Some twelve-and-a-half years after Windows XP first went on sale, Microsoft is turning off support for the operating system. From 8 April there'll be no further free updates or security patches.
There's nothing new about software reaching the end of its commercial life. But the trouble with Windows XP is that it's still reckoned to run between a quarter and a third of the world's desktops.
The sheer scale of XP's legacy means many organisations and individuals now find themselves in the same boat, perhaps because of the difficulty of migrating certain apps, the cost, or simple inertia.
Given that XP users have already shrugged off the arrival of Vista, Windows 7 and Windows 8 without shifting operating system, they may think their first option is just to stay put. After all, Microsoft has had more than 12 years to patch the OS, so surely most vulnerabilities will have been found by now?
"I'm not a believer that you're not going to see anything else," said James Lyne, global head of security research at Sophos. "There's been a healthy supply of [vulnerabilities] for many years now. It would be a turn-up for the books if all of a sudden that ceased to be a problem and the operating system magically became secure," added Lyne.
In fact, criminals may have been stashing away exploits to use once Microsoft has departed the scene, leaving the OS open to unpublished lines of attack, according to Gartner Research vice-president and research director Michael Silver.
"There's certainly a possibility of some vulnerabilities that were already known that haven't been exploited yet. From 8 April or 9 April you could see a number of attacks that people have been holding back," he said.
This pattern of behaviour has certainly been seen before, Sophos' James Lyne points out.
"For example, I remember with Mozilla Firefox — back in the days before Firefox would just update to the latest versions — we would see cybercriminals specifically targeting the versions that were no longer updated," Lyne said.
"They knew a significant number of people would still be running them. So in microcosm — it's a small example by comparison — that behaviour has been seen, but this is going to be somewhat of a first in terms of such widespread use of a platform."
A more sophisticated threat landscape
That high level of continued XP use will certainly attract the attention of criminals, but Gartner's Michael Silver believes that changes to the nature of security threats will compound the problem.
"Whether this is the most machines or not really doesn't matter. The seriousness of the issue is going to be way higher because of the threat environment that we have today," he said.
"It's broader and more targeted — there's just a lot more going on. If you look back at when Windows 2000 support ended — that would be the last time this happened with this magnitude and that was in 2010.
"In 2010 there certainly weren't as many devices running Windows 2000. You might even have to go back to Windows 95 or something like that. The threats then were more to create a nuisance rather than targeted at certain people, or organisations or monetary goals."
The issue is the threats are more sophisticated, yet XP dates from an earlier generation of technology, according to Sophos' James Lyne.
"Undoubtedly these XP devices already represent a significantly higher risk from a security standpoint than more modern operating systems like Windows 7 and Windows 8," he said.
"That's already the case and will only become exponentially more so over time past when Microsoft stops maintaining it."
As Microsoft Trustworthy Computing director Tim Rains pointed out last August, the company's own security updates for supported operating systems such as Windows 7 and Windows 8 involuntarily provide attackers with intelligence about flaws in older operating systems.
Criminals can reverse-engineer patches for supported operating systems issued by Microsoft and apply the vulnerabilities they uncover to no-longer-updated Windows XP devices.
Reverse-engineering a patch can be an incredibly helpful indicator of how to go about writing an exploit for an unannounced vulnerability, according to Sophos' James Lyne.
"While security researchers are going to move to the new platforms and Microsoft will be focusing on patching the new stuff, their work in those spaces is likely to reveal flaws in the no longer patched and maintained Windows XP," Lyne said.
Lyne also stresses that although Windows XP and, say, Windows 7 are very different operating systems in terms of security, they still share a massive code base.
"Looking at, for example, lots of the common libraries and DLLs that you call when writing applications, just from my experience producing some of this stuff, there is a lot of commonality between the platforms — and indeed there must be to maintain backwards-compatibility. So it's somewhat by design."
Lock down your XP machines
So what can organisations do in the short period remaining before Windows XP's end of life?
Even last April, when there was still one year of support to go, Ovum principal analyst Roy Illsley argued that insufficient time remained for substantial migrations using traditional methods, which — depending on size — he reckoned can take anything from two to three years.
Certainly, the experience of budget airline easyJet supports that estimate. It started migrating an estate of 2,500 laptops and desktops from XP to Windows 7 in 2010 and completed the project last year.
Sophos' James Lyne believes one of the key measures that companies running Windows XP in some form should still undertake is to work out the extent of the problem by surveying the IT estate.
"A lot of organisations will have these devices here there and everywhere, hidden in corners, connected to projectors in meeting rooms — you name it, these desktops have got around. Discovering them is the key to being able to manage and assess that risk," he said.
At this late stage it is important for businesses to focus on measures that are not only effective, but also relatively cheap and easily accomplished, such as limiting XP use to approved applications, according to Gartner's Michael Silver.
"Whitelisting software in a lot of cases is actually included in a lot of organisations' anti-malware suites but most probably aren't using it," Silver said.
"In a typical environment it's hard to understand what everyone needs to run, and you don't want to affect their jobs. But when security starts becoming an issue, the organisation may have a bit more clout to be able to implement that sort of thing," he said.
Measures that Silver classes as simple but effective include ensuring anti-malware software will continue to be supported under Windows XP, switching the browser to a supported one, locking down the workstation — and taking away admin rights if users have them.
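One way to start the estate survey Lyne describes above is to mine web proxy logs for clients that still identify as Windows XP. The Python below is an added example, not from the article or anyone quoted in it; the log layout, addresses and log lines are constructed, and it relies on the `Windows NT 5.1` / `Windows NT 5.2` and `MSIE 6.0` User-Agent tokens sent by XP-era systems and Internet Explorer 6.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined-log style; addresses and URLs are made up.
SAMPLE_LOG = """\
10.0.4.17 - - [07/Apr/2014:09:12:01 +0000] "GET http://intranet.example/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.4.17 - - [07/Apr/2014:09:12:09 +0000] "GET http://intranet.example/a.css HTTP/1.1" 200 90 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.9.3 - - [07/Apr/2014:09:13:40 +0000] "GET http://example.org/ HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
10.0.7.50 - - [07/Apr/2014:09:14:02 +0000] "GET http://example.org/ HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.2.88 - - [07/Apr/2014:09:15:30 +0000] "GET http://example.org/ HTTP/1.1" 200 100 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
malformed line without any quoted fields
"""

# Client address is the first field; the User-Agent is the last quoted field.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
# NT version tokens that map to operating systems from the XP generation.
LEGACY_NT = {"5.1": "Windows XP", "5.2": "Windows XP x64 / Server 2003"}


def find_legacy_hosts(lines):
    """Return {client_ip: {"os": set, "ie6": bool, "requests": int}} for XP-era clients."""
    hosts = defaultdict(lambda: {"os": set(), "ie6": False, "requests": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the survey
        nt = NT_RE.search(m["ua"])
        if not nt or nt.group(1) not in LEGACY_NT:
            continue  # supported or non-Windows client
        host = hosts[m["ip"]]
        host["os"].add(LEGACY_NT[nt.group(1)])
        host["ie6"] = host["ie6"] or "MSIE 6." in m["ua"]
        host["requests"] += 1
    return dict(hosts)


def triage(hosts):
    """Order hosts for follow-up: IE6 users first, then by request volume."""
    return sorted(hosts, key=lambda ip: (not hosts[ip]["ie6"], -hosts[ip]["requests"], ip))


if __name__ == "__main__":
    found = find_legacy_hosts(SAMPLE_LOG.splitlines())
    for ip in triage(found):
        info = found[ip]
        flag = " [IE6]" if info["ie6"] else ""
        print(f"{ip}: {', '.join(sorted(info['os']))}, {info['requests']} requests{flag}")
```

Devices that never browse through the proxy, and clients that alter their User-Agent, will not appear, so the output is a starting list to validate rather than a complete inventory.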
The browser issue
Given figures suggesting just under five percent of desktops worldwide are still running Internet Explorer 6 — potentially representing a significant number of XP desktops — the browser issue remains a priority area.
"With the browser and email being the two predominant vectors where security issues are going to come through, limiting the use of that sort of thing and using a supported browser where the vendor is watching for security issues and trying to repair them is certainly a good thing," Silver said.
"So take away the browser as much as possible, don't do email on the machine as much as possible, restrict the machine to running only specific software that you know is compatible and safe," Silver advised.
"You could also have the machine reimage itself every time it boots so that it goes back to the last known good clean image. Schools do that all the time. For an organisation, that's a bit harder," he added.
Having XP clients actively browsing the internet on outdated browsers is a recipe for disaster, Sophos' James Lyne says.
"The exploits that are already in these older browsers are fairly hideous. You're talking about connecting a system that you could effectively sneeze on and get backdoor access," he said.
"So I would definitely be particularly cautious of the likes of internet-connected XP systems where it's going to be very difficult to control the risks."
If not migration, what?
Assuming that the best option — migration away from XP — is not viable in the short term, Lyne says that limiting the role of the devices in question is the next best thing.
"I'd be looking at ways to isolate those devices and minimise the risk of them getting infected in the first place or passing that infection on to others," he said.
Lyne suggests a focus on, for example, heightened network security, and filtering the traffic going to and from XP devices more aggressively, along with a more rigorous monitoring and incident-handling policy on those platforms.
"It's all about building enclaves. You want to put these systems of higher risk into isolated network zones and use network security and firewall technology to do heightened inspection on those devices," he said.
Putting XP applications on separate networks is a popular, short-term approach to the migration problem, according to Gartner's Michael Silver.
"You could be moving applications to supported versions of servers and running them remotely, trying to turn whatever machines are in the users' hands into really thin clients so that they can't get infected or that if they do they are really easy to switch out and clean," he said.
"Windows Server 2003 is supported until July 2015. So if you're looking at a server version that's similar to XP, that would be the release.
"Looking to try to run applications on Terminal Services for an application that requires Windows XP, Server 2003 may be the way to go and it does buy you 15 months. Of course, it only buys you 15 months but it certainly could be a decent short-term fallback."
Last year, Ovum principal analyst Roy Illsley said many of those organisations that have still to make the move from XP would look to desktop virtualisation for a solution.
"If they do a desktop virtualisation-type approach, whether they go fully desktop-virtualised or whatever, they can still get some useful tools to help get over 80 to 90 percent of the problem," he said.
Gartner's Michael Silver is wary of the idea that cloud-based productivity suites, such as Office 365, could provide a short-term answer to XP problems.
"Switching to a cloud-based Office product is not a trivial sort of thing. There are a lot of things that won't work. Certain users may be able to use it, other users may not. That project really requires a year, a year and a half, of investigation and testing before you would implement it," he said.
"For an organisation that's trying to scramble and do things quickly, probably if they're trying to do Windows XP and Office at the same time and they are so far behind, I would probably try and get them not to do the Office product and save that for a little bit later because you can do that remotely and the risk is a bit lower.
"But if people were to make a decision in haste and try to move to something really quickly, that just has disaster, loss of compatibility, loss of productivity written all over it."
Custom support: a costly option
For large organisations with legacy XP systems, Microsoft's Custom Support represents another option — albeit a costly one, according to Silver.
"If I had $200 per PC to pay for Custom Support, I'd probably be better off upgrading my existing machines. But even at that price they'll still go for Custom Support because it's the easier short-term way out," he said.
"If you have one machine, it's not like it's going to cost you $200. It's going to cost a lot more because there's a minimum payment. Organisations have told us about a ceiling but typically the list pricing has been $200 for the first 12 months, $500 for the second 12 months, and $1,000 for the third 12 months.
"Certainly Microsoft uses that as a bit of a stick to try to get organisations to move rather than sign up."
Silver thinks third-party support, such as that offered by Arkoon, is in surprisingly short supply, especially given the scale of the XP user base.
"I'm surprised that there aren't any other folks out there that are targeting that because it's going to be a fairly big market — although the window of opportunity is probably pretty small," he said.
"We may be in the 20 percent range on 8 April in terms of PCs running Windows XP but probably down to the mid-single digits by the end of the year."
Other companies have set out Windows XP support plans for their products. For example, Google has announced its Chrome browser will support Windows XP until at least April 2015.
Antivirus is not the answer
There will be an extended market for XP in terms of security research and mitigation, Sophos' James Lyne says, which includes antivirus software. However, it would be unwise to rely on antivirus as the answer to Microsoft's end of support.
"Certainly, antivirus is going to help. It can still detect lots of threats on their way into the platform. It's still going to pick up a lot of malicious code," he said.
"Unfortunately, when you have a platform like Windows XP, if a new zero day — although technically it's going to be an infinite zero day — enables exploitation at the system level of the device, that exploit would get in underneath the antivirus before the AV gets the chance to scan it."
Staff working from home on their own Windows XP devices may also constitute a further security issue, according to Lyne.
"Any good security manager these days needs to recognise that people's home devices are an extension of their infrastructure," he said.
"People will use corporate services, data and social media on their home systems and potentially they will be a backdoor into that corporate environment."
Lyne says in many cases those machines may be granted a level of access, for example, via a VPN.
"They probably browse around the internet on that system with a nice, no-longer patched and updated browser, get infected, connect to the VPN and provide the attackers with back-door access to the corporate network. That's a very realistic attack vector," he said.
"Even if those systems aren't connected to the company network via a VPN, they still pose a risk — given that a lot of people tend to take work home to work on those systems.
"So even if there's no direct connection between them, they may potentially put company data, credentials or intellectual property at risk on their employee systems."
Lyne said people tend to think about the core part of a network and the desktops that they may have deployed themselves.
"But people's systems that they brought in on a bring-your-own-computer or bring-your-own-device basis, people's home-use systems — the broader environment — I've seen very few considering that stuff yet," he said.
What about XP Embedded?
That broader environment also includes XP devices that may well fall outside an IT department's normal ambit because they are running the lightweight, embedded version of the operating system or one that has been customised for a specific purpose.
Although Microsoft support for Windows XP Embedded continues until 12 January 2016, many of the dedicated devices that people assume are running it may actually be using modified versions of the desktop OS.
Lyne says over the years he has seen all kinds of "really scary stuff", including ATMs running heavily customised Windows XP throughout bank networks; medical devices for measuring and controlling people's heart rates; and building management systems that control people striking in or out of offices, whether the doors are open or closed and whether the fire alarm goes off.
"This stuff has casually wound itself into so many different parts of our infrastructure. The problem is everybody forgets about things like the building management system or XYZ black box. They see it as black box that performs a function rather than something running Windows XP."
Even many modern printers and scanners run versions of Windows XP in enterprises.
"They'll be sitting plugged into the network, running a no-longer-maintained, vulnerable operating system with the hope that the printer manufacturer locked it down enough that it's never going to be a problem," Lyne said.
Many of these devices run a base XP that has never been patched because it has relied on being locked down and inaccessible.
"For some of the systems in that configuration — certainly not all of them — this April date doesn't make it any worse, other than it may flare the interest of attackers and get them to focus on trying to attack this platform a little more than they previously would have done," Lyne said.
"If I were a security manager for an organisation, I'd be running around frantically looking at my printers, my faxes, my scanners, my building-management system — all those black-box devices that normally no one thinks about. I wouldn't assume anything and I'd be validating each and every one of them."
Compatibility and performance
Along with the security implications of hardware such as printers and copiers comes the question of their continued compatibility with unsupported XP machines.
Compatibility has already been a problem for the best part of a year or even more, according to Gartner's Michael Silver.
"Most newer hardware does not support Windows XP. You're not going to get a full set of drivers," he said.
"So, if you're still — God forbid — bringing Windows XP on your machines, you not only have all the legacy stuff that you haven't addressed but you're actually increasing the amount of your problem."
In many cases, the performance and productivity of XP is a major issue today, Silver says.
"In 2001, when Windows XP shipped it actually ran fairly well on a 256MB machine. Today, a 1GB or 2GB machine sometimes can take 10 minutes to boot. Some of that could be Windows rot — the machine probably is due for a reimage anyway because there's lots of junk on it," he said.
"This [performance issue] actually hurts Microsoft to a large degree because there are a lot of folks who may not have bought a Windows PC in a long time and think that's the state of the art. Windows 7 and certainly Windows 8 on a good image should boot a lot more quickly."
Regulation and compliance
Running an operating system that is no longer supported can also raise serious issues relating to regulation and compliance.
"It may just be an IT security rule that, 'Thou shalt run supported software'. If software is not supported, if there are not security fixes that I'm getting on it, how do I know that it's secure, how do I know it's not leaking sensitive information because I don't know what the vulnerabilities are or if they're being exploited," he said.
"The question is when it comes to regulation and compliance, things are sometimes subjective based on the decisions of an auditor. So certain auditors might be tuned into this, others might not. But it's certainly something to worry about."
Silver argues that running an unsupported version of an operating system, especially if you are in some sort of industry that has regulation, can be really dangerous.
"There are a lot of organisations that really haven't taken this all that seriously and hopefully they won't get hurt too badly by it."