The same holds true for agencies moving to a cloud-based productivity suite with Office 365. The vast majority of cabinet-level agencies are moving or have moved to Office 365 in whole or in part." It's less clear how many agencies are replacing desktops with tablets that use Android or Apple's iOS operating systems.
The remaining 10% still relying on Windows XP, in part to sustain various legacy applications, will no longer get security updates or technical support for the outdated operating system. Even the National Institute of Standards and Technology, which published the "Guide to Securing Microsoft Windows XP Systems for IT Professionals" for federal agencies, issued its last update in October 2008.
Those agencies that haven't made the switch will be susceptible to attacks by hackers looking for new flaws in the unpatched machines. These include thousands of computers on classified military and diplomatic networks that hold sensitive information, according to the Washington Post.
Organizations that will experience problems once Microsoft stops releasing patches for Windows XP fall into two categories. The first is organizations whose XP computers are embedded in larger systems, performing specialized tasks alongside control components that run on Windows XP. Owners of those systems won't be able to upgrade, although this situation for the most part won't apply to government agencies, Dave Frymier, chief information security officer at Unisys, said in an interview.
Federal agencies fall into the second category: organizations with numerous Windows XP workstations that haven't been upgraded for budgetary reasons, and continue to run XP because newer operating systems won't work on the antiquated hardware they have.
"We've talked to organizations that have thousands of these workstations, and the magnitude of this problem is large," said Frymier. "The longer a Windows XP machine sits there unpatched, the more vulnerable it will become to zero-day attacks that exploit an unknown vulnerability. It's been speculated that there are thousands of zero-day attacks against Windows XP."
There is also the issue of long-term support. Eventually, new hardware and software will stop working on the old operating system. As manufacturers switch to newer versions of Windows, many devices such as cameras and printers won't be compatible with Windows XP, according to Microsoft.
If CIOs cannot afford to pay for a refresh, the best alternative is segregating the XP systems into their own environment, Frymier said. They will have to replicate parts of their infrastructure, such as domain controllers, printers, and DNS servers -- a process that varies in difficulty. One way to compartmentalize an XP environment is by using network technologies like firewalls, switches, and routers.
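As an added illustration of the compartmentalization Frymier describes (this is example code written for this article, not anything from Unisys or Microsoft), the script below encodes a default-deny policy for a segregated XP enclave and audits constructed firewall log lines against it. The segment addresses, the replicated domain controller, DNS and print server, and the log format are all assumptions.

```python
import ipaddress
from collections import namedtuple
# Constructed topology (assumption): XP workstations live in their own segment,
# and the replicated domain controller, DNS and print server sit in a small
# services segment that a firewall separates from the rest of the network.
XP_SEGMENT = ipaddress.ip_network("10.99.0.0/24")
XP_DC = ipaddress.ip_address("10.99.1.10")
XP_DNS = ipaddress.ip_address("10.99.1.11")
XP_PRINT = ipaddress.ip_address("10.99.1.12")

# Allow-list of (destination, protocol, port) an XP client may reach.
ALLOWED = {
    (XP_DC, "tcp", 88), (XP_DC, "udp", 88),     # Kerberos
    (XP_DC, "tcp", 389), (XP_DC, "tcp", 445),   # LDAP, SMB (logon, GPO)
    (XP_DNS, "udp", 53), (XP_DNS, "tcp", 53),   # DNS
    (XP_PRINT, "tcp", 9100),                    # raw printing
}
Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    """Parse a constructed firewall log line such as
    'src=10.99.0.20 dst=10.99.1.10 proto=tcp dport=445'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]))

def flow_allowed(flow):
    """Default deny: XP hosts may only reach allow-listed services, and
    nothing outside the segment may initiate connections into it."""
    if flow.src in XP_SEGMENT:
        return (flow.dst, flow.proto, flow.dport) in ALLOWED
    if flow.dst in XP_SEGMENT:
        return False
    return True  # traffic that never touches the XP segment is out of scope

def audit(lines):
    """Return the flows in a log that violate the isolation policy."""
    return [f for f in map(parse_flow, lines) if not flow_allowed(f)]

# Constructed sample log: two permitted flows and three violations.
SAMPLE_LOG = [
    "src=10.99.0.20 dst=10.99.1.10 proto=tcp dport=445",   # SMB to the replicated DC
    "src=10.99.0.20 dst=203.0.113.5 proto=tcp dport=80",   # XP host reaching the internet
    "src=10.99.0.21 dst=10.99.1.11 proto=udp dport=53",    # DNS inside the enclave
    "src=10.10.5.7 dst=10.99.0.20 proto=tcp dport=3389",   # inbound RDP from the main LAN
    "src=10.99.0.22 dst=10.99.1.10 proto=tcp dport=3389",  # XP host to a non-allow-listed port
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print("policy violation:", violation)
```

The same allow-list maps directly onto firewall rules between the two segments; running the audit over real flow logs shows whether the isolation is actually holding.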
The other alternative is isolating applications so that only authorized users can see and access the data in these applications. Unisys offers a software-based product called Stealth Solution Suite, which allows multiple user groups to share the same IT infrastructure in a secure way. Unisys launched a mobile version of the product in October.
Frymier said organizations should take Microsoft's warnings to upgrade to newer operating systems seriously. He said, "I think the Windows XP event could possibly be what Y2K wasn't."