The end of Windows XP support: what it really means for businesses

Simon Jones explains the full implications of the looming deadline for Windows XP support

April 2014 sees the end of support for Windows XP, Windows Server 2003, Exchange Server 2003, Small Business Server 2003 and Office 2003.

By then, the 2003 wave of products will be 11 years old, and Windows XP will be 13. Office XP ran out of support in December 2011, but Windows XP’s lifecycle was extended a couple of times because people stubbornly refused to move away from it. Anyway, at T-minus five months and counting, what exactly does "end of support" entail? Should you be worried, and what are your options?

Microsoft provides three levels of support for its software products: Mainstream Support, Extended Support and Online Self-Help Support. The Support Lifecycle policy is reasonably flexible, but generally it offers ten years of support for business and developer products (five years’ Mainstream and five years’ Extended) and five years of Mainstream Support for consumer and multimedia products.

The main difference between Mainstream and Extended Support is that only security bugs will be fixed during Extended Support – non-security bugs will only be fixed for customers who have purchased extended hot-fix agreements within 90 days of Mainstream Support ending. Once Extended Support ends, you’re on your own. Microsoft commits to maintaining Online Self-Help Support for ten years for most business and developer products, but since Office 2003 and Windows XP are already older than that, the knowledge base articles for them could start disappearing at any time.

With about a third of all PCs in the world still running Windows XP, it’s highly unlikely that Microsoft will remove all the patches for it from Windows Update yet, but there won’t be any more arriving. If anyone in a black hat finds a new security hole to exploit, Microsoft isn’t going to be doing anything about it in future. Security holes in Windows and Office aren’t rare, as you can tell from the regular stream of patches that appears on the second Tuesday of every month. Once Windows XP and Office 2003 go out of support, there won’t be any more patches for those products, and the likelihood of your PC catching something nasty will increase, no matter how good your antivirus software.

We can’t know by what factor it will increase, but around a third of malware infections can be traced to missing security patches; that is, if the computer had been kept up to date, it wouldn’t have become infected. Even though infections and virus threats are increasingly common – up 182% year on year in 2012 – Windows 7 is still far less likely to be infected than Windows XP if you’re running anti-malware protection; if you don’t have real-time malware protection in place, Windows XP and Windows 7 are about on a par for infection rates.

Windows 8 comes with real-time protection built in and turned on by default, so its infection rates are incredibly low – you’d have to consciously turn off Windows Defender to reach any significant infection rate.

XP infection rates

The headline figures for the second half of 2012 were that protected Windows XP SP2 computers had 4.2 infections per thousand, while 32-bit Windows 8 machines and 64-bit Windows 8 machines had 0.5 and 0.2 infections per thousand respectively. With no real-time anti-malware installed, these figures went up to 15.6 per thousand for Windows XP and 2.7 per thousand for 64-bit Windows 8 (no data is provided for 32-bit Windows 8). These figures are a summary of the telemetry data from Microsoft’s Malicious Software Removal Tool (MSRT), which is run on millions of computers every Patch Tuesday. See more of them in Microsoft Security Intelligence Report Volume 14.

64-bit operating systems are substantially more secure than their 32-bit equivalents, with the exception of Windows Vista, for reasons that aren’t clear. It’s interesting how relatively insecure Windows 7 RTM is compared with Vista SP2 or Windows 7 SP1, but it’s blindingly obvious that Windows 8 is far more secure than any previous version of the operating system.

Security patches that are released for more up-to-date versions of Windows and Office will probably be reverse-engineered by malware writers to see whether Windows XP and Office 2003 share the same vulnerabilities; if they do, those old products will become even more at risk, since their now-known holes will surely be exploited.

Eventually, there will be fewer computers in the field running this obsolete operating system. Fewer pieces of malware will be written to target its vulnerabilities, and fewer instances of that malware will be in circulation. This kind of "security by obscurity" (which is often claimed by Mac aficionados) is a long way off yet, however, and you shouldn’t be sitting on your hands in the meantime.