Come April 2014, organizations that are still running Windows XP will face not only a support cutoff, but a security nightmare, cautions Microsoft. And the company’s warnings are growing louder.
“There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates,” explained Tim Rains, director of Microsoft Trustworthy Computing, in an Aug. 16 Microsoft Security Blog post.
In essence, enterprises with Windows XP machines in their PC fleets will be left to fend for themselves, and given XP’s continued popularity, a good number of PC users may be at risk.
According to the latest desktop operating system market statistics (July 2013) from Net Applications, Windows XP commands 37.19 percent of the market, second only to Windows 7 with 44.49 percent. Next year, unless XP’s share of the market drops considerably, hackers and malware coders will be setting their sights on a big new target.
“One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders,” Rains said. XP stands to lose a major defender in April, namely the Microsoft Security Response Center (MSRC).
To combat vulnerabilities across several versions of the company’s software, MSRC typically releases security updates that encompass multiple products simultaneously. This tactic lessens the chances that malware creators will exploit underlying similarities between Microsoft’s operating systems and applications. Next year, Windows XP will be left out of the loop.
“Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero-day’ vulnerability forever,” stated Rains.
Don’t count on the security precautions built into Windows XP SP3, which were state-of-the-art when it was released in 2008, to last long against today’s exploits, warned Rains. He stated that “attackers have refined their tools and techniques over the past decade to make them more effective at exploiting vulnerabilities. As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats.”
Rains joins a chorus of Microsoft executives that are sounding the alarm on the Windows XP sunset.
On April 8, a year before Microsoft is scheduled to pull support, Windows senior director Erwin Visser detailed the potential financial disadvantage of putting off an upgrade. “While end of support for Windows XP is still one year away, the migration process can take some time and may be costlier the longer you stay on Windows XP, ultimately putting your business at risk,” he blogged.
Echoing the data security considerations of sticking with XP after April 2014, Visser added that it “is critical that businesses ensure they protect their data and IP against the latest threats by deploying a modern Windows platform.”