Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

Windows XP: The world after April 8, 2014


To be clear upfront: after support for Windows XP ends, the world will still exist – at least I hope. However, over the course of the last few months I have read numerous articles speculating about what is going to happen once we stop supporting Windows XP. The key problem is that we do not know at all – there is no precedent. When Windows 2000 went out of support, far fewer systems were still in use. This is a huge challenge with Windows XP.

There are a few things we know today:

  • The last day we issue security updates for Windows XP SP3 will be April 8th, 2014.
  • There will be a lot of systems still running Windows XP (any Service Pack) after this date.
  • There will be vulnerabilities in Windows Vista, Windows 7, and Windows 8 that affect Windows XP as well.

The last point is a guess; however, the likelihood is very, very high. What does that mean for you and for the ecosystem? Starting from April 8th, there will be zero-days for Windows XP. By definition, a 0day is a vulnerability that becomes known to the public and the bad guys before there is a security update from the vendor. As there will be no more security updates for Windows XP, every time we release an update for a vulnerability that is in Windows XP as well, that vulnerability becomes a 0day on Windows XP at that moment. How often does that happen? According to The Risk of Running Windows XP After Support Ends April 2014:

Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.

Basically, migrating off Windows XP is definitely the preferred way to go from my point of view, as you cannot expect a 12-year-old operating system to protect you against today's threats. However, I am aware that certain systems cannot be migrated, or that certain users and companies do not want to migrate off (or do not have the means to do so). If you cannot migrate, shielding the systems and applying a defense-in-depth approach from the network to the application layer seems to me the only way to go. If you do not want to migrate – well, you should definitely think again. It is time.

If you or your management need more data and insights, there is a fairly good analysis by the team that runs the Security Intelligence Report, called Software Vulnerability Exploit Trends. This gives you some insights as well.

Finally, you might remember the two slides I promoted in Security in 2013 – the way forward?. The slides can be downloaded here, and I do not only give you permission to use them, I would encourage you to!

In the meantime, our Windows marketing team wrote a blog post, How the evolution of security threats impacts businesses, where you find a great infographic (to the left) showing the evolution of Windows and the Internet since 2001. You can definitely use this to promote any type of migration and protection.

Roger

Comments
  • Has Microsoft notified the public of the impending doom? I've seen nothing....

  • Hi Ed,

    Basically, we have a support policy of 10 years after the initial release for major versions of our software. All the policies can be found on www.microsoft.com/lifecycle.

    With Windows XP we even extended the supported period, and we have been communicating the end of support for quite a while and have increased the volume since April this year.

    Roger

  • Good story

  • Hi rhalbheer

    I know about the lifecycle but the question is if the regular Joe & Josephine who are not technical would know about the impending doom.

    I personally haven't seen any advertising or anything. [Maybe I haven't been lucky.] But I am sure many of the Win XP users [individuals and small companies with no support staff] may not know.

  • Well, OMG! Have to leave WXPSP3 AND I E 8 at what might as well be the same time? I'm like the "regular Joe & Josephine" about whom Ed 20 Aug 2013 wrote.

    I mean I am in no way a Techie.

    Add to that: just yesterday an Avast anti-viral site rep (ahem, after I agreed some weeks ago to pay $180 for one year's comp-tech service from Avast) changed my home page/search engine from my fave google to msn, bleck, AND did not tell me anything at all about how I might as well let him "upgrade" my computer from IE8 to something else.

    Repeat: yesterday. Why do the tech reps at anti-virus sites seem not to know enough about the eventual death of I E 8 to suggest to paying subscribers that they allow the tech rep to uninstall (I guess...I SAID I'm no Tech) I E 8 in favor of whatever comes next.

    Oh, and when another Avast tech rep had to be contacted to get MSN off my monitor, putting Google home page/search engine back, Tech #2 didn't say anything about the "impending doom," either. BOTH guys didn't know about this upcoming change??? Hmm...

    Look, I'm 65 and hate change especially when I do not appreciate the "well, this system has been in use for ten years, might as well stop serving or supporting it" speech from whatever honchos seem to be intent on killing off I E 8 and WXP 3.

    I suppose that mostly I'm worried that I might make some error when "migrating away" from I E 8 and WXP 3, and make my computer into a GREAT but too expensive door-stop.

    Thanks for the rant-space. I'm going now to see what hoops I have to jump through to do the suggested migrating.  : - (.

  • I have Windows 7. Will I be affected by the changes in March/April 2014?

  • @Above
    No, you will not.

    Windows 7 end of life isn't until 2020, so you're perfectly safe until then.

  • So, where are these exploits, what are they? It's been a few months now, how bad is it really?
