Windows XP: What to expect once Microsoft shuts down support

Summary: Even though the world won't end because of Microsoft's withdrawal of support for Windows XP, those left clinging to the OS after April's deadline still face a number of issues.


Some twelve-and-a-half years after Windows XP first went on sale, Microsoft is turning off support for the operating system. From 8 April there'll be no further free updates or security patches.

There's nothing new about software reaching the end of its commercial life. But the trouble with Windows XP is that it's still reckoned to run between a quarter and a third of the world's desktops.

The sheer scale of XP's legacy means many organisations and individuals now find themselves in the same boat, perhaps because of the difficulty of migrating certain apps, the cost, or simple inertia.

Given that XP users have already shrugged off the arrival of Vista, Windows 7 and Windows 8 without shifting operating system, they may think their first option is just to stay put. After all, Microsoft has had more than 12 years to patch the OS, so surely most vulnerabilities will have been found by now?

"I'm not a believer that you're not going to see anything else," said James Lyne, global head of security research at Sophos. "There's been a healthy supply of [vulnerabilities] for many years now. It would be a turn-up for the books if all of a sudden that ceased to be a problem and the operating system magically became secure," added Lyne.

In fact, criminals may have been stashing away exploits to use once Microsoft has departed the scene, leaving the OS open to unpublished lines of attack, according to Gartner Research vice-president and research director Michael Silver.

"There's certainly a possibility of some vulnerabilities that were already known that haven't been exploited yet. From 8 April or 9 April you could see a number of attacks that people have been holding back," he said.

This pattern of behaviour has certainly been seen before, Sophos' James Lyne points out.

"For example, I remember with Mozilla Firefox — back in the days before Firefox would just update to the latest versions — we would see cybercriminals specifically targeting the versions that were no longer updated," Lyne said.

"They knew a significant number of people would still be running them. So in microcosm — it's a small example by comparison — that behaviour has been seen, but this is going to be somewhat of a first in terms of such widespread use of a platform."

A more sophisticated threat landscape

That high level of continued XP use will certainly attract the attention of criminals, but Gartner's Michael Silver believes that changes to the nature of security threats will compound the problem.

"Whether this is the most machines or not really doesn't matter. The seriousness of the issue is going to be way higher because of the threat environment that we have today," he said.

"It's broader and more targeted — there's just a lot more going on. If you look back at when Windows 2000 support ended — that would be the last time this happened with this magnitude and that was in 2010.

"In 2010 there certainly weren't as many devices running Windows 2000. You might even have to go back to Windows 95 or something like that. The threats then were more to create a nuisance rather than targeted at certain people, or organisations or monetary goals."

The issue is the threats are more sophisticated, yet XP dates from an earlier generation of technology, according to Sophos' James Lyne.

"Undoubtedly these XP devices already represent a significantly higher risk from a security standpoint than more modern operating systems like Windows 7 and Windows 8," he said.

"That's already the case and will only become exponentially more so over time past when Microsoft stops maintaining it."

As Microsoft Trustworthy Computing director Tim Rains pointed out last August, the company's own security updates for supported operating systems such as Windows 7 and Windows 8 involuntarily provide attackers with intelligence about flaws in older operating systems.

Criminals can reverse-engineer patches for supported operating systems issued by Microsoft and apply the vulnerabilities they uncover to no-longer-updated Windows XP devices.

Reverse-engineering a patch can be an incredibly helpful indicator of how to go about writing an exploit for an unannounced vulnerability, according to Sophos' James Lyne.

"While security researchers are going to move to the new platforms and Microsoft will be focusing on patching the new stuff, their work in those spaces is likely to reveal flaws in the no longer patched and maintained Windows XP," Lyne said.

Lyne also stresses that although Windows XP and, say, Windows 7 are very different operating systems in terms of security, they still share a massive code base.

"Looking at, for example, lots of the common libraries and DLLs that you call when writing applications, just from my experience producing some of this stuff, there is a lot of commonality between the platforms — and indeed there must be to maintain backwards-compatibility. So it's somewhat by design."

Lock down your XP machines

So what can organisations do in the short period remaining before Windows XP's end of life?

Even last April, when there was still one year of support to go, Ovum principal analyst Roy Illsley argued that insufficient time remained for substantial migrations using traditional methods, which — depending on size — he reckoned can take anything from two to three years.

Certainly, the experience of budget airline easyJet supports that estimate. It started migrating an estate of 2,500 laptops and desktops from XP to Windows 7 in 2010 and completed the project last year.

Sophos' James Lyne believes one of the key measures that companies running Windows XP in some form should still undertake is to work out the extent of the problem by surveying the IT estate.

"A lot of organisations will have these devices here, there and everywhere, hidden in corners, connected to projectors in meeting rooms — you name it, these desktops have got around. Discovering them is the key to being able to manage and assess that risk," he said.

At this late stage it is important for businesses to focus on measures that are not only effective, but also relatively cheap and easily accomplished, such as limiting XP use to approved applications, according to Gartner's Michael Silver.

"Whitelisting software in a lot of cases is actually included in a lot of organisations' anti-malware suites but most probably aren't using it," Silver said.

"In a typical environment it's hard to understand what everyone needs to run, and you don't want to affect their jobs. But when security starts becoming an issue, the organisation may have a bit more clout to be able to implement that sort of thing," he said.

Measures that Silver classes as simple but effective include ensuring anti-malware software will continue to be supported under Windows XP, switching the browser to a supported one, locking down the workstation — and taking away admin rights if users have them.
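As an added example (not from the article or any vendor tool), the following Python script applies the advice above to a constructed asset inventory: it classifies each record by OS family, reports whether support has ended or how long remains using the end-of-support dates quoted in this article, and ranks internet-connected XP desktops, appliances running desktop XP rather than XP Embedded, and machines whose users keep admin rights. The NT version mapping and the 14 July day for Server 2003 are background facts the article does not state.

```python
"""Triage an asset inventory for XP-family systems against the end-of-support dates
quoted in the article.  Added example with a constructed inventory; the NT version
mapping (5.1 = XP, 5.2 = Server 2003 / XP x64, 6.x = Vista+) is general knowledge."""
from dataclasses import dataclass
from datetime import date

# The article gives 8 April 2014 for XP, "July 2015" for Server 2003
# (Microsoft's published date is 14 July 2015) and 12 January 2016 for XP Embedded.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows XP x64": date(2014, 4, 8),
    "Windows XP Embedded": date(2016, 1, 12),
    "Windows Server 2003": date(2015, 7, 14),
}
# Roles the article calls "black boxes": appliances nobody remembers run Windows.
APPLIANCE_ROLES = {"printer", "scanner", "fax", "atm", "building-management", "medical"}
AS_OF = date(2014, 4, 9)  # the day after desktop XP support ended

@dataclass
class Asset:
    hostname: str
    os_caption: str     # e.g. "Microsoft Windows XP Professional"
    os_version: str     # NT build string, e.g. "5.1.2600"
    role: str           # "desktop", "server", "printer", ...
    internet_access: bool
    local_admin: bool   # interactive user holds admin rights

def os_family(asset):
    """Map OS caption plus NT major.minor version to a product family."""
    major, minor = (int(p) for p in asset.os_version.split(".")[:2])
    caption = asset.os_caption.lower()
    if (major, minor) == (5, 1):
        return "Windows XP Embedded" if "embedded" in caption else "Windows XP"
    if (major, minor) == (5, 2):
        return "Windows Server 2003" if "server" in caption else "Windows XP x64"
    return "Windows Vista or later" if major >= 6 else "Windows 2000 or earlier"

def support_status(asset, today):
    """'supported', 'unsupported', or 'ends in N days'."""
    family = os_family(asset)
    if family == "Windows Vista or later":
        return "supported"
    eos = END_OF_SUPPORT.get(family)  # None for Windows 2000 and earlier
    if eos is None or eos <= today:
        return "unsupported"
    return f"ends in {(eos - today).days} days"

def triage(asset, today):
    """Return (priority, reasons).  Ordering follows the article: internet-facing
    unsupported systems first, then unaudited appliances and admin users."""
    status, family = support_status(asset, today), os_family(asset)
    if status == "supported":
        return "none", []
    reasons = [f"{family} is out of support" if status == "unsupported" else f"{family} support {status}"]
    if asset.role in APPLIANCE_ROLES and family == "Windows XP":
        reasons.append("appliance runs desktop XP, not XP Embedded")  # the article's warning
    if asset.internet_access:
        reasons.append("internet access: browser and e-mail are the main vectors")
    if asset.local_admin:
        reasons.append("interactive user holds admin rights")
    if status != "unsupported":
        return "low", reasons  # still patched for now; plan the exit
    if asset.internet_access:
        return "critical", reasons
    return ("high" if asset.role in APPLIANCE_ROLES or asset.local_admin else "medium"), reasons

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    Asset("fin-ws-014", "Microsoft Windows XP Professional", "5.1.2600", "desktop", True, True),
    Asset("lobby-bms-01", "Microsoft Windows XP Professional", "5.1.2600", "building-management", False, False),
    Asset("mfp-floor3", "Windows XP Embedded", "5.1.2600", "printer", False, False),
    Asset("app-ts-02", "Microsoft Windows Server 2003 R2", "5.2.3790", "server", False, False),
    Asset("eng-ws-201", "Microsoft Windows 7 Enterprise", "6.1.7601", "desktop", True, False),
]

def triage_inventory(assets, today=AS_OF):
    """Triage every asset; rows are (hostname, family, priority, reasons), worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    rows = [(a.hostname, os_family(a), *triage(a, today)) for a in assets]
    return sorted(rows, key=lambda r: order[r[2]])
```

Feeding it a real export (Active Directory, an asset database or a network scan) in place of SAMPLE_INVENTORY gives the prioritised list the analysts describe: what to isolate first, and which appliances need their OS verified rather than assumed.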

The browser issue

Given figures suggesting just under five percent of desktops worldwide are still running Internet Explorer 6 — potentially representing a significant number of XP desktops — the browser issue remains a priority area.

"With the browser and email being the two predominant vectors where security issues are going to come through, limiting the use of that sort of thing and using a supported browser where the vendor is watching for security issues and trying to repair them is certainly a good thing," Silver said.

"So take away the browser as much as possible, don't do email on the machine as much as possible, restrict the machine to running only specific software that you know is compatible and safe," Silver advised.

"You could also have the machine reimage itself every time it boots so that it goes back to the last known good clean image. Schools do that all the time. For an organisation, that's a bit harder," he added.

Having XP clients actively browsing the internet on outdated browsers is a recipe for disaster, Sophos' James Lyne says.

"The exploits that are already in these older browsers are fairly hideous. You're talking about connecting a system that you could effectively sneeze on and get backdoor access," he said.

"So I would definitely be particularly cautious of the likes of internet-connected XP systems where it's going to be very difficult to control the risks."

If not migration, what?

Assuming that the best option — migration away from XP — is not viable in the short term, Lyne says that limiting the role of the devices in question is the next best thing.

"I'd be looking at ways to isolate those devices and minimise the risk of them getting infected in the first place or passing that infection on to others," he said.

Lyne suggests a focus on, for example, heightened network security, and filtering the traffic going to and from XP devices more aggressively, along with a more rigorous monitoring and incident-handling policy on those platforms.

"It's all about building enclaves. You want to put these systems of higher risk into isolated network zones and use network security and firewall technology to do heightened inspection on those devices," he said.

Putting XP applications on separate networks is a popular, short-term approach to the migration problem, according to Gartner's Michael Silver.

"You could be moving applications to supported versions of servers and running them remotely, trying to turn whatever machines are in the users' hands into really thin clients so that they can't get infected or that if they do they are really easy to switch out and clean," he said.

"Windows Server 2003 is supported until July 2015. So if you're looking at a server version that's similar to XP, that would be the release.

"Looking to try to run applications on Terminal Services for an application that requires Windows XP, Server 2003 may be the way to go and it does buy you 15 months. Of course, it only buys you 15 months but it certainly could be a decent short-term fallback."

Last year, Ovum principal analyst Roy Illsley said many of those organisations that have still to make the move from XP would look to desktop virtualisation for a solution.

"If they do a desktop virtualisation-type approach, whether they go fully desktop-virtualised or whatever, they can still get some useful tools to help get over 80 to 90 percent of the problem," he said.

Gartner's Michael Silver is wary of the idea that cloud-based productivity suites, such as Office 365, could provide a short-term answer to XP problems.

"Switching to a cloud-based Office product is not a trivial sort of thing. There are a lot of things that won't work. Certain users may be able to use it, others users may not. That project really requires a year, a year and a half, of investigation and testing before you would implement it," he said.

"For an organisation that's trying to scramble and do things quickly, probably if they're trying to do Windows XP and Office at the same time and they are so far behind, I would probably try and get them not to do the Office product and save that for a little bit later because you can do that remotely and the risk is a bit lower.

"But if people were to make a decision in haste and try to move to something really quickly, that just has disaster, loss of compatibility, loss of productivity written all over it."

Custom support: a costly option

For large organisations with legacy XP systems, Microsoft's Custom Support represents another option — albeit a costly one, according to Silver.

"If I had $200 per PC to pay for Custom Support, I'd probably be better off upgrading my existing machines. But even at that price they'll still go for Custom Support because it's the easier short-term way out," he said.

"If you have one machine, it's not like it's going to cost you $200. It's going to cost a lot more because there's a minimum payment. Organisations have told us about a ceiling but typically the list pricing has been $200 for the first 12 months, $500 for the second 12 months, and $1,000 for the third 12 months.

"Certainly Microsoft uses that as a bit of a stick to try to get organisations to move rather than sign up."

Arkoon is one of the few third-party companies offering extended support for Windows XP.

Silver thinks third-party support, such as that offered by Arkoon, is in surprisingly short supply, especially given the scale of the XP user base.

"I'm surprised that there aren't any other folks out there that are targeting that because it's going to be a fairly big market — although the window of opportunity is probably pretty small," he said.

"We may be in the 20 percent range on 8 April in terms of PCs running Windows XP but probably down to the mid-single digits by the end of the year."

Other companies have set out Windows XP support plans for their products. For example, Google has announced its Chrome browser will support Windows XP until at least April 2015.

Antivirus is not the answer

There will be an extended market for XP in terms of security research and mitigation, Sophos' James Lyne says, which includes antivirus software. However, it would be unwise to rely on antivirus as the answer to Microsoft's end of support.

"Certainly, antivirus is going to help. It can still detect lots of threats on their way into the platform. It's still going to pick up a lot of malicious code," he said.

"Unfortunately, when you have a platform like Windows XP, if a new zero day — although technically it's going to be an infinite zero day — enables exploitation at the system level of the device, that exploit would get in underneath the antivirus before the AV gets the chance to scan it."

Staff working from home on their own Windows XP devices may also constitute a further security issue, according to Lyne.

"Any good security manager these days needs to recognise that people's home devices are an extension of their infrastructure," he said.

"People will use corporate services, data and social media on their home systems and potentially they will be a backdoor into that corporate environment."

Lyne says in many cases those machines may be granted a level of access, for example, via a VPN.

"They probably browse around the internet on that system with a nice, no-longer patched and updated browser, get infected, connect to the VPN and provide the attackers with back-door access to the corporate network. That's a very realistic attack vector," he said.

"Even if those systems aren't connected to the company network via a VPN, they still pose a risk — given that a lot of people tend to take work home to work on those systems.

"So even if there's no direct connection between them, they may potentially put company data, credentials or intellectual property at risk on their employee systems."

Lyne said people tend to think about the core part of a network and the desktops that they may have deployed themselves.

"But people's systems that they brought in on a bring-your-own-computer or bring-your-own-device basis, people's home-use systems — the broader environment — I've seen very few considering that stuff yet," he said.

What about XP Embedded?

That broader environment also includes XP devices that may well fall outside an IT department's normal ambit because they are running the lightweight, embedded version of the operating system or one that has been customised for a specific purpose.

Although Microsoft support for Windows XP Embedded continues until 12 January 2016, many of the dedicated devices that people assume are running it may actually be using modified versions of the desktop OS.

Lyne says over the years he has seen all kinds of "really scary stuff", including ATMs running heavily customised Windows XP throughout bank networks; medical devices for measuring and controlling people's heart rates; and building management systems that control people striking in or out of offices, whether the doors are open or closed and whether the fire alarm goes off.

"This stuff has casually wound itself into so many different parts of our infrastructure. The problem is everybody forgets about things like the building management system or XYZ black box. They see it as a black box that performs a function rather than something running Windows XP."

Even many modern printers and scanners run versions of Windows XP in enterprises.

"They'll be sitting plugged into the network, running a no-longer-maintained, vulnerable operating system with the hope that the printer manufacturer locked it down enough that it's never going to be a problem," Lyne said.

Many of these devices run a base XP that has never been patched because it has relied on being locked down and inaccessible.

"For some of the systems in that configuration — certainly not all of them — this April date doesn't make it any worse, other than it may flare the interest of attackers and get them to focus on trying to attack this platform a little more than they previously would have done," Lyne said.

"If I were a security manager for an organisation, I'd be running around frantically looking at my printers, my faxes, my scanners, my building-management system — all those black-box devices that normally no one thinks about. I wouldn't assume anything and I'd be validating each and every one of them."

Compatibility and performance

Along with the security implications of hardware such as printers and copiers comes the question of their continued compatibility with unsupported XP machines.

Compatibility has already been a problem for the best part of a year or even more, according to Gartner's Michael Silver.

"Most newer hardware does not support Windows XP. You're not going to get a full set of drivers," he said.

"So, if you're still — God forbid — bringing Windows XP on your machines, you not only have all the legacy stuff that you haven't addressed but you're actually increasing the amount of your problem."

In many cases, the performance and productivity of XP is a major issue today, Silver says.

"In 2001, when Windows XP shipped it actually ran fairly well on a 256MB machine. Today, a 1GB or 2GB machine sometimes can take 10 minutes to boot. Some of that could be Windows rot — the machine probably is due for a reimage anyway because there's lots of junk on it," he said.

"This [performance issue] actually hurts Microsoft to a large degree because there are a lot of folks who may not have bought a Windows PC in a long time and think that's the state of the art. Windows 7 and certainly Windows 8 on a good image should boot a lot more quickly."

Regulation and compliance

Running an operating system that is no longer supported can also raise serious issues relating to regulation and compliance.

"It may just be an IT security rule that, 'Thou shalt run supported software'. If software is not supported, if there are not security fixes that I'm getting on it, how do I know that it's secure, how do I know it's not leaking sensitive information because I don't know what the vulnerabilities are or if they're being exploited," Silver said.

"The question is when it comes to regulation and compliance, things are sometimes subjective based on the decisions of an auditor. So certain auditors might be tuned into this, others might not. But it's certainly something to worry about."

Silver argues that running an unsupported version of an operating system, especially if you are in some sort of industry that has regulation, can be really dangerous.

"There are a lot of organisations that really haven't taken this all that seriously and hopefully they won't get hurt too badly by it."

  • MOVB (R1)+,R0

    The good news is, if you wait long enough, no one will bother to target your stuff anymore.

    General Electric nuclear power plant robots are still running code written for the PDP-11, and will be at least until 2050.
    Robert Hahn
    • PDP-11s were also relatively immune...

      Smaller code enforced better structure and didn't have the space to waste on sloppy coding.
  • White House is still on Windows XP and Office 2003

    If the Government itself is not upgrading, how do you expect the average enterprise to do the same? See the following link, this was Obama taking a picture catching a football in front of some Windows XP machines running Office 2003 just yesterday:
    • Well

      Now I guess they HAVE to upgrade then.
    • They can take a cue from the Navy, and replace Windows with Linux.

      The Navy uses Linux in their nuclear submarines.

      Anyway, those computers with Windows probably are just for casual convenience browsing. Any important hardware would have to be secured in a separate room.

      My family has been using Linux Mint on their laptops and the family workstation. There was never any need to train them.


      Using Firefox or Chrome on Linux isn't any different than Windows. Web applications work the same. Active-X isn't supported by Linux for security reasons, and I haven't seen it used for key web functions. Maybe it's there for gathering data, but when you use Linux on the web, especially with Ad Block Plus, it's very clean. No distractions.
      • Virtual Machines not working

        Joe, I have old legacy software on XP machines which I hoped to insulate by imaging them, then running as VMs on a Win7 machine for now, with strong interest in moving to Linux or equiv. for the future. Problem? None of the VHDs so far will open either under Windows' own Virtual Machine, or under VirtualBox. These may be OEM in origin, but no one has clearly explained how/why starting such a VM should be a problem, and if it is, I would expect it to be a problem under Linux etc. as well. Any useful suggestions, elaboration, or advice here?
        Computer LoQ
    • That is,

      if by "yesterday" you mean 2009.

  • Errrrr

    I've said it before, even with the extension given to Win XP [5 years or so ago] companies knew this "day" would come. So if they didn't plan beforehand it is their fault. If you know that Win 7 support dies in 2020, wouldn't you start making plans in [say] 2017 or 2018 if you were part of a large company or organization?
    • I agree

      People have had more than ample time to plan a roadmap off XP. Had it not been for Vista's flop, support would have ended long ago.
    • Not always so simple

      My office still has a few NT 4.0 boxes kicking around. They run specialized software for running lab equipment. The software upgrades cost several million dollars. So, we throw the old machines into a DMZ and they keep chugging along.

      So, yeah, XP on the average desktop at this point is really dumb. But XP at all? You know... it happens.
  • Criminals can reverse-engineer patches . . . . . .

    WinXP will provide the best of all malware protections available
  • Don't even think of upgrading to a newer OS. Simple, Simple fix available.

    And best of all you can stop using AV products.

    Just run XP or Win7 in a Linux shell using the virtual machine.

    Robolinux is free and has provided easy to use tools to run Windows inside of Linux, which (of course) is secure and doesn't get infected, even without using any external AV products. Use your existing product key and forget about expensive new Microsoft products.
    • I'm not interested in running Windows, but this seems the best way.

      "In this video you will see Robolinux successfully defeat two active morphing viruses." (Windows XP)
    • Sales pitch time I see

      I hear Robolinux wasn't close to what it was claimed to be.

      Even "Global George" has been working hard trying to convince people otherwise.
      • It's very impressive. I use it. It's fast and well thought out.

        I don't use Windows, but for someone who wants it, it has to be the absolute best way to give CPR to XP. In using XP in a VM, what Linux does or does not do really doesn't matter at all, it's transparent. Robolinux uses the 3.9 kernel, and the security is derived from the kernel.

        I pulled a friend's XP laptop hard drive and found 3,094 infections. Now this was a senior who didn't install, she just read emails and browsed. She used paid AV. I switched her over to Mint 16, set up a couple of icons and bookmarks and she loves it. See Screenshot below. ... I actually cleaned it with ClamAV but it didn't work. I think some of the system files may have been compromised.
      • Correction, I believe I installed Mint 15, not 16.

        I use Wine to run MicroStation SE, (Home Use) in Linux. It's an older CAD program and it works great. There's no delay, even with 3D models and rendering. I use a Acer 721-3070 11.6 netbook with small Bamboo digitizer and pen.

        I also use other utilities in Wine, like Agent Ransack.

        Kali Linux is a specialty OS set up for penetration testing, which includes OPH crack by default.

        I mostly use the VM for testing distros, including some Open Suse distros I make. But, there's never any thought given to security. It's not a problem. It would be interesting to see XP or 7 running in Robolinux (with no AV) using their custom configurations. Should be pretty easy to get going.
    • Ya. right.

      These Linux zealots said the same thing after Vista's and Win 8's "failure". They think it would be Linux's time to gain users but if you look at legitimate sites like NetMarketShare, Linux has barely gained much in market share over the last 10 years.
      • I haven't used AV in 14 years.

        You have to use it every day and you probably pay for it like a fool.
  • Forced to update/upgrade from Windows XP

    It's all about the money. If one quarter to one third of the world's desktops are running XP, as stated above, then upgrading would put a lot of money in Microsoft's pocket. Nothing more, nothing less.