The end of support for Microsoft’s 12-year-old operating system Windows XP has garnered a great deal of attention, but for the most part the risk to corporate and consumer users of the operating system is the same the day after the cutoff as it was the day before.
Yet that risk is not small.
Released in 2001, Windows XP is Microsoft’s last operating system developed before the company embarked on the creation of its Security Development Lifecycle (SDL) as part of its Trustworthy Computing Initiative. Lacking many of the software defenses built into later versions of the operating system, Windows XP has high infection rates. More than 4 computers in every 1,000 scanned by the company’s Malicious Software Removal Tool had malware in the second half of 2012, and those were computers that were fully updated and running antivirus; for every 1,000 unprotected computers running Windows XP, about 16 had to be cleaned of malware, the company stated in its Security Intelligence Report (SIR) released in early 2013.
“More recently released versions of Windows feature a number of security improvements that are not included in Windows XP, which means that even protected computers running Windows XP face risks from exploitation and malware infection that don’t apply to more recent versions of Windows,” Microsoft stated in the report.
The latest version of Windows, Windows 8 RTM at the time, had only 0.5 infections found per 1,000 updated systems scanned, according to the SIR’s data on 32-bit systems.
Yet there are still reasonable uses of Windows XP. Embedded systems not connected to the Internet can still run the operating system without running the risk of exploitation, said Wolfgang Kandek, chief technology officer for Qualys.
“You need to not be connecting to the Internet to be safe,” he said. “Just because you have a firewall and antivirus, does not make it safe. Ultimately, you want your endpoint to be as robust as possible.”
Windows XP Embedded Service Pack 3, used in many ATMs, and Windows XP Embedded for Point of Service SP3, used in computer-based cash registers, will continue to be supported until 2016 under Microsoft’s Extended Support plan. Companies should keep those systems strictly separated from the Internet, but the Target breach, in which attackers reached the point-of-sale systems through a contractor’s systems, underscored how difficult such separation is to maintain.
Companies should find and weed out Windows XP systems and prepare for the inevitable discovery of a critical flaw in the system that will go unpatched, Kandek said. While there are business arguments for keeping the systems around for a few months longer, they should be replaced by the end of the year.
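One way to carry out the inventory Kandek recommends, as an added example that is not from the article or from Qualys: query Active Directory for every domain-joined computer whose reported operating system is a Windows XP SKU, separate the embedded variants that remain supported until 2016 from the desktop editions that do not, and flag stale accounts that probably belong to machines already gone. It assumes the RSAT ActiveDirectory module is installed and that clients populate the OperatingSystem attribute with a string beginning "Windows XP"; the 90-day staleness threshold and the output file name are arbitrary choices for the example.

```powershell
# Added example (not from the article or Qualys): inventory domain-joined
# Windows XP hosts via Active Directory so they can be retired or isolated.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: clients populate the OperatingSystem attribute at join/logon
# and every XP SKU (Professional, Embedded, WEPOS) reports "Windows XP...".
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled

$report = foreach ($h in $xpHosts) {
    # XP Embedded SP3 and XP Embedded for Point of Service SP3 stay under
    # Extended Support until 2016; every other XP edition is now unpatched.
    $embedded = $h.OperatingSystem -match 'Embedded|Point of Service'
    if (-not $h.Enabled)   { $status = 'disabled' }
    elseif ($embedded)     { $status = 'embedded, supported to 2016' }
    else                   { $status = 'unsupported, replace' }

    [pscustomobject]@{
        Name        = $h.Name
        OS          = $h.OperatingSystem
        ServicePack = $h.OperatingSystemServicePack
        LastLogon   = $h.LastLogonDate
        Enabled     = $h.Enabled
        Status      = $status
    }
}

# Human-readable view, plus a CSV to track the count quarter over quarter.
$report | Sort-Object Status, LastLogon | Format-Table -AutoSize
$report | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation

# Accounts with no logon in 90 days (arbitrary threshold) are usually
# machines already gone; disable them so they stop inflating the total.
$cutoff = (Get-Date).AddDays(-90)
$stale  = @($report | Where-Object { $_.Enabled -and $_.LastLogon -lt $cutoff })
"Total XP objects: $(@($report).Count); stale (>90 days): $($stale.Count)"
```

AD only sees domain-joined machines, so the result is a lower bound: standalone kiosks, ATMs on isolated segments and contractor laptops will not appear, and a network-based scan (OS fingerprinting or an authenticated vulnerability scanner) is needed to close that gap.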
The gradual replacement is currently under way, but it’s unclear how quickly it will be complete. Qualys’s customers, arguably more security-conscious than average companies, have reduced the proportion of Windows XP systems to 8 percent in the first quarter of 2014, from 18 percent the same quarter a year ago, according to the firm.
Yet, in general, the Internet as a whole is moving more slowly. Windows XP accounted for 19 percent of all operating systems in March 2014, down from 25 percent the same month a year ago, according to StatCounter, a Web metrics firm.
Rival NetApplications portrayed a slightly grimmer picture: Windows XP still accounts for 28 percent of the operating systems encountered by its clients, down from 38 percent a year ago.
Kandek argued that companies, at least, will have the problem under control by the end of the year.
“By the end of the year, everything will be in the single digits,” he said. “The visibility of the problem has been raised, and we are getting a lot of questions about it.”