Support for Windows XP ends on April 8. Subsequently, there will be no new security updates, no non-security hotfixes, no assisted support options (free or paid) and no online technical content updates.
This has been on the horizon for a while and would not be a problem if everyone had already switched to newer operating systems.
However, significant numbers of people are still running Windows XP (Kaspersky Lab data indicate that around 18% of people haven't switched, notwithstanding the fact that it's now more than 12 years old).
Big problem
This creates a problem. Once Microsoft stops developing patches for Windows XP, anyone running it will be wide open to attack.
Effectively, every vulnerability discovered after this date will become a zero-day vulnerability – that is, one for which there is no patch and never will be.
This problem will be compounded as application vendors stop developing updates for Windows XP: this will create an even greater attack surface, since every unpatched application will become a further potential point of compromise.
Malware abound
Malware writers will undoubtedly target Windows XP more, since an un-patched operating system will offer them a much bigger window of opportunity in which to exploit any vulnerabilities they find.
It's easy to understand why some businesses could be reluctant to migrate, even though they have had plenty of notice that this day was coming.
It might not simply be the cost of buying a replacement operating system, they may also need to invest in updated hardware to do so. On top of this, they may need to replace any bespoke software created for them that potentially won't run on their new operating system.
Staying secure
So is there a way to stick with Windows XP and stay secure? What if the business is protected with anti-virus software? Certainly this would be better than no protection at all, but it's important to qualify this.
This only holds good if by "anti-virus" we mean a comprehensive internet security product that makes use of proactive technology to defend against new, unknown threats – rather than basic anti-virus protection based largely on signature-based scanning for known malware. In particular, it must include the ability to prevent the use of exploits.
The company must also be sure that their chosen vendor will continue to support Windows XP. And it should also be understood that, as times goes by, security vendors will have to implement new protection technologies that may not be Windows XP-compatible.
One of the factors to consider is how computers running Windows XP are integrated into the rest of the company's network.
Weak points
If they're stand-alone, the risk is much lower. But if they're connected, they offer a weak point that can be exploited in a targeted attack on the company – if compromised, they will become a stepping-stone into the wider network.
There's no question that anyone that continues to run Windows XP after April 8 will face a greater degree of risk.
Clearly, switching to a newer operating system may be inconvenient and costly, but the potential risk – from malware and phishing – of using an operating system that will become increasingly insecure may well outweigh the inconvenience and cost.
- David Emm is senior security researcher at Kaspersky Lab
