
How risky will it be to keep running Windows XP now support has ended?

This is the end. Your Windows XP computer will get its last update today. Oh, it's not going to roll over and kick the bucket, but continuing to use it will be more and more dangerous, since any new vulnerabilities that arise won't be patched. We checked in with a number of security experts to discuss just how risky life will be for those who continue to run XP.

Who's still using XP?

Opinions on just how many systems are still running XP vary. Qualys CTO Wolfgang Kandek reports that XP's market share has sunk from 35 per cent in January 2013 to 14 per cent in February 2014. He points out that "computers running XP will be very attackable in the near future." Kandek also notes that over 70 per cent of security patches in 2013 affected XP. "XP will be affected by a large percentage of the problems exposed in May, June and July," said Kandek, "but there will be no remedy."

Peter Bright, technology editor at Ars Technica, reports a higher figure. According to Bright's research, 29 per cent of Windows computers were still running XP as of last week. "While firewalls and other measures will provide some degree of protection, widespread exploitation of these users by phishing and similar attacks remains highly probable," said Bright. "This writer would not be the least bit surprised if the first wave of exploits for the obsolete operating system materialised on or about 9 April."

Debra Littlejohn Shinder, owner and CEO of TACteam, advises businesses to upgrade all XP systems. In a blog post she notes that despite "literally years of advance notice," 29 per cent of computers that connect to the Internet are running XP. "It was fun while it lasted," she said, "but businesses need to take a look at their system inventories and bite the bullet and upgrade any XP computers they still have." She also suggests blocking remote workers from connecting to the corporate network using computers running XP.

What will happen?

According to Trustwave Director Christopher Pogue, criminals are most likely hoarding XP-based exploits, waiting for the end of security patches. But wait, it gets worse. There's a fair amount of code shared between different Windows versions. Pogue suspects that the bad guys will reverse-engineer patches for vulnerabilities in still-supported Windows versions and use that information to craft exploits that will work on XP. Pogue recommends that businesses switch to a newer Windows version immediately.

Trend Micro's threat communications manager Christopher Budd warns that financial institutions are most at risk when XP support ends. In a recent blog post, he suggests that financial institutions may have to block online access by XP users. "When users go to websites, it's a relatively simple matter to detect the browser and operating system that's accessing the site. Using that information it's easy to create an alert to make people aware of the risks of being on Windows XP," said Budd. However, users tune out warnings, so despite the risk of lost business, "the banking and finance sector should consider taking steps to block customers still on Windows XP from their services entirely."
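The detection Budd describes can be sketched in a few lines. This is an added example, not code from the article or from Trend Micro: it reads web server access logs in the common "combined" format, flags clients whose User-Agent reports Windows XP, and applies a warn-or-block policy. The function names, policy values and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Windows NT 5.1 is XP; NT 5.2 is XP x64 (and Server 2003).
# The User-Agent is client-supplied and can be spoofed or missing: treat it as a hint.
XP_TOKEN = re.compile(r"Windows (?:NT 5\.[12]|XP)\b")
# combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Apr/2014:09:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '192.0.2.11 - - [08/Apr/2014:09:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '198.51.100.7 - - [08/Apr/2014:09:00:03 +0000] "GET /accounts HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"',
    '203.0.113.5 - - [08/Apr/2014:09:00:04 +0000] "GET / HTTP/1.1" 200 128 "-" "-"',
    'truncated or malformed line',
]

def classify(user_agent, policy="warn"):
    """Return 'allow', 'warn' or 'block' for one User-Agent string."""
    if XP_TOKEN.search(user_agent):
        return "block" if policy == "block" else "warn"
    return "allow"

def summarize(lines, policy="warn"):
    """Count decisions and list the client IPs that reported Windows XP."""
    decisions = Counter()
    xp_clients = set()
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            decisions["unparsed"] += 1  # keep malformed lines visible, do not drop them
            continue
        decision = classify(match["ua"], policy)
        decisions[decision] += 1
        if decision != "allow":
            xp_clients.add(match["ip"])
    return decisions, sorted(xp_clients)

if __name__ == "__main__":
    counts, clients = summarize(SAMPLE_LOG, policy="block")
    print(dict(counts), clients)
```

Running the same summary over existing logs before enforcing a block shows how many customers the policy would turn away.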

Sometimes you don't have a choice. "Many organisations have business critical applications that run on Windows XP and have legitimate reasons not to migrate to a newer version of Windows," said Nicolas Rochard of VMware. Not surprisingly, he recommends moving all XP-specific operations into virtual machines. This allows running them alongside modern Windows versions, and of course, if the XP system succumbs to an attack you can roll the virtual machine back to an uncorrupted snapshot.

Rebecca Herold, CEO of Privacy Professor, sees potentially dire consequences in the medical field. In a post titled "How Many Patients Will Die Along with Windows XP", Herold notes that the percentage of medical devices running XP is probably higher than the overall percentage. These devices have a lifespan of 10 to 20 years, so for many, XP or embedded XP was the most up-to-date Windows version at the time they were created. After today, these devices "will be vulnerable to malware, hacking, and may also be non-compliant with HIPAA," said Herold. "Even of more concern," she added, "medical devices running on no-longer-supported OS's present real health risks to the patients."

Making the switch

Switching to a new computer can be a pain. LapLink has been around almost as long as the PC, creating options for transferring data to new computers. The firm's free PCmover Express is available from Microsoft's and includes LapLink's Free Transfer Assistance. "Research indicates that remaining on Windows XP past the end of support end date of 8 April is extremely risky," explained Thomas Koll, CEO of Laplink Software. "Users might hesitate to move off of Windows XP despite those risks because of fear of losing years' worth of data. With PCmover Express for Windows XP, there is no reason to delay."

Chances are good that your ancient XP computer doesn't have the oomph to run a modern operating system. That's okay; Microsoft's Windows XP site has plenty of advice and offers to help you buy a new PC. The site points out that today's PCs cost a third less compared to what Windows XP computers cost in 2002, and lists hand-picked deals starting at £249.

Sticking with XP

If you do stick with XP, you'll need to be extra vigilant. Independent tests have shown that simply keeping the operating system up to date gives you significant protection against malware. You'll no longer have that option. Fortunately, most security vendors will continue to support XP. Right now, make sure any XP systems have a powerful and up-to-date security suite installed.

Internet Explorer under XP is stuck at version 8; the rest of the world is using version 11. Ditch IE completely – switch to Chrome, Firefox, or any non-IE browser of your choice. Other precautions include avoiding the use of public Wi-Fi, uninstalling any third-party applications that aren't totally necessary, and using a tool like Secunia Personal Software Inspector 3.0 to ensure all remaining third-party applications are fully patched.

Even if you do everything you can to harden your XP systems against attack, they'll still remain more vulnerable than PCs running modern Windows versions. Sooner or later you'll have to upgrade, or replace the PC. Why not do it now?

Granted, the issue is a much thornier one for businesses – we've further advice on that topic in our guide to migrating your business operations from Windows XP.