Yesterday my colleague David Gewirtz delivered a fire-and-brimstone sermon on the coming XPocalypse, the date early next year when Microsoft stops supporting Windows XP.
Here’s Pastor Gewirtz, in a passage replete with Biblical references:
If you don't think that cybercriminals have marked April 8, 2014 on their calendars with a big star, you're crazy. If you don't think they're holding back on launching some of their bigger exploits until after the patching ends, you're naive. For cybercriminals intent on skinning our 500 million sheep, April 8, 2014 is D-Day.
By abandoning XP on April 8, 2014, Microsoft will cease being a good shepherd of its most loyal customers. Microsoft is just leaving them out there, exposed, and unprotected. On April 8, 2014, those millions of remaining XP users will be like lambs being led to the slaughter. To paraphrase Jeremiah 11:19, they do not know that plots have been devised against them.
Can I get a “Hallelujah!” I said, Can I get a “Hallelujah!”
OK, my turn at the pulpit. Spoiler alert: I don't plan to cite chapter and verse.
First of all, this should not be a surprise to anyone. If you use Windows XP, you are not sheep, you are a paying customer. You got one of the best deals ever, because Microsoft has been running this route, the XP local, for more than a decade. No one is being left at the station. This train has had a “going out of service” sign on it for two years.
The support lifecycle is a contract between Microsoft and its customers, one that’s been clearly described for many years. It is ridiculous to think that a software company should support a product indefinitely. That’s economically silly and technically unsustainable. In early 2014, Microsoft will be delivering security patches for five—count ’em, five—major releases of its operating system that are still in mainstream or extended support.
Perhaps that is why Microsoft’s reliability record with patches has been getting a bit dicey lately.
If you thought you were getting a lifetime guarantee, you weren’t paying attention. XP’s end-of-support date was actually already extended once.
And how many other computing products from that era are still supported? Seriously, when April rolls around, it will have been more than seven years since Windows XP was a current product from Microsoft. XP was officially replaced in November 2006. To put that in perspective, here’s what the world looked like then:
- Google Chrome did not exist.
- Gmail was in beta.
- The first generation of Macs using Intel chips had just appeared.
- The operating system on those Macs was OS X Tiger.
- The iPad was science fiction.
- Twitter had been in existence for a few months.
- Facebook had opened to the public two months earlier.
- Robert Scoble had been a Microsoft evangelist just a few months earlier.
- Firefox version 2 was only a few weeks old.
- The iPhone was only a rumor.
- Android was not yet in beta.
- Nokia and BlackBerry were duking it out for the top two spots in the smartphone market.
- Steve Jobs was alive.
And at that time, Windows XP was already five years old, a senior citizen in software terms.
Windows XP is a relic from another era. No one expects modern software to be supported for 10 years or five years or, in many cases, for even a year. Web services like Facebook and Google roll out big changes every month. Apple drops support for releases that are less than four years old. By modern standards, that's generous. Ten years? That's insane.
When it reaches its end of life in April 2014, Windows XP will have been officially supported for more than 12 years. It deserves retirement.
Microsoft says 13 percent of the PCs in use next April will still be running Windows XP. It’s logical that the decline in usage will steepen as procrastinators realize that, oh crap, yes they have to do something about this. That means come Q2 next year, roughly 150-190 million PCs will be running XP. That's still a big number, but far less than the 500 million number that has the Reverend Gewirtz so alarmed.
So who will those laggards be? I think they can neatly be divided into three groups:
The largest group is businesses that have mission-critical apps that run on Windows XP and can’t easily be upgraded. My dentist still has one of those apps. That PC can be locked down pretty hard, and the fact that it’s not connected to the Internet means it’s not really at risk. In big enterprises that have IT staffs and IT budgets, there are ways to virtualize those apps so they run in a session on a PC running a modern operating system, usually Windows 7. Those are the best available options. For small businesses stuck with old apps, upgrades are almost always available. If not, disconnect from the Internet.
The next largest group is cheap consumers who have an old PC that’s still running but is too underpowered to upgrade. Even if we concede these are all senior citizens and Microsoft takes David’s suggestion to give them all free Windows 8 upgrades, this bunch won’t be able to do it. An old Pentium 4 with 512 MB of RAM isn’t eligible to upgrade.
And then there are the clueless, the ones who just don’t know any better, the “lambs being led to the slaughter.” I’m afraid that bunch was mostly pwned long ago. After all, they don’t have up-to-date antivirus software, they didn’t update Java or Flash for years, and they’ll click just about anything if it has naked pictures embedded or dollar signs attached.
And oh, by the way, the security software industry isn't abandoning XP. For XP diehards who keep their security software up to date, it should be easy enough to avoid all but the most sophisticated targeted attacks.
The idea that crafty cyber criminals are just itching to exploit zero-day vulnerabilities is a common myth. The reality is that most computers are pwned using exploits that would have been blocked by even a casual patching policy. Most successful exploits target vulnerabilities that were patched years earlier. Zero-day exploits are for spy novels (and actual spies). People who can't be bothered to update their antivirus software or turn on automatic updates are going to be victims, even if you convince them to wake up for a day or two and upgrade their operating system.
In short, when April 2014 rolls around, most of those who are still running Windows XP are doing it either in full knowledge of the consequences or in absolute disregard for the risks. There's no middle ground. And neither group is likely to change just because someone offers them some free or cheap software.
I’d love to see Windows XP die with dignity. But I expect to see it hanging on in airport and hospital signage and point-of-sale apps and on netbooks for at least a few more years before sightings of XP in the wild become truly rare.
Let it go, people. Let it go.