The UK government and some other large organisations have recently procured Windows XP support extension packages from Microsoft. HMG in this instance have committed a £5.5m budget to ensure that future security vulnerabilities will be addressed and patched. And that’s money they might not even have needed to spend.
HMG will not be permitted to share their patches with the rest of the UK as per the licensing conditions set down by Microsoft, so any smaller businesses that rely on Windows XP will either have to bite the bullet with a Windows 7/8/MacOS upgrade or take a risk-based approach to the longevity of the current “secure” status of Windows XP SP2 with all the latest patches applied. I doubt many organisations have that kind of money lying around, and they simply cannot afford the extended support offered by Microsoft.
There are not yet any critical vulnerabilities with XP that haven’t been patched, so this £5.5m is a pretty expensive insurance policy – there will be viable alternatives and you have to bear in mind XP is rarely installed in critical environments – it’s a desktop operating system after all.
Researchers bemoan the fact that most ATMs in the world still run XP and warn that the whole world will come crashing down, but despite what they say, a production ATM is very difficult to compromise. It’s not as if they’re all on the Internet. Major ATM service providers have publicly declared they will be sticking with XP for the time being. It’s not as if ATMs have ever been properly patched in the past several years anyway, but that’s a different matter.
Is there a risk that there’s a major vulnerability or ticking security time bomb for those using XP? I think not. It’s been around for almost 15 years and has been hammered to death by the research community and hackers, and they’re moving on.
All is not lost for organisations that cannot afford extended support – there will be plenty of hardening and configuration recommendations published by the security community, and anti-malware solutions will still be able to detect/prevent many future exploits, but it will be harder to keep up and maintain a secure Windows XP environment whilst community support crumbles and the world simply moves on.
XP users must of course tread carefully and stay up to date with vulnerability research, and make a risk-based decision on a case-by-case basis, but one thing’s for sure – Windows Update will no longer be able to solve your XP problems.
Will Windows XP become more insecure? I’m hoping not, but one thing’s for sure – running obsolete products will ramp up support costs and there will come a point where impending Windows 7/8 solutions or even a suite of nice new shiny Apple Macs will be the cost-preferred solution, showing that businesses aren’t driven by security, they’re driven by cost.