Microsoft Windows XP's lifecycle came to an end today after a tumultuous 12-year reign as the most successful operating system ever.
Despite great market success, Windows XP had been suffering from severe security vulnerabilities almost since birth. XP barely survived major surgery in 2004, emerging as Windows XP SP2, more resilient to attack, but still weak. Having long-since decided to forgo further heroic measures, Microsoft withdrew support today.
I asked my ZDNet colleague, Ed Bott, who literally wrote the book on Windows XP, for a few words on the sad occasion. Choking back a tear, Ed said "Windows XP has been officially supported for more than 12 years. It was a senior citizen five years ago. It’s been on life support since then.".
Windows XP was born in the summer of 2001, being released to manufacturing on August 24, 2001. The formal rollout event for Windows XP in Times Square in October of that year was subdued, owing to the still-fresh ruins of the World Trade Center downtown, but it was still clearly a major event in PC history.
XP was the first version of Windows destined for the consumer market to be based on the Windows NT kernel. This made it far more resilient, even more secure, than Windows Me and Windows 9x versions it replaced. It brought many other advances to combat common Windows problems, such as measures to combat "DLL Hell," an improved user interface, and better performance than earlier consumer Windows versions which ran a much less sophisticated kernel architecture.
Product activation was also born with Windows XP. In an attempt to combat what they termed "casual piracy," Microsoft created a copy-protection system for Windows which was later extended to Office. Determined and even modestly competent pirates were able to get past Activation in Windows XP. Microsoft has made the technology much more difficult to bypass in later versions, but the ability to get cheap or free versions added to XP's popularity, particularly in the far east.
security bulletin MS01-059 (warning: shockingly, the page only seems to work correctly in Internet Explorer), which announced that an unchecked buffer in the UPnP (Universal Plug and Play) subsystem could allow anyone on the network to take control of a Windows system just by sending some malicious traffic.
This is the worst kind of vulnerability and, while it wasn't the first and also affected earlier versions of Windows, it also wasn't the last. Very shortly afterwards, on Jan. 15, 2002, Bill Gates sent a memo to all Microsoft employees outlining the need for "Trustworthy Computing". Microsoft products had been written with little, if any effective concern for the reality of the security situation on the Internet. This had to change.
Gates's memo gave the company permission to delay the development of important products in order to get security right in them. It led to the creation of the SDL (Security Development Lifecycle), a set of practices to make security an important concern through the entire development process.
But all this came too late for Windows XP, which was already out and selling in spite of being a hacking magnet. New products would be built with security as a far higher priority, but what about Windows XP which was, after all, brand new? For a time there was little Microsoft could do but to patch vulnerabilities as they were found.
On August 25, 2004 Microsoft released Service Pack 2 for Windows XP. It contained some new user features and rolled up all updates since Service Pack 1, but was more significant for substantial security changes, mostly under the covers:
- The Windows Firewall was beefed up and set to run by default before the networking code was started.
- SP2 was recompiled to add support for (DEP) Data Execution Prevention, a technique that prevents many buffer overflow attacks. Support for the "NX" (no-execute) bit in many CPUs, also used for DEP, was added.
- Many of the core Internet-facing utilities: Outlook Express, Windows Messenger, and Internet Explorer were updated to be able to recognize potentially malicious files and warn the user of them.
- Additional warnings were added for ActiveX code and scripts.
- A Windows Security Center was created to coordinate security information for the user.
- Internet Explorer got a pop-up blocker.
- The Manage Add-Ons dialog was added to IE to show what code was installed in the browser and to allow users to disable it.
- Automatic Updates was improved.
Service Pack 3 was released several years later, rolling up more fixes and adding a few more security features.
The work that went into SP2 and the change of approach forced by the SDL meant that Windows XP's successor was not going to come out on schedule. To appease business customers, many of whom had bought Software Assurance subscriptions in order to get access to updates which were presumed to come regularly, Microsoft extended the support lifecycle of Windows XP an extra two years from the scheduled 2012 date to today.
But, in spite of all the complaints and problems, the last decade belonged to Windows XP. Helped immensely by poor customer reaction to XP's successor, Windows Vista, Windows XP's presence in the corporate world — in fact, in the entire world — grew to a huge proportion, only to drop with the release of Windows 7.
Windows XP is survived by Windows 7, Windows 8 and, barely, by Windows Vista. We attempted to reach Windows Vista for comment but couldn't find it anywhere.