Tuesday, April 8, 2014, could be a dark day for security administrators: That's the day Microsoft will end support for its Windows XP operating system. Since XP still runs on about one out of every four corporate PCs, enterprises may need security contingency plans unless they become more proactive and take steps to protect these systems, and soon.
Unveiled in October 2001, Windows XP has become a greybeard among desktop operating systems. The OS's influence peaked at 76.1% market share and 400 million copies were sold as of January 2007.
In March 2008, Microsoft announced plans to phase out the OS. OEMs stopped bundling the Windows XP with their systems in June 2008, Microsoft ceased selling it in January 2009, and all support (including security patches) is slated to be dropped next April.
Yet, Windows XP still operates on 28% of corporate Windows computers, according to Ovum Research. Even though Microsoft has given companies plenty of notice, U.K.-based OS migration specialist Camwood recently found many companies have not started to plan for a move off of XP. Despite Microsoft’s recommendation of an 18- to 30-month window for successful migration away from XP, according to a Camwood survey of 250 corporate IT directors, only 42% of companies have started the process.
With Windows XP security updates ending in 2014, security vendor Sophos has warned of what it termed an upcoming XPocalypse if those numbers do not change. If XP is still running on so many corporate systems a year from now when regular software security patches stop coming, hackers will likely ramp up attacks on the OS beyond the frequent penetration seen today, putting corporate networks in greater danger.
"There's certainly the potential for a lot of havoc," said Joshua Long, a security and networking specialist with Sophos and a contributor to its Naked Security blog. "For instance, [a] new Internet-propagating worm that targets Windows X systems, or even just an increase in Internet Explorer 8 browser exploits, could open the doors wide for all manner of malware infections."
So, how can a business protect itself from such problems? Microsoft, of course, would like companies to upgrade to newer versions of Windows, but doing so is not always in an enterprise's best interest.
"It can be difficult to build a sound business case for upgrading an operating system," noted Richard Edwards, principal analyst with U.K.-based Ovum. "They can easily find business reasons to upgrade their applications, but the economics are not as clear with operating systems."
Depending on the number of PCs a business wants to upgrade, Edwards added, plus the cost of any RAM upgrades for older systems, costs can run into multiple thousands of dollars.
An alternative option to upgrading that Ovum suggested is replacing Windows XP laptops and desktops -- not with the same device types, but instead with tablet computers. They are smaller and can be more convenient for many users, though they do present new challenges: they may not run the firm’s existing applications and may be susceptible to new and emerging intrusion methods.
"Hackers are now keenly focused on finding vulnerabilities with mobile systems," Edwards said.
Deploying a desktop virtualization system, another XP upgrade alternative suggested by Ovum, also improves security. “Since the desktops are under centralized control and administration," Edwards explained, "the IT department can make sure that proper security patches are deployed."
To protect corporate data from the threats unpatched XP machines present, it's clear that companies running XP will need to do something. Unfortunately, he said, many won't.
"We expect that XP will continue to be used in many enterprises throughout the rest of the decade," Edwards concluded.
About the author:
Paul Korzeniowski is a freelance writer specializing in technology issues. He is based in Sudbury, Mass. and can be reached at firstname.lastname@example.org.