“In denial” XP users left vulnerable as Microsoft logs off
Microsoft will cease supporting its Windows XP operating system next April, leaving millions of enterprise users with no protection against new security vulnerabilities as they fail to upgrade despite more than two years’ warning.
The company says 10 per cent of all PCs in Australia, about 2.5 million, are still running XP. Globally the figure is much higher: StatCounter puts it at 21 per cent, while Netmarketshare.com says XP is installed on 31.4 per cent of PCs. And the popular software’s share is not declining at the rate that might be expected: it has dropped only eight percentage points in the past 12 months, according to Netmarketshare.
Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, said any new vulnerabilities discovered in Windows XP after its “end of life” would not be addressed by new security updates from Microsoft.
“After April 8, Windows XP … customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates,” Rains wrote in a blog post.
Joseph Sweeney, analyst with research firm IBRS, said cyber criminals might be “stockpiling” XP attacks and waiting for Microsoft to end support.
“There are indications that there has been a slowdown in the number of new attacks and malware for XP,” Sweeney said.
“I would find it unlikely there would be some grand global conspiracy to hold anything back, but there are a lot of crime syndicates involved in malware today.”
Brian Walshe, general manager of Microsoft integration at Dimension Data, suggested many people still running XP were in denial about its imminent demise or had put the transition into the too-hard basket and were suffering from “planning paralysis”.
“I’ve heard people say that Microsoft can’t possibly end support for XP because there are too many people using it, but Microsoft have been very consistent with their messaging for several years.”
According to Walshe the biggest upgrade hurdle faced by enterprises is applications that will not run under later versions of Windows.
“So we are advising people, rather than getting bogged down in planning, start looking at their application remediation today,” he said. “That is the most time-consuming part and that is what’s needed to understand what they have to do to move from XP.”
He warned enterprise users who have not already started migration that they will likely run out of time.
“I think there are some people out there that have probably put themselves into a bit of a hole. The closer we get to April 8 the less resources will be available to help with the migration, because there is likely to be a rush on those towards the end.
“There will be some very interesting conversations between some CIOs and their board as to why they’ve left things so late.”
Walshe said that users attacked after 8 April might be able to remediate, but would have limited options for preventing repeat attacks.
“Microsoft offers a version of XP that runs as a virtual machine under Windows 7. While it will not be supported, the host operating system will offer some protection,” Walshe said.
Microsoft will offer extended support to organisations. “There are people we have spoken to who have looked at that and been pretty horrified at the cost. It is extraordinarily expensive,” he said.
According to Dimension Data’s national manager, security, Jason Ha, other solutions for XP laggards include virtual patching (also known as web application firewall) and privilege management products, such as Avecto’s Privilege Guard. Privilege Management solutions enable an administrator to prevent the OS from running any executable code other than that specified, he said.
Microsoft Australia’s local Windows Upgrade Centre website can help customers move from XP, a spokeswoman said.