Windows XP: The world after April 8, 2014
To be clear upfront: After support for Windows XP will end, the world will still exist – at least I hope. However, over the course of the last few months I read numerous articles with speculations, what is going to happen, once we stop support of Windows XP. The key problem is, that we do not know at all – there is no precedence. When Windows 2000 went out of support, there were much less systems still in use. This is a huge challenge with Windows XP.
There are a few things we know today:
- The last day we issue security updates for Windows XP SP3 will be April 8th, 2014
- There will be a lot of systems after this date, which will still run Windows XP (any Service Pack).
- There will be vulnerabilities, which are in Windows Vista, Windows 7, and Windows 8, which will affect Windows XP as well.
The last point is a guess, however, the likelihood is very, very high. What does that mean for you and for the ecosystem? Starting from April 8th, there will be zero-days for Windows XP. By definition a 0day is a vulnerability, which gets known to the public and the bad guys before there is a security update by the vendor. As there are no security updates anymore, there will be 0days at the moment we release an update for a vulnerability, which is in Windows XP as well. How off does that happen? According to The Risk of Running Windows XP After Support Ends April 2014:
Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.
Basically, migrating off Windows XP is definitely the preferred way to go from my point of view as you cannot expect a 12 year old operating system to protect you against today's threats. However, I am aware that certain systems cannot be migrated or certain users and companies do not want to migrate off (or do not have the means to do). If you cannot migrate, shielding the systems and applying a defense in depth approach from the network to the application layer seems to me the only way to go. If you do not want to migrate – well, you should definitely think again. It is time.
If you or your management needs more data and insights, there is a fairly good analysis done by the team, which runs the Security Intelligence Report called Software Vulnerability Exploit Trends. This gives you some insights as well.
Finally, you might remember the two slides, I promoted in Security in 2013 – the way forward?. The slides can be downloaded here and I do not only give you permission to use them, I would motivate you to!
In the meantime, our Windows marketing team wrote a blog post How the evolution of security threats impacts businesses, where you find a great infograph (to the left) with the evolution of Windows and the Internet since 2001. You can definitely use this to promote any type of migration and protection.