In a blog post, a senior Microsoft executive has warned users of Windows XP to get a move on and upgrade to shinier, newer versions of Windows.
The post, by Microsoft’s Trustworthy Computing Director Tim Rains, points out that after the end of official support for XP, on 08 April 2014, the company will be basically forced to pass on details of likely XP vulnerabilities to potential attackers, without providing users with the means to defend themselves.
One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders.
The problem is, of course, that once patches stop being provided for newly-discovered vulnerabilities, any problems that are found for more recent versions may well be backwards-compatible with XP.
As details of these issues will be widely publicised, for very good reasons, there’s bound to be plenty of research going on into which ones can be used to penetrate the systems of anyone still clinging on to XP.
Indeed, some people have already speculated that the bad guys will soon be stockpiling newly-found bugs until after the patch deadline, building up an arsenal of woes to unleash on those too lazy, poor, or stuck in their ways to upgrade.
Once the April 2014 deadline has passed, the world of Windows XP will be a perpetual zero-day, with no hope of relief from danger.
It’s clearly in Microsoft’s interest to spread maximum fear, to squeeze as much revenue as they can out of Windows users who will have to pay to step up to Windows 7 or 8. But their warnings do carry considerable weight.
In operating system terms, XP is pretty ancient, having been released in 2001 and reaching the end of its standard support back in 2009. When the five-year extended support phase ends, the platform will have very nearly reached its teens.
It remains remarkably popular though, with the best available stats putting it on anywhere from 13 to 30% of systems browsing the web – well overtaken by Windows 7 nowadays, but still streets ahead of Windows 8. Its stability, simplicity and familiarity will make it hard to dislodge from a huge residual user base.
This has led to some speculation that Microsoft might relent and extend the support period further, but this seems unlikely. As Rains also points out in his blog piece, even with regular patching, the security provisions in XP just don’t cut it any more, leaving its users open to all sorts of dangers they would be immune from out-of-the-box with less creaky platforms.
In general, we always recommend keeping everything fully patched and updated. So, when that is no longer a viable option, I guess the advice will have to be to upgrade to something which is actually patchable.
That’s not going to be easy though, and not just for sentimental reasons.
The financial impact of mass upgrading is likely to play a major factor here. In the home user world, a lot of people upgrade their operating systems by default when they upgrade their hardware.
Those on more limited budgets may have been keeping the same rickety old machines wheezing along for years though. If all you’re doing is browsing Wikipedia, emailing and occasionally Skype-ing the grandkids, you’re not going to need the latest super-speedy machine with 8GB of RAM and 2TB of storage.
The same goes for business users too; if something has been doing the job just fine for years and shows no sign of needing replacing, there’s got to be a considerable reason to spend money replacing it. With a lot of businesses struggling to survive in tough markets, these additional costs are going to have very low priority.
Bigger firms may have policies in place to ensure legacy systems are updated promptly, but even some of them are likely to lag in places, to say nothing of the huge numbers of smaller, less organised firms running from a few to a few hundred PCs with only the most basic IT skills to support them.
It seems almost certain that there will be a large number of people left exposed to all kinds of threats once the patches run out. Their infected systems may be old and creaky, but they’ll contribute all they can to a glut of spamming, DDoS and other botnet activity and thus impact the rest of us.
Until the last die-hard users fade away, it looks like the world’s going to be a little bit grimmer for us all.
So, if your IT department isn’t showing any signs of getting a move on upgrading, give them a nudge to make sure they’re on the case.
And if you’re at a loss what to get granny for Christmas, and you don’t think a MacBook would suit her chintzy pad, maybe a copy of Windows 7 (or some help installing and learning to use Ubuntu) would be just the ticket.