Windows XP Security Issues: Fact Vs. Fiction

Are you prepared for the end of Microsoft support for Windows XP next month?

Michael Endler, Associate Editor,

March 12, 2014

6 Min Read

Windows 8.1 Update 1: 10 Key Changes

Windows 8.1 Update 1: 10 Key Changes

Windows 8.1 Update 1: 10 Key Changes (Click image for larger view and slideshow.)

In less than a month, Microsoft will stop supporting Windows XP, still the second most widely used PC operating system in the world. The company announced the OS's April 8 termination date years ago, but with as many as 500 million XP systems still active last month, not everyone is going to make a move in time.

XP users have vocally protested Microsoft's abandonment of such a popular product. Objections include upgrade costs, application compatibility concerns, and whether customers should be effectively forced to leave a product that they are happy with. Despite Microsoft's increased efforts, which now include daily pop-up notifications on XP systems, almost one in three computers still ran the 12-year-old OS in February, according to web-tracking firm Net Applications. More alarming for Microsoft, Windows XP's market share hasn't decreased since last year and Windows 8.1's has barely grown. Both trends imply the company's escalating messaging has fallen largely on deaf ears.

[Will Microsoft win back users with Windows 8.1 Update 1? Read Microsoft Windows 8.1 Update Surfaces.]

So what will happen when April 8 passes and millions of people are still running Windows XP?

"We're into panic time," Michael Silver, a VP at the research firm Gartner, said in an interview. He said the amount of risk depends to some extent on what XP laggards can accomplish in a hurry.

"The ones we're speaking to now are the ones that have done barely anything." If companies haven't already taken action, Silver said, they probably don't have time to even replace XP systems with virtual machines, let alone migrate their operations to Windows 7. Silver told us many late-comers are removing admin rights, restricting permissions, and otherwise locking down any XP systems that can't be retired.

Figure 1:

"The reality is, the absence of patches for Windows XP just exposes companies to risk," Forrester analyst David Johnson said, noting that companies must be mindful, not only of security concerns, but also of compliance obligations.

For its part, Microsoft has been trumpeting for months that Windows XP is six times more likely than Windows 8.1 to contract malware. Some InformationWeek readers labeled the statistics as a scare tactic, pointing out that Microsoft has newer products it wants to sell. This cynicism isn't without merit-- but don't be too quick to label Microsoft a fearmonger. Security experts agree: You stick with XP at your own peril.

"It appears a lot of organizations don't realize or don't care how porous Windows XP will become after it ceases being patched in April. It isn't a war-hardened OS, as some customers believe," Wes Miller, research VP with IT consulting firm Directions on Microsoft, said last fall in a blog post. "XP systems will be ripe for an ass-kicking beginning next spring, and they can, and will, be taken advantage of."

Indeed, zero-day exploits are a major IT headache even today, with Microsoft supplying patches and support. The situation could get worse after April, especially if criminals are stockpiling new exploits in anticipation of the deadline, as some have speculated. Silver warned that attackers might also be able to use future Windows 7 and Windows 8 patches to reverse-engineer

XP vulnerabilities, and that those who continue to run XP should not use it for web-browsing and email.

Security researcher Graham Cluely described other threats last year. In a blog post, he wrote: "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks."

Microsoft announced in January that it will continue to deliver anti-malware support to XP users through July 14, 2015, provided customers have Security Essentials installed by April 8. Microsoft will also maintain System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune for enterprise customers. Most security vendors also plan to support Windows XP for at least the next several years. All of these efforts could mitigate XP's potential risk after April, but Johnson said the protection will be more reactive than proactive.

Miller agreed. "Antivirus simply cannot protect you from every kind of attack," he said in a January blog post, comparing XP to a "rotting wooden boat."

XP poses a threat, not only to conventional PC users, but also to a variety of industrial systems, ATMs, and healthcare products. A February report by the SAN Institute identified Windows XP's prominence as a potential liability in the healthcare industry, for example. The OS also reportedly supports the majority of the world's ATMs, and Michael Assante, former VP and security chief for the North American Electric Reliability Corporation, told The Wall Street Journal that XP workstations are used in virtually all electric and gas utilities in the United States.

With such systems, "the issue is really: How connected are they to the public Internet, and how locked down are they?" Silver noted. He said single-application machines should be locked down to begin with, which will "hopefully make them less vulnerable."

But regardless of how many additional customers move on from XP by April, the most apocalyptic predictions could be overblown for a simple reason: IT admins aren't stupid. Yes, on the consumer side, some XP holdouts will surely fall victim to some scam or another, and it's probably inevitable that at least a few businesses suffer setbacks as well. But most IT admins have known about the April deadline for a long time, and many of those who cannot easily abandon XP have taken precautions to keep their data safe and secure.

A recent survey by Redmond Magazine, for example, found that only 35% of respondents run an XP system connected to the Internet; the others have already confined XP to protected networks or single-application use. Of more than 3,000 participants, only 28% had completely purged XP from their infrastructures. Nearly one in four said they have no plans to retire XP systems, and only one in six said they were scrambling to upgrade before April. Almost 40% blamed application compatibility for their failure to upgrade.

Johnson said Forrester has fielded "considerable inquiry" from XP holdouts, and that "most companies have started working on some kind of containment strategy." Tactics range from revoking admin rights on XP machines to paying Microsoft for extended support, which is generally only available to large organizations and can cost millions of dollars.

But whatever the tactic, the risks cannot be ignored. IT admins "might not be stupid, but they have a lot of XP machines left," said Silver. "In some cases, those machines are still doing important things and are connected to the Internet."

Incidents of mobile malware are way up, researchers say, and 78% of respondents worry about lost or stolen devices. But although many teams are taking mobile security more seriously, 42% still skip scanning completely, and just 39% have MDM systems in place. Find out more in the State Of Mobile Security report (free registration required).

About the Author(s)

Michael Endler

Associate Editor,

Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 and, pending the completion of a long-gestating thesis, will hold an MA in Cinema Studies from San Francisco State.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights