Don’t get too excited.
Windows XP will still officially fall off the edge of the world in April 2014 when Microsoft ends support.
Strictly speaking, of course, once you have applied the April 2014 Patch Tuesday updates to your XP computers, you’ll be no less secure than usual for another month.
But when 13 May 2014 rolls around, being the second Tuesday in May, all other versions of Windows will get patches, and you won’t.
The bad news about that is that many of the vulnerabilities that can be exploited in recent versions of Windows are also present in – indeed, were probably inherited from – the Windows XP codebase.
As a result, cybercriminals may be able to work backwards from information that has been innocently disclosed about bugs in Windows 7 and 8 – bugs that no longer matter very much once they’ve been spotted and patched – and to use that information to help them attack XP computers.
Why not keep XP going?
“Why then,” you might ask, “doesn’t Microsoft simply retrofit all the new security features from Windows Vista, 7 and 8 into XP, and keep churning out the patches?”
Part of the answer is that it would be a big economic burden to Microsoft, which can hardly be said to have a moral imperative to keep on sinking time and money into an operating system for which most users paid less than $100, and from which many users have already extracted ten years of life.
But the most important part of the answer is that continuing to patch XP would be like trying to cross a technological chasm for Microsoft.
Many of the deep internal changes that Microsoft made in its more recent operating system versions were put there precisely to create a better security substructure than XP – in other words, to bring a touch of software revolution in order to bypass the crevasses that evolution alone wouldn’t be able to cross.
Some of us who want to get rid of XP have made it clear that we just aren’t going to make it by April (or May, if we allow ourselves that bonus final month).
Microsoft has therefore caved in just a bit, and announced that it will still provide updates to its various anti-virus tools on XP after the deadline.
Let’s be clear: no new security updates, no non-security hotfixes, no free or paid assisted support options, and no online technical content updates from Microsoft.
But Microsoft Security Essentials on XP, and various other Microsoft antimalware tools, will keep ticking over: support will continue until 14 July 2015. (Yes, that’s a Patch Tuesday – the latest day of the month it can happen.)
Note. Sophos Endpoint Security and Control (SESC) will officially support Windows XP Service Packs 2 and 3 until at least 30 September 2015. SESC will support Windows Server 2003 until at least 31 January 2017. (Our support knowledgebase has a complete platform support list.)
Does this mean I can postpone the inevitable?
Is this a signal from Microsoft, or, for that matter, from Sophos, that it’s perfectly OK to keep using XP past the deadline?
There are some good reasons (and plenty of bad ones) why you might need to keep XP alive, but if you do so then there are various steps you should take to reduce the risk of having weak spots in your network.
For some practical advice on the subject, why not listen to our informative podcast, The End of XP?
As mentioned above, if you are a Sophos customer then your legacy XP computers will be covered by Sophos Anti-Virus until late 2015 (early 2017 for your 2003 servers).
That means you can use Sophos’s Application Control features, allowing you not only to regulate malware, but also to prevent the use of software that might put your already-risky XP computers even further into harm’s way.
That way you can keep those old XP lathe controllers alive, for example, while making sure they are used only to run the lathes, and not used “off shift” for tasks such as browsing, reading PDFs or watching cat videos!