Your perilous future on Windows XP

You've been getting warned for ages about the impending end of support for XP. Things are even worse than you've heard (especially if you run Internet Explorer). Expect a flood of new vulnerabilities and no help for them.
Written by Larry Seltzer, Contributor

An older relative (a really frugal but sharp guy in his 80s) once complained to me about the scam in the computer industry of pushing people to upgrade all the time. "Why" (I'm paraphrasing here) "should I upgrade a computer which does what I want it to do?"

We're coming up on one really good answer to his question. As Mary Jo Foley reported the other day, Microsoft is stepping up their warning campaign about users still running Windows XP, which will reach end of life on Patch Tuesday, April 8, 2014.

Security is the reason, one my relative doesn't appreciate, why running old software is often an inherently bad idea. Security technology in Windows XP was never really that great, even if it got a lot better with SP2, but the product was a runaway smash hit to such an extent that we may never be rid of it. Next April will be 12 years since Windows XP was made generally available; this is an astonishingly long time to keep supporting a software product. Nobody else keeps support life spans like Microsoft; with Windows XP they actually extended the normal 10-year life by 2 years, a move I consider a grave error. In fact, they should seriously think about cutting the 10-year standard down.

Partly as a result of their policies and partly because of people like my relative, Windows XP is still a massive presence in the market, and it's a massive target of attack. So are later versions of Windows, but those versions are far better able to defend themselves against attack. See the stats in this blog entry by Microsoft's Tim Rains, which explains just how much more vulnerable to breach XP is than Vista, Windows 7 and especially Windows 8. Imagine how vulnerable it will be when you can't even get patches for critical vulnerabilities anymore. Only a fool would rely on it.

One point Rains didn't make that I think is worth emphasizing: If you're using Internet Explorer on it, and I bet many XP users are, you are stuck with a version that will soon be 3 generations old and without critical updates anymore. Don't keep using XP but, if you do, use Chrome or Firefox. (This reminds me of the old line "Don't stick your hand in the garbage disposal but, if you do, use your left hand.")

Some other points: If you're on XP and you care about updates you're probably using Windows Update, and therefore automatically running the Malicious Software Removal Tool every month. Not any more after April 2014.

And it's not exactly a wave yet, but more and more software is not supporting XP, or at least not well. You can make a good case that this is irrelevant, since the users sticking with XP are likely sticking with the software they already have, but it's another thing to consider.

One thing you don't have to worry about is antivirus support. I asked Kaspersky about their plans for XP. Elliot Zatsky, Senior Director of Consumer Partner Services at Kaspersky Lab, said that about 20% of their user base is still on Windows XP (!). It's slowly trending down and they expect that, as a result of the end of XP support and the release of Windows 8.1, their XP decline will "increase slightly and continue on this steady downward trend for a few years." Zatsky says the company plans to include support for Windows XP in their 2015 product line and, therefore, for at least 2 more years.

I also asked whether the inevitable increase in unpatched vulnerabilities on systems makes it harder for antivirus to do its job. Obviously this increases the chance that a system will be infected in some way, but Zatsky says that their multiple layers of protection should catch any malware in real time even if it is trying to exploit a vulnerability.

I think they may be a bit optimistic with that last point. Things will certainly get worse for Windows XP. Once there are no more patches, demand for vulnerabilities may increase considerably. It wouldn't surprise me if some are being stockpiled for next year; it's a risk since someone else may discover them, but if you release an exploit for which there will be no patch, users will be helpless.

You out there, the one running XP! That's you I'm talking about when I say "helpless." When the new models show up for the holidays it's time to go computer shopping.
