Microsoft Issues Five Month Countdown for Windows XP Support
Microsoft introduced Windows XP in 2001, and it became an instant success. It combined the well-received consumer user interface from Windows 98 with the stability of Windows NT, was out-of-the-box Internet capable with an excellent browser -- Internet Explorer (IE) -- and quickly took over the market.
Tue, December 10, 2013
CSO — Microsoft introduced Windows XP in 2001, and it became an instant success. It combined the well-received consumer user interface from Windows 98 with the stability of Windows NT, was out-of-the-box Internet capable with an excellent browser -- Internet Explorer (IE) -- and quickly took over the market.
In terms of security, XP was immediately the target of attacks. In 2004, Microsoft hit a milestone in this area, when it unveiled Windows XP SP2, which featured a built-in, always-on firewall that effectively ended the era of the large-scale Internet worms, such as Blaster, Sasser, and Slammer. As a result, Windows XP became a huge hit with over 600 million installations worldwide.
But in April of next year, 2014, Microsoft will execute on its long published maintenance plan and stop commercial support for Windows XP. Starting in May, Windows XP will stop receiving security updates, even for highly critical security flaws such as September's and November's IE zero-day that targeted Windows 7 and, you guessed it, Windows XP. By mid-2014, new and (by then) unfixable security flaws for XP will be well-known and freely traded in the cybercriminal underground.
To illustrate this certainty, let's take a look at this year's IE security bulletins. There have been fourteen updates so far, one each month through November, plus additional updates in February, May and November to cover zero-days, addressing a total of 117 vulnerabilities. Windows XP was affected by 75 of the vulnerabilities, including 68 rated critical, which accounts for 64 percent of total vulnerabilities and 90 percent of critical vulnerabilities this year alone.
This pattern will not simply stop in April 2014. We can be certain that vulnerabilities will continue to affect Windows XP, and given that it is unlikely that Windows XP will be replaced 100 percent by April 2014, we will see reverse engineering of vulnerabilities for XP and the development of exploits as well.
Networks that include Windows XP computers used for normal office activities, such as e-mail, web browsing, word processing, etc., will become undefendable and will invite attackers inside. There are certainly steps one can take to lower the risks, such as switching to supported browser, e-mail, and office programs, and hardening Windows XP (by using Enhanced Mitigation Experience Tool, for example), but these are band-aids that can only prolong XP's useful life by a few months.