Is It Still Safe for Businesses to Use Windows XP?

Credit: Luis Louro/Shutterstock

After April 8, 2014, Microsoft will no longer support the Windows XP operating system. There will be no more security fixes, software updates or technical support, although Microsoft will still provide some anti-malware support for an unspecified amount of time.

Computers that continue to run Windows XP will be at increased risk for malware infection after April 8, yet many businesses have critical XP-only applications. Others can't afford to upgrade to new PCs. How much of a risk are they running?

Microsoft has given Windows XP users plenty of warning that XP support will end soon, but a study released in January by cloud-services provider Evolve IP found that nearly one in five information-technology decision makers were unaware the so-called "XPocalypse" was coming.

Cloud-security firm Qualys recently found that although there has been a steady decline in the number of computers using XP, at least 15 percent of U.S. companies still run the 13-year-old OS. 

It's clear that there are a lot of companies, both large and small, that need to upgrade their computers. Small and medium-sized businesses with tiny or outsourced IT staffs may not have the time or the budget to do so before April 8.

Jackpot for hackers

A lack of software support can create security problems.

"Every standard desktop-security risk that a computer faces will be amplified, because there are no fixes being written by Microsoft," said Scott Kinka, chief technology officer at Evolve IP in Wayne, Pa.

"This involves every form of malware possible," Kinka said. "Just assume someone is on your PC while you're working. Every password, trade secret and bit of personal information is at risk."

Most versions of Windows are based on previous versions, Kinka added, and patches to the newer versions could put XP users at greater risk.

"When an exploit is identified in a newer operating system that is still widely used, it's generally also a risk on older versions of the operating system," Kinka said. "As a result, Microsoft has made it a practice to patch all of their supported operating systems at the same time."

Let's say a vulnerability is found and patched in Windows 7 a few months after April 8, when there will still be millions of people using XP. When the update comes out, not only will XP not be patched, but hackers can examine the Windows 7 update to learn where the same vulnerability exists in XP.

"You just invited them in the front door," Kinka said. "To some extent, patching Windows 7 or 8 provides a potential road map to hackers into XP machines."

It's also important to remember that it isn't only the OS that loses support at the end of a Windows life cycle.

When Microsoft stops supporting Windows XP, it will also stop supporting Office 2003. Many third-party developers will follow suit and end support for XP-compatible versions of their own software. Users may not be able to call those manufacturers for assistance with critical software that runs on XP.

"End of support will not just affect the operating system," Kinka said, "but every piece of software that runs on it — whether it's written by Microsoft or not."

There is some good news, however, regarding Web browsers and anti-virus software. Google will support the XP version of its Chrome Web browser until April 2015, and Mozilla has no plans to stop updating Firefox for XP. Most anti-virus software makers plan to support XP until at least April 2016.

A possible workaround

Windows XP users may already be experiencing problems with software upgrades. Operating systems evolve with every iteration and become more sophisticated with the addition of new features that serve an increasingly demanding ecosystem of software, peripherals and users, said Victor Thu, director of desktop product marketing at virtualization-software maker VMware in Palo Alto, Calif.

As a result, the most up-to-date OS usually takes up more memory and requires faster processors than its predecessors in order for users to take full advantage of its advanced capabilities.

Wolfgang Kandek, chief technology officer of Qualys in Redwood Shores, Calif., said there are three types of users who continue to use XP: those unaware of the impending end of support, those who don't care and those who use Windows XP-specific software or applications.

"The third category is those that we can more effectively encourage to move over to a more secure operating system," Kandek said. "You don't have to abandon or change the applications you use just because Windows XP is losing its support — a common misconception. Users can simply isolate the applications and run them via the built-in Windows XP Mode within Windows 7 [Professional, Enterprise or Ultimate editions]."

Such XP-enabled virtual machines give Windows 7 users the best of both worlds: updated, more secure operating systems without the cost and hassle of updating applications. (Microsoft recommends "you only use Windows XP Mode if your PC is disconnected from the Internet" after April 8, 2014.)

While Windows 7 is not the most recent version of Microsoft's operating system, it is one of the most secure and it is well supported by IT administrators. (Windows 8 does not include Windows XP Mode.)

No matter what the reasons are for staying with Windows XP, its users will be significantly less secure beginning April 9. Vulnerabilities will be forever left unpatched, and attackers are expected to take full advantage of them.

Change is hard, both in terms of moving information and in learning a whole new OS. But if security is important to a company — and it should be — changing to a more recent and more secure OS is the only option.

Sue Marquette Poremba is a security and technology writer based in Central Pennsylvania.