Windows XP: The world after April 8, 2014

To be clear upfront: After support for Windows XP will end, the world will still exist – at least I hope. However, over the course of the last few months I read numerous articles with speculations, what is going to happen, once we stop support of Windows XP. The key problem is, that we do not know at all – there is no precedence. When Windows 2000 went out of support, there were much less systems still in use. This is a huge challenge with Windows XP.

There are a few things we know today:

  • The last day we issue security updates for Windows XP SP3 will be April 8th, 2014
  • There will be a lot of systems after this date, which will still run Windows XP (any Service Pack).
  • There will be vulnerabilities, which are in Windows Vista, Windows 7, and Windows 8, which will affect Windows XP as well.

The last point is a guess, however, the likelihood is very, very high. What does that mean for you and for the ecosystem? Starting from April 8th, there will be zero-days for Windows XP. By definition a 0day is a vulnerability, which gets known to the public and the bad guys before there is a security update by the vendor. As there are no security updates anymore, there will be 0days at the moment we release an update for a vulnerability, which is in Windows XP as well. How off does that happen? According to The Risk of Running Windows XP After Support Ends April 2014:

Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.

Basically, migrating off Windows XP is definitely the preferred way to go from my point of view as you cannot expect a 12 year old operating system to protect you against today's threats. However, I am aware that certain systems cannot be migrated or certain users and companies do not want to migrate off (or do not have the means to do). If you cannot migrate, shielding the systems and applying a defense in depth approach from the network to the application layer seems to me the only way to go. If you do not want to migrate – well, you should definitely think again. It is time.

If you or your management needs more data and insights, there is a fairly good analysis done by the team, which runs the Security Intelligence Report called Software Vulnerability Exploit Trends. This gives you some insights as well.

Finally, you might remember the two slides, I promoted in Security in 2013 – the way forward?. The slides can be downloaded here and I do not only give you permission to use them, I would motivate you to!

In the meantime, our Windows marketing team wrote a blog post How the evolution of security threats impacts businesses, where you find a great infograph (to the left) with the evolution of Windows and the Internet since 2001. You can definitely use this to promote any type of migration and protection.

Roger

Comments

  • Anonymous
    January 01, 2003
    I have windows 7 will I be effected by the changes in March/April 2014

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Good story

  • Anonymous
    August 19, 2013
    Has Microsoft notified the public of the impending doom? I've seen nothing....

  • Anonymous
    August 20, 2013
    Hi rhalbheer I know about the lifecycle but the question is if the regular Joe & Josephine who are not technical would know about the impending doom. I personally haven't seen any advertising or anything. [Maybe I haven't been lucky.] But I am sure many of the Win XP users [individuals and small companies with no support staff] may not know.

  • Anonymous
    November 03, 2013
    The comment has been removed

  • Anonymous
    March 28, 2014
    @Above
    No you will not.

    Windows 7 end of life isn't until 2020, so you're perfectly safe until then.

  • Anonymous
    June 17, 2014
    Thank you for share this is such a very nice post i really like it your blog.
    http://www.qadit.com/payment-and-settlement-systems.html>Payment and Settlement Systems Audit

  • Anonymous
    September 17, 2014
    So, where are these exploits, what are they? It's been a few months now, how bad is it really?