42 days to go for XP - 8 tips if you aren't going to make it

Filed Under: Featured, Microsoft, Security threats, Vulnerability, Windows

In a tip of the hat to the late Douglas Adams, we'll ask, "How many days has XP really got left?"

If you include today - April Fool's Day, no less - the answer is, "42."

Here's my reasoning.

The last Microsoft-issued patches come out for XP in one week's time, on 08 April 2014.

(If that date is a surprise to you, you probably need to get out more. Or perhaps to stop going out so much.)

After that, as my friend and colleague Chester Wisniewski pointed out in our Sophos Techknow podcast, The End of XP, you've got about a month of security normality.


If we optimistically but reasonably assume that Microsoft won't need to issue any unscheduled patches in the month following, your XP systems will enjoy one last full lap of the security stadium, until May's Patch Tuesday.

On that day, 13 May 2014, all the other runners will keep forging ahead in the security race, but you will be forced off the track.

You will not be allowed back; your race will be over; you will officially be behind; and you will stay behind forever.

So, ignoring any emergency fixes that might leave you behind slightly earlier, you will be on an even footing with users of more recent versions of Windows for the next 42 days, including today.

There you have it: 42.

What if you plan on going past 42?

We're not going to argue the point that you should change your mind at the last minute and upgrade all your remaining computers at once - not today, at any rate.

We shan't try to browbeat you into admitting that you'd probably end up saving yourself time and money if you simply retired that XP-only $2000 printer you bought 13 years ago, and replaced it with a smaller, faster, lighter $100 model with 16 times the pixel resolution, and 128 times the memory.

We'll leave out the guilt trips about how your ever-weaker security will put the rest of us at ever-greater risk.

And we'll skip over our surprise if your objection is that you don't like the fact that Microsoft is asking you to pay to upgrade, but you aren't willing to put your mouth where your money isn't, and switch to a free alternative. (There are many, including Linux and various incarnations of BSD.)

Eight tips

Instead, we'll assume there are unavoidable reasons why you have to keep sailing on the Steam Ship Windows XP for a while longer, and simply present you with a list of eight tips.

  1. Get up to date in April 2014, and check you have every patch that Microsoft has ever offered you. 08 April 2014 will be your last Microsoft patch, so you probably won't be revisiting Windows Update.
  2. Keep updating other software that you may be using, such as Flash, Java, your anti-virus, and more. Sophos Anti-Virus, for example, will be supported on XP SP3 until at least 30 September 2015. (See tip [8].)
  3. Consider tightening up the restrictions imposed by your anti-virus and your endpoint firewall (if you use one). If you must keep XP computers going, try to shrink their operational universe, so that they get used only when necessary, rather than whenever it's convenient.
  4. Remove all software and drivers you are not using. In fact, make an active effort to minimise the set of applications you permit on your XP computers. Even software that is still being patched depends on operating system components that aren't, and it simply may not be possible for your vendor to work round lower-level holes in Microsoft's code.
  5. If your anti-virus has an Application Control feature, use it to enforce any software restrictions you decide upon in tip [4]. Application control lets you set rules like, "Skype and other instant messaging clients aren't allowed at all, so we don't need to worry about any data they might leak."
  6. Put your XP computers on their own network, and limit access into and out of that network as strictly as you can. If you are a Sophos UTM user, you can add UTM gateways to set extra, stricter network filtering for your XP computers, such as blocking email and instant messaging traffic, and preventing the use of social networks.
  7. Urgently get rid of administrator-level user accounts if you have any left. You should have done this years ago, throwing out any desktop software which required administrator privilege to work. It's now more important than ever to do this, in order to reduce the scope of an attack if hackers do manage to get in.
  8. Get on with your personal or organisational efforts to get rid of XP. Tips [2] to [7] don't really buy you more time - they just reduce the risk while you catch up. Don't be in this position again when 01 April 2015 comes around.
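Tip [7] is easy to state but easy to lose track of across a fleet of old machines, so here is an added example (not from the article, and not a Sophos tool) of a small audit that parses the text printed by `net localgroup Administrators` on Windows XP and reports any member that is not on an approved list. The sample output and the approved set are constructed for the example; the analysis function takes plain text, so you can collect the command's output on each XP box and run the check on any machine with Python 3 rather than on XP itself.

```python
"""Audit the local Administrators group on a Windows XP machine (tip 7).

Added example, not part of the original article or of any Sophos product.
It parses the text that `net localgroup Administrators` prints on XP and
reports members that are not on an approved list. SAMPLE_OUTPUT and
APPROVED are constructed for this example.
"""
import subprocess

# Constructed sample of what `net localgroup Administrators` prints on XP.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
jsmith
CADSTATION\\lathe_operator
The command completed successfully.

"""

# Assumption: only the built-in account is allowed to remain in the group
# (it should itself be renamed or disabled under local policy).
APPROVED = {"administrator"}


def parse_localgroup_members(output):
    """Return the member names listed below the dashed separator line."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        raise ValueError("separator not found; is this 'net localgroup' output?")
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        # Skip blank lines and the trailing status line.
        if not line or line.lower().startswith("the command completed"):
            continue
        members.append(line)
    return members


def unexpected_admins(output, approved=APPROVED):
    """Members of the Administrators group that are not on the approved list."""
    allowed = {name.lower() for name in approved}
    return [m for m in parse_localgroup_members(output) if m.lower() not in allowed]


def run_live_audit():
    """Run the command on the local Windows machine and audit its output.

    check_output with universal_newlines works on the old Python releases
    that still run on XP, as well as on current Python 3.
    """
    out = subprocess.check_output(["net", "localgroup", "Administrators"],
                                  universal_newlines=True)
    return unexpected_admins(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for name in unexpected_admins(SAMPLE_OUTPUT):
        print("unexpected administrator:", name)
```

On a domain-joined machine the list will also contain entries such as `DOMAIN\Domain Admins`; add those to the approved set deliberately rather than silently, since each one widens what an attacker gains by compromising the XP box.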

Some examples

Here are some examples of the limitations you might enforce for your XP computers:

• On a computer used to control specialised hardware, e.g. a lathe.

No browsers, no Microsoft Office, no Flash, no Java and no PDF reader installed. Application Control blocking on all unnecessary software. Internet access limited to known-and-needed sites for security updates.

• On a computer used for general office purposes, including browsing and email.

Upgrade it. It'll end in tears if you don't. You have six whole weeks!

• On a computer used online with legacy business apps.

Stick to a non-IE browser that is still getting security updates. All unneeded plugins removed. Application Control blocking on all unnecessary software. Internet access limited to known-and-needed sites for security updates and the legacy apps.
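Whatever gateway you use to isolate the XP segment (tip [6]), you will want to check that the "known-and-needed sites only" policy above actually holds. The following is an added example, not part of the article and not Sophos UTM configuration: it reads gateway log lines for new outbound connections from the XP subnet and flags anything that is not on an allowlist, or that goes to a mail or instant-messaging port the article says to block outright. The log format, the subnet, the allowlist and the placeholder update-server range are all constructed; substitute your gateway's own format and destinations.

```python
"""Check gateway logs from an isolated XP network against an egress allowlist.

Added example, not part of the original article or of Sophos UTM. It assumes a
gateway that logs each new outbound connection from the XP subnet in a simple
key=value form; the log lines, subnet and allowlist below are all constructed.
"""
import ipaddress
import re

XP_SUBNET = ipaddress.ip_network("192.168.40.0/24")  # constructed

# Known-and-needed destinations as (network, protocol, port). Constructed
# values: in practice these are the update servers, the legacy app server and
# the local DNS resolver, and nothing else.
ALLOWLIST = [
    (ipaddress.ip_network("192.168.1.2/32"), "UDP", 53),     # internal DNS
    (ipaddress.ip_network("192.168.10.5/32"), "TCP", 8080),  # legacy business app
    (ipaddress.ip_network("203.0.113.0/24"), "TCP", 443),    # placeholder update servers
]

# Services the article says should be blocked from the XP segment outright.
BLOCKED_SERVICES = {25: "smtp", 110: "pop3", 143: "imap", 587: "submission",
                    5222: "xmpp", 1863: "msn-messenger"}

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

# Constructed sample log: one line per new connection seen by the gateway.
SAMPLE_LOG = """\
Apr 02 09:01:12 gw kernel: XPNET-NEW src=192.168.40.12 dst=192.168.1.2 proto=UDP dport=53
Apr 02 09:01:13 gw kernel: XPNET-NEW src=192.168.40.12 dst=203.0.113.40 proto=TCP dport=443
Apr 02 09:02:40 gw kernel: XPNET-NEW src=192.168.40.15 dst=192.168.10.5 proto=TCP dport=8080
Apr 02 09:03:05 gw kernel: XPNET-NEW src=192.168.40.15 dst=198.51.100.7 proto=TCP dport=25
Apr 02 09:04:22 gw kernel: XPNET-NEW src=192.168.40.20 dst=198.51.100.9 proto=TCP dport=80
Apr 02 09:05:00 gw kernel: OTHER-NEW src=192.168.20.3 dst=198.51.100.9 proto=TCP dport=80
"""


def parse_line(line):
    """Extract src, dst, proto and dport from one log line, or None if absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
            "proto": m.group("proto").upper(),
            "dport": int(m.group("dport"))}


def is_allowed(dst, proto, dport):
    """True if the destination/protocol/port triple is on the allowlist."""
    return any(dst in net and proto == p and dport == port
               for net, p, port in ALLOWLIST)


def audit(log_text):
    """Return (src, dst, proto, dport, reason) for each XP-subnet connection
    that breaks policy. Connections from other subnets are out of scope here."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in XP_SUBNET:
            continue
        if is_allowed(rec["dst"], rec["proto"], rec["dport"]):
            continue
        if rec["dport"] in BLOCKED_SERVICES:
            reason = "blocked service " + BLOCKED_SERVICES[rec["dport"]]
        else:
            reason = "destination not on allowlist"
        findings.append((str(rec["src"]), str(rec["dst"]),
                         rec["proto"], rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("policy violation: src=%s dst=%s %s/%d (%s)" % finding)
```

A clean run should produce no findings at all; on the sample it reports the SMTP attempt and the plain-HTTP connection to an unlisted host, and ignores the non-XP source. If the gateway already drops such traffic, run the same check over its drop log instead, which tells you which XP machines are still trying to reach things they should not.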

Where to?

You may not like the fact that Microsoft is forcing you to upgrade.

But you've had years of warning, so don't fall back on the excuse that the deadline took you by surprise: if you're going to miss it, be practical about it.

Set yourself a new deadline, as close in time as you possibly can, and stick to it.

We promised no guilt trips, so take this as an objective and unjudgemental statement: "The rest of us are counting on you."



32 Responses to 42 days to go for XP - 8 tips if you aren't going to make it

  1. Richard Hughes · 172 days ago

    It is actually 7 days until the support for Windows XP ends!

    • Paul Ducklin · 172 days ago

      But there are 42 days to go. Honestly. (It's all explained in the article - as Chester explained it to me in the podcast shown above :-)

    • Hugh Richards · 172 days ago

      You didn't actually read the article, did you? :)

      • I didn't really read it either. I figure if my computer suddenly starts not functioning I will just go buy another used computer from Amazon.jp for like 100 bucks. Have all my real important stuff stored on memory sticks, external hard drives, and various places on the net, so I am so totally unconcerned.

    • RR · 169 days ago

      Why do people comment on everything no matter how silly the response might be?
      Personally I'm still using OS2 version 3 and it works great!

  2. Don't forget Office 2003. The recent Word RTF zero day was discovered only two weeks before it ends support at the same time.

    • Paul Ducklin · 171 days ago

      Fortunately (cold comfort, but a factoid nevertheless) the only known attacks so far rely on Office 2010. But then in a targeted attack, the crooks probably know what they have to target and can save time by not bothering with other versions...

      Let's hope that bug gets fixed before this "last lap," eh?

  3. Author, #6 will literally be impossible for the vast majority of old-school enterprises.

    • Paul Ducklin · 171 days ago

      If a company finds it *literally* impossible to segregate its network, perhaps it might like to identify itself so that the rest of us can avoid it, or at least avoid entrusting any of our personal information to it?

    • Alan · 171 days ago

      If this is 'literally' impossible for any enterprise, then since they're not replacing XP maybe they should replace their network guy(s).

  4. Too many old enterprises have custom intranets written solely for IE. Newer versions of IE won't work, nor will non-Microsoft browsers.

    • Paul Ducklin · 171 days ago

      That's an excuse. See the conclusion of the article :-)

    • An intranet built on such terrible foundations had failure baked in from the start.

      That said, IE-only intranets can be dealt with as legacy business apps. Turn the XP machines into dumb intranet terminals and follow the example above.

  5. LGV · 171 days ago

    Swap out for Linux / Ubuntu

    • Boom · 171 days ago

      Good idea, but what about all of that pesky legacy software? Not to mention support costs, retraining staff, find and/or replace software, etc.

      Linux is good for some people and some businesses but it is not good enough for the majority who need ALL software and hardware to be compatible and supported by the OS

    • Peter B · 171 days ago

      That's what I'm doing. I have no funds available to buy a new computer (necessary if I want to go even with just Windows 7) or to buy replacements for the legit copies of XP that I have, or to buy replacements for my other hardware or software (such as Office 2003).

      So my XP systems will go dark for much of the time - I am usually online 24/7, researching, handling email (most of which consists of reports like this from Paul), developing concepts and software based on them, and I will pursue what I'm investigating now (Linux Mint, initially as a test on a memory stick, and eventually as a multiboot entry alongside the XPs when I have confidence that I can do everything I need to for now).

      I've been involved with Microsoft products since the 1980s, both as a user and providing support to others trying to cope with the immensely bugged software, and it's sad in a way that it has to come to an end like this.

      Once I've made the transition I won't be going back. Indeed, I may operate a consultancy advising others stuck with XP and no funds to buy stuff that isn't really necessary. Every cloud has a silver lining, after all.

  6. MikeP · 171 days ago

    Some AV companies are spreading the myth that merely installing a different browser, usually they are hyping Chrome, will resolve the problem. It actually makes things worse as they are encouraging the misconception that not using IE resolves the problem. In fact, IE remains on the system and remains a major vulnerability plus the alternative browser may well have its own weaknesses too.
    XP can only use up to IE8 so cannot benefit from any later version. IE8 has known vulnerabilities and I'm sure there will be others not yet admitted within the code. So no matter what other software is present, IE8 is still there and cannot be removed - XP doesn't work without it!
    Many of Paul's 'solutions' may help in the short term in some cases, but updating to W7 or W8 or W8.1 is the only way to go.
    Some suggest using a VM with XP but that can still be vulnerable.

  7. Troy · 171 days ago

    Will Windows 7 or 8 run on a computer that came with XP or Vista?

  8. Frederik Walthard · 171 days ago

    Hi people

    I think now is a great time to get rid of Microsoft update messes. Killing XP gives me the very best reason to change to OSX /Apple. The fact that lots of things like printers, scanners, software, games, etc. will fall dead is indeed a great chance to change the entire platform.
    thanx Microsoft, you made the decision easy for me.

    • Mang · 166 days ago

      Apple are much worse for not supporting 'out dated' software, so good luck! They do have some tempting shiny whizz-bangs, but it's even more locked down than Windows, and the hardware is redonculously expensive.

      I'm non too keen on Microsoft, or their products, but at least they do look after their old products surprisingly well.

  9. Anonymous · 170 days ago

    You obviously missed the great Mavericks discussion last week

  10. Anonymous · 170 days ago

    I dunno....I think that criminals have been patiently sitting on malware to attack vulnerabilities in XP that have not been exploited yet and therefore have not and will never be patched. I think they will get busy next week. They've had two years to write their malware and sit on it. They won't wait 6 more weeks to attack!

  11. "You should have done this years ago, throwing out any dekstop software"
    Should be desktop, not dekstop.

  12. Dan · 165 days ago

    In 2010 my updater broke during an install of SP3 (which failed to install). I went 4 years with NO MICROSOFT UPDATES AT ALL. (Although I kept up to date with flash, java, browser addons etc).

    Last week I thought I'd better do something so I downloaded a new installer as one site recommended and got it going again. Installed SP3 and 109 updates. FUN FUN FUN. In fact I needn't have rushed to beat the April 8 deadline as the old updates will continue to be offered, but it's done now.

    But I had no updates from 2010 to 2014. No viruses either.
    Just to say it's good to keep up with the updates and make sure you're secure, but COMMON SENSE goes a long way.

  13. Don't take the very last upgrade from MS. Switch off auto upgrades, disconnect your machine from the Internet. Never use external media unless you scan them before and after using them with your isolated XP machine. Back it up regularly.

    • Paul Ducklin · 165 days ago

      Fair enough...but why skip the last patches? Amongst the fixes is one to plug a known zero-day hole. Why would you refuse that update?

      • Dan · 165 days ago

        The last update is simply a popup that warns you upgrades are stopping on April 8th. You can tick a box "please don't show me this again" and you'll never see it again. The ridiculous thing is I've seen people post on forums asking how to stop the popup. JUST TICK THE BOX!

  14. dac3uk · 165 days ago

    A segment about this on the BBC Today Programme last week (Saturday - can't remember) was very hokey and suggested that the whole thing was another computer scare story that people could safely ignore and having no updates in future would make life easier and less disruptive for everyone still using XP. I can't imagine why they took that line given that they have very good technology correspondents like Rory Cellan-Jones - but it wasn't him.

  15. Evelyn · 164 days ago

    I love the info in this article and will be sharing it with others, as I have several in my life who are still using XP. But I will say that I think your tone is a bit harsh towards those using XP. You seemed to imply that laziness or stinginess is at the root of it all. My hunch, based on my personal observations, is that a large percentage of those on XP are overwhelmed at the idea of switching. Many more may be dealing with financial restrictions or technical limitations which make it seem impossible.

    My parents, for example, would have no way of paying for a $100 printer, and they certainly never shelled out $2k for one. The idea of finding enough money to buy a new computer capable of supporting anything other than XP is laughable. The idea of using Linux terrifies them. Yes, I know Linux isn't that hard. But it is intimidating to them, and probably to many others. They don't have many options, and I'll be putting Linux on their system the next time I'm in town. They're going to have to get used to it, even though it will be a rough road for them initially.

    So I'm not criticizing your advice, merely the undertone of condescension which seemed to be present. It sounded not merely as if you don't understand the realities of living on a very strict budget, but as if you were mocking those who do. However, if I'm reading into things, I sincerely apologize. Again, your advice was excellent and greatly appreciated.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog