Shona Ghosh examines the security threat posed by Microsoft’s decision to end support for its 12-year-old OS in April
The final deadline for Windows XP support will act as a starting pistol for hackers, as they target hundreds of millions of users on unpatched systems.
Microsoft has already granted the 12-year-old OS several stays of execut1on, but the firm has said it will finally end extended support on 8 April 2014 – despite the fact that XP remains the second-most popular OS, with almost a third of PCs running it.
These hundreds of millions of desktops and laptops will be vulnerable to hackers once XP stops receiving security updates, with Microsoft warning earlier this year that hackers could use patches issued for Windows 7 or Windows 8 to scout for XP exploits.
"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares [them]," wrote Tim Rains, the director of Microsoft’s Trustworthy Computing group.
"If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP," Rains added. "Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a zero-day vulnerability forever."
Microsoft noted that XP shared 30 security holes with Windows 7 and Windows 8 between July 2012 and July 2013, giving hackers ample opportunity to reverse-engineer vulnerabilities.
Ed Shepley, solutions architect at migration specialist Camwood, said users don’t seem convinced by the threat. He added that he’s surprised Microsoft’s warning didn’t lead to "hundreds of people phoning us that day". According to Shepley, the end of XP support poses a "significant risk".
Failure to migrate could leave [Only registered and activated users can see links. ] open to infections, denial-of-service attacks and data theft, according to Camwood. Aside from the inconvenience and costs to address the attack, companies can also face fines.
For example, American regulators have warned that banks that fail to upgrade their [Only registered and activated users can see links. ] from XP will be liable if, for example, customer credit-card data is stolen. In the UK, the Information Commissioner’s Office hasn’t issued such clear-cut guidance, but it has the power to fine institutions that don’t hold credit-card information securely in their systems under data-protection laws.
There are also "soft problems" for companies that don’t migrate to the most up-to-date software, added Shepley. "Companies run the risk of being left behind the rest of the industry," he said. "If you’re using a 32-bit version of XP, all the new tools and software that allow your competitors to be competitive won’t be available to you."
Despite the real security risks, analysts have suggested that corporations are reluctant to budget for the time and money required for a full migration. Many won’t even be able to upgrade before the cut-off date.
According to IHS iSuppli analyst Craig Stice, most [Only registered and activated users can see links. ] have tried to avoid a full IT refresh amid the economic uncertainty, with managers "hanging on" to the hardware they already have.
"They’re extending the life of [hardware] as best they can, through internal upgrades or additional memory – doing anything to increase performance without having to upgrade," he said. "Traditionally, PCs are refreshed every four years. We’re seeing that extended pretty dramatically to five or six years."
According to Shepley, it’s been so long since most businesses have conducted a wholesale migration that many have simply forgotten how long it will take. Microsoft states that corporations should leave up to 30 months to complete their migration.
"Some of our clients think it can be done over a few weekends. They don’t understand how many applications they have," said Shepley. "One [Only registered and activated users can see links. ] we’re working with believes they have 1,000 applications; we’re doing an inventory for them, and our number is somewhere north of 4,000. People don’t realise how much app proliferation has gone on since they put XP in."
It hasn’t helped that Microsoft has, in some instances, been undermined by its rivals continuing to support products on XP.
One such company, Google, recently announced that it will continue to support Chrome on XP until April 2015 – a year after the deadline for extended support expires. "We recognise that hundreds of millions of users, including a good chunk of current Chrome users, still rely on XP," said Google.
"Many organisations still run dozens, or even hundreds, of applications on XP and may have trouble migrating."
Security experts condemned Google for "facilitating" unsafe internet use. "Yes, maybe Google can keep a handle on bugs and security holes in Chrome running on Windows XP," said security analyst Graham Cluley, "but it’s powerless to fix vulnerabilities in Windows XP itself."
Given the hundreds of millions of users potentially at risk, many are expecting Microsoft to relent and release patches. "People are hoping they can get away with it, and that Microsoft will issue a patch of some kind," said Shepley. "It will be interesting to see if something comes onto the internet that affects XP in a bad way quickly. Where Microsoft can deliver a fix, will it? Otherwise, it’s forcing an awful lot of people to be significantly impacted."
However, Shepley isn’t optimistic that Microsoft will perform a U-turn. "Personally, I don’t think it will push back," he said. "XP arrived in 2001, so we’re talking about producing a fix for something that [will be] around 13 years old."
There is some comfort for businesses that are likely to miss the April deadline: they have the option of switching to Windows Server 2003, which is based on the same kernel as Windows XP, but won’t be terminated until 14 July 2015. "All the people we know who will miss the April 2014 deadline will easily hit April 2015," said Shepley.
One mitigation strategy being employed by those who are set to miss the deadline is disconnecting vulnerable PCs running XP from the internet – but this isn’t without risks, either. "Even if a device is only a on private network another device – even one running a supported product – can be infected with malware outside and can bring it onto the private network, infecting other devices," Gartner said earlier this year.
Nonetheless, both Cluley and Shepley agreed that Microsoft should send out a "strong message" to warn more users off XP before the April deadline.
"Microsoft has done well communicating through partners, even if it isn’t quite so doom and gloom itself," said Shepley. "Part of me wishes it would say, ‘Right, we’re going to remotely turn off every XP box on 9 April’, because everyone would then pay attention."
Read more: [Only registered and activated users can see links. ] [Only registered and activated users can see links. ]