Please, let Windows XP die with dignity

Summary: Early next year, when Microsoft finally, officially, and unreservedly drops support for Windows XP, it won't mark the beginning of a new XPocalypse. XP is a relic of a bygone era. It's time to let it go.
Yesterday my colleague David Gewirtz delivered a fire-and-brimstone sermon on the coming XPocalypse, the date early next year when Microsoft stops supporting Windows XP.
Here’s Pastor Gewirtz, in a passage replete with Biblical references:

If you don't think that cybercriminals have marked April 8, 2014 on their calendars with a big star, you're crazy. If you don't think they're holding back on launching some of their bigger exploits until after the patching ends, you're naive. For cybercriminals intent on skinning our 500 million sheep, April 8, 2014 is D-Day.

By abandoning XP on April 8, 2014, Microsoft will cease being a good shepherd of its most loyal customers. Microsoft is just leaving them out there, exposed, and unprotected. On April 8, 2014, those millions of remaining XP users will be like lambs being led to the slaughter. To paraphrase Jeremiah 11:19, they do not know that plots have been devised against them.

Can I get a “Hallelujah!” I said, Can I get a “Hallelujah!”

OK, my turn at the pulpit. Spoiler alert: I don't plan to cite chapter and verse.

First of all, this should not be a surprise to anyone. If you use Windows XP, you are not sheep, you are a paying customer. You got one of the best deals ever, because Microsoft has been running this route, the XP local, for more than a decade. No one is being left at the station. This train has had a “going out of service” sign on it for two years.

The support lifecycle is a contract between Microsoft and its customers, one that’s been clearly described for many years. It is ridiculous to think that a software company should support a product indefinitely. That’s economically silly and technically unsustainable. In early 2014, Microsoft will be delivering security patches for five—count ’em, five—major releases of its operating system that are still in mainstream or extended support.

Perhaps that is why Microsoft’s reliability record with patches has been getting a bit dicey lately.

If you thought you were getting a lifetime guarantee, you weren’t paying attention. XP’s end-of-support date was actually already extended once.

And how many other computing products from that era are still supported? Seriously, when April rolls around, it will have been more than seven years since Windows XP was a current product from Microsoft. XP was officially replaced in November 2006. To put that in perspective, here’s what the world looked like then:

  • Google Chrome did not exist.
  • Gmail was in beta.
  • The first generation of Macs using Intel chips had just appeared.
  • The operating system on those Macs was OS X Tiger.
  • The iPad was science fiction.
  • Twitter had been in existence for a few months.
  • Facebook had opened to the public two months earlier.
  • Robert Scoble had been a Microsoft evangelist just a few months earlier.
  • Firefox version 2 was only a few weeks old.
  • The iPhone was only a rumor.
  • Android was not yet in beta.
  • Nokia and BlackBerry were duking it out for the top two spots in the smartphone market.
  • Steve Jobs was alive.

And at that time, Windows XP was already five years old, a senior citizen in software terms.

Windows XP is a relic from another era. No one expects modern software to be supported for 10 years or five years or, in many cases, for even a year. Web services like Facebook and Google roll out big changes every month. Apple drops support for releases that are less than four years old. By modern standards, that's generous. Ten years? That's insane.

When it reaches its end of life in April 2014, Windows XP will have been officially supported for more than 12 years. It deserves retirement.

Microsoft says 13 percent of the PCs in use next April will still be running Windows XP. It’s logical that the decline in usage will steepen as procrastinators realize that, oh crap, yes they have to do something about this. That means come Q2 next year, roughly 150-190 million PCs will be running XP. That's still a big number, but far less than the 500 million number that has the Reverend Gewirtz so alarmed.

So who will those laggards be? I think they can neatly be divided into three groups:

The largest group is businesses that have mission-critical apps that run on Windows XP and can’t easily be upgraded. My dentist still has one of those apps. That PC can be locked down pretty hard, and the fact that it’s not connected to the Internet means it’s not really at risk. In big enterprises that have IT staffs and IT budgets, there are ways to virtualize those apps so they run in a session on a PC running a modern operating system, usually Windows 7. Those are the best available options. For small businesses stuck with old apps, upgrades are almost always available. If not, disconnect from the Internet.

The next largest group is cheap consumers who have an old PC that’s still running but is too underpowered to upgrade. Even if we concede these are all senior citizens and Microsoft takes David’s suggestion to give them all free Windows 8 upgrades, this bunch won’t be able to do it. An old Pentium 4 with 512 MB of RAM isn’t eligible to upgrade.

And then there are the clueless, the ones who just don’t know any better, the “lambs being led to the slaughter.” I’m afraid that bunch was mostly pwned long ago. After all, they don’t have up-to-date antivirus software, they didn’t update Java or Flash for years, and they’ll click just about anything if it has naked pictures embedded or dollar signs attached.

And oh, by the way, the security software industry isn't abandoning XP. For XP diehards who keep their security software up to date, it should be easy enough to avoid all but the most sophisticated targeted attacks.

The idea that crafty cybercriminals are just itching to exploit zero-day vulnerabilities is a common myth. The reality is that most computers are pwned using exploits that would have been blocked by even a casual patching policy. Most successful exploits target vulnerabilities that were patched years earlier. Zero-day exploits are for spy novels (and actual spies). People who can't be bothered to update their antivirus software or turn on automatic updates are going to be victims, even if you convince them to wake up for a day or two and upgrade their operating system.

In short, when April 2014 rolls around, most of those who are still running Windows XP are doing it either in full knowledge of the consequences or in absolute disregard for the risks. There's no middle ground. And neither group is likely to change just because someone offers them some free or cheap software.

I’d love to see Windows XP die with dignity. But I expect to see it hanging on in airport and hospital signage and point-of-sale apps and on netbooks for at least a few more years before sightings of XP in the wild become truly rare.

Let it go, people. Let it go.

Topics: Windows, Microsoft, Security
  • Said it before, and I'll say it again...

    ... XP users deserve nothing. Nada. No service pack rollup, no patches, nothing. Users who stubbornly held on this long have no one to blame but themselves if things go wrong. Microsoft has been more than generous in helping people off the ancient OS, and if you haven't bothered with the previous deals by now, offering new ones won't help.

    Good riddance. Here's to the future of Windows, and not the past.
    The one and only, Cylon Centurion
    • The one and only, Cylon Centurion......Please, let's NOT LET Windows XP die

      like The one and only, Cylon Centurion want to happen.

      He doesn't care about the 500 million users that still FAVOR W-XP over all the dribble that Microsoft keeps pushing out every three years as the next latest and greatest.

      Microsoft is only interested in the 85 BILLION Dollar windfall when they KILL off W-XP next April.

      GREED is the word that motivates Microsoft to kill off W-XP, and don't be fooled by any babble coming out of Redmond to the contrary.

      Like "The one and only, Cylon Centurion" says, Good riddance. the future of Windows is a Metro UI that everyone loves in Windows 8................BOY Windows 8 sure is a hoot.................its so bad that Microsoft is giving a FREE upgrade to Windows 8.1.................ask yourself this.......when was the last time Microsoft gave anything to anyone?...............answer NEVER.
      Over and Out
      • XP SP2

        XP SP2 was an upgrade to XP that is analogous to the Win 8 to 8.1 upgrade. And they gave it away for free, when, as many commentators have pointed out, it was actually a big enough change to be a major new retail release.

        Ed makes some very good points in his article. XP won't hang around much longer, there will only be the diehards and those idiots who fell for the anti-Vista hype.

        It's possible to get Windows 7 discs from places like Amazon still - and it's insanely good, and familiar to XP users in operation - certainly not the new learning curve presented by the 8/8.1 software.
        • Yeah, and so?

          ...and in a couple of years, this story will be about Windows 7. Microsoft wants to push everybody to spend hundreds of dollars every three years to buy another new version. I can't speak for the pointy-heads, but for the rest of us regular people, we don't need it. I can edit video, gigantic image files, and record and edit audio. I can download anything and add enough storage to store whatever I want. I can rip Blu-ray, DVD, and CD. Why in bujeezus do I need a new OS every 3 years? Why doesn't Microsoft understand that if they're going to MAKE me learn a new OS, it just might not be theirs I bother with?
          • Windows 7 Extended Support ends 1/14/2020

            Just FYI. That will be 10 years, their (ridiculous) standard policy, far longer than anyone else.
          • Then don't upgrade?

            Just don't expect support past next year. The OS isn't going to cease working.
            The one and only, Cylon Centurion
          • Time to upgrade to Linux

            And leave the backdoors to the NSA behind you.

            Spoiler: It's free!
          • Think Linux really stops the NSA?

            Think again.
            The one and only, Cylon Centurion
          • Linux and the NSA

            The Linux kernel is the only common attack point between distros. If the NSA cannot put a backdoor into the kernel it would be harder to hit all Linux users (different GUIs, tools, and configurations, etc.). Note: not impossible.

            Also, the NSA appears to be more interested in crippling cryptography and traffic analysis. Both are OS independent activities. The focus on backdoors, which I suspect are rarely used, keeps people from focusing on crippled cryptography and the capture of all (or the vast majority) of traffic.
          • Linus Torvalds is not a US Citizen and therefore ...

            ... he cannot be compelled to put a "back door" in the Linux kernel. Whether or not he has (or will) is an entirely different question.

            This can be said of any OS vendor, though.

            The NSA could, of course, build a virus that inserts itself into Linux code and creates such a backdoor in the Linux kernel. If anyone has that capability, they do - and that would be a lot easier, I am sure, than convincing Linus to do it for them.
            M Wagner
          • A Trojan Root Certificate

            Seems like a good way to go... Just sayin'
          • Re: This can be said of any OS vendor, though.

            Nope. Linux and any other Open Source UNIX (or non-UNIX) OS can have its source code examined by everyone. There is no way the NSA puts backdoors there, because they will be caught. There is only one thing spooks fear and that is being exposed.

            Funny enough, even Apple's OS is open source (Darwin/XNU), so it too gets a good deal of peer review.

            That leaves Microsoft in the cold.

            PS: A Trojan Root Certificate

            That certainly does not affect the OS. It might affect a browser in that it would treat a malicious site as legitimate. This however has nothing to do with root certificates. It is an inherent flaw in SSL's current PKI. There is an Internet technology, known as DANE, which together with DNSSEC fixes this ... and in the process destroys the business of the commercial CAs... so we might see some battle here (it was already removed from Google's Chrome).
          • Many eyes is a myth..

            See the obfuscated C contest for why: with those you KNOW there is malware and it's nearly impossible to spot by anyone who isn't a programming genius. Just because something CAN be done does NOT mean it HAS been done. By that logic, since there could be werewolves there are werewolves, but I don't think I need to carry silver bullets with me, do you?

            For "many eyes" to work you'd have to have 1.- People with enough years in security, encryption, and software analysis do a software audit on ALL the code, 2.- Those people would have to do an audit on ALL changes and see how it interacts with other software, 3.- they would have to have the technical skill to chart hundreds of subsystem interactions between the software and OS and be able to spot anomalies.

            Show of hands, how many here have done a code audit of Firefox? Libre Office? Chromium? Thought so. "Many eyes" assumes that just because the code is there the work will magically be done by SOMEBODY, while ignoring that there is zero evidence that the majority of Linux code has been looked at by any but the ones maintaining it.
            PC builder
          • Re: because something CAN be done does NOT mean it HAS been done

            You obviously have no idea how the NSA (and friends) work. They do not care if you audit your code or not. All they care about is that no trace leads back to them. Still pretending open source is no problem for the NSA?

            As for obfuscated C contests... I have been a winner in a few of these, so what is your point? The prize is not that you cannot trick them, but how "elegantly" you did it... Boring!
          • Indeed.

            I find this time and again - the phoney sense of security that open source code seems to engender, yet when you ask questions, nobody seems particularly familiar with the code. It's just a collective yet nonspecific warm fuzzy feeling.

            God knows what sort of subtleties professional state-sponsored outfits could slip past the neckbeards whilst they're arranged in a circle pleasuring each other.

            No? Ask the folks at NIST. I imagine they were quite cocky until recently.
            Flawless Cowboy
          • read Ken Thompson's Turing Award lecture

            He shows how it's possible to put anything into compiled code as long as the original compiler used adds it.
          • Yes...

            ...and Wikipedia's information is always, 100% correct because it is open source.
            Ehsan Irani
          • Really

            Seriously, you think any OS will stop the NSA? I certainly do not think any OS is immune. They have more computing power than any other organization on the planet, more bandwidth, and more highly skilled folks figuring how to crack everything. Believing your free operating system is immune is the equivalent of sticking your head in the sand and saying that you are safe because you cannot see danger approach.
          • None of you understand Open source

            If there was a backdoor in Linux then the Open source community would have found it and released a patch, or they would have released an unofficial patch for it. It's that simple (assuming that the NSA is forcing them to put in a backdoor).
            That is the beauty of open source: the source is made available, so if anyone tries to inject anything it will quickly be found by the community.
          • You don't get it.

            The NSA hypothetically works at the network level, not at the OS level. So Linux / OSS is nothing close to being immune.