15/01/2014

It’s high time to say goodbye: Windows XP’s end of life is dawning


Why is this a question of security?

Sticking to the unsupported OS after the end of life (EOL) date on April 8 2014 means leaving the door wide open for cyber attackers and crooks! G Data has always explained how important it is to keep a computer’s OS and its third-party software up to date, and this directive remains valid! But users of Windows XP and Office 2003 won’t receive any more updates, patches or fixes after that Tuesday in spring 2014! The Support Lifecycle, usually 10 years long, will end and “there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates”, explains Microsoft.

This means: Cyber-criminals are fully aware of the huge number of possible easy targets. As soon as an attacker publishes information about any new security vulnerability in Windows XP, Office 2003 or XP-bound third-party software after April 8 2014, which will surely happen, this security vulnerability remains exploitable, open and unpatched. A zero-day vulnerability, forever active!
And looking at 2013 alone, Windows XP Service Pack 3 was amongst the affected Windows products in 50 security bulletins! This corresponds to almost one new security issue per week, statistically.

How many users are affected?

Statistics about the number of active Windows XP users vary greatly, which makes it quite difficult to determine a reliable number of potential victims. According to netmarketshare.com, Windows XP was used by almost 29% of active web surfing users in December 2013, whereas statcounter.com lists 19.8% for the same month – both generate their numbers by analyzing page views of web users on millions of different websites. Both services show that the Windows XP market share has declined in recent months.

Nevertheless, since these stats are based on active web surfers who visit a certain set of pages, these numbers should be regarded as the lower end of the estimate. Many computers equipped with Windows XP are in use (in companies) but are not actually used to surf the web or to visit the specific sites in those test sets. Therefore, we expect that the actual percentage of desktop computers using Windows XP is higher than the market share the Internet statistics reveal.

But I do have my AV product! This will protect me! Am I right?

The simple answer is: NO.
It is true that many AV companies have made sure, and continue to make sure, that their products remain compatible with Windows XP for some time after the EOL, so that OS migration latecomers are not left without any AV protection at all. Therefore, the familiar protection software will still function as such on these systems. BUT: AV product compatibility does not mean that the computer is entirely protected! In this case, it is only half the truth!

System integrity and security are a question of many interacting factors, and XP/Office 2003 will become a weak link in the security chain. One single security vulnerability is enough to compromise the whole system.

AV products are built to protect against malware and cyber threats and they will obviously continue doing so, even on Windows XP. A lot of the malware that tries to exploit any post-XP-EOL vulnerability will be caught as long as the AV product is kept up-to-date. Nevertheless, Microsoft clearly states that “anti-virus software will [also] not be able to fully protect you once Windows XP itself is unsupported.”

Imagine living in an apartment house. The building’s entrance door is too old to be repaired. There are no spare parts available anymore for this door, so the landlord decides to leave the door open forever. All tenants now have to rely upon their apartment doors being safely closed or maybe even buy themselves watch dogs to protect their belongings. The more people can get into the house, the higher the possibility that things can be stolen/damaged. But actually, one gatecrasher is enough to cause plenty of mischief within the building.

In general, AV vendors cannot fix vulnerabilities in third-party software or operating systems. They might be able to provide technologies or invent tools against very specific and unique vulnerabilities, but this is an extremely costly and time-consuming effort – no AV vendor will pursue such an approach for the huge number of vulnerabilities out there, even if it were possible. AV vendors have extremely limited possibilities to interfere with third-party components.

Where to start now?

In case migrating to a newer operating system is out of the question for you, “you have the option to purchase Custom Support. As a condition of buying a Custom Support contract, you must have a Premier Support agreement” and “the cost of Custom Support is significantly higher than regular support, and rises annually”, according to Microsoft. As this option is only suitable for very few users, we have the following suggestions:

Business users:

Many small and large companies, public authorities and specialized businesses have relied on Windows XP for years now, and migrating to a newer OS is certainly not just a day’s task. In many cases, businesses use proprietary software or even industrial control system software which is bound to Windows XP, and upgrades of these programs for compatibility with a newer OS are likely to entail additional costs.
Microsoft asks customers to contact their respective sales representatives or Certified Microsoft Partners. Migrating and deploying a whole IT infrastructure is a complex process and needs professional assistance.
Switching to a newer OS makes sense in many respects – even if you have software that needs Windows XP to be executed properly. Built-in sandbox technologies such as Windows Virtual PC and the ability to set program compatibility settings can already serve many needs with regard to older software.

End users:

Obviously, it is much easier for end users to cope with the limited number of computers in their home networks, which generally makes upgrading to a new OS less time-consuming. Nevertheless, new operating systems often need more powerful hardware to function and this, in many cases, entails hardware investments. Microsoft currently offers various discount programs for people who migrate to Windows 8, such as trade-in discounts.


There is a life post-Windows XP. End users and business users can organize their life and work differently after Microsoft has pulled the plug on these two products, no doubt about that, but they really need to start organizing it now!

G Data compatibility for Windows XP after April 2014

G Data security solutions for end users, currently version 2014, and businesses, business generation v12, do support Windows XP, of course.
Our new business generation v13, which will be launched in February 2014, and our upcoming retail generation 2015 will be compatible with Windows XP as well.