Windows XP is finally DEAD, right? Er, not quite. Here's what to do if you're stuck with it

Lock down and look sharp, it's the hackers' game now

Today will be like no other day because it’s the last Patch Tuesday for Windows XP. Yet there's good news if you're still using XP. For starters, you're not alone.

Thirteen years after it was released, Windows XP remains the world’s second most popular PC operating system. It's running on 27.69 per cent of consumer machines, according to market stats from beancounters Netcraft. For businesses and governments, the numbers are thought to be slightly lower but not by much. Windows 7 is the number one OS.

Gartner reckons up to a quarter of enterprise systems and 10 per cent of “large” organisations are still running Windows XP. That means SMEs, corporations, multinationals, utility companies, retailers, and government – both local and national – and hospitals are all in the same boat.

And it’s not just PCs.

Seventy-seven per cent of UK organisations have the 13-year-old operating system running “somewhere”, according to UK software company AppSense.

That “somewhere” can mean anything that’s not a PC – so passenger information systems, kiosks and airline ticketing systems.

And let's not forget ATMs: two-thirds of the country’s 60,000 cash machines are also, as of today, still trucking along on Windows XP.

Yet for every silver lining there is a cloud: from now on, you're alone when it comes to security. As of now, if a new vulnerability is written that targets the operating system, Microsoft won't come riding to your safety with a software fix.

Security experts fear the worst: that rather than malware writers discovering new code, they’ve been hoarding a back catalogue of badness that they’ll release.

Microsoft’s last security patch contained two fixes for Windows XP and for Office 2003, which also runs out of gas on Tuesday.

From now on, the only protection you have is if you’ve got loads of money to fling at Microsoft. If so, you can afford a custom-support agreement priced at $200 per desktop, meaning Microsoft will keep on making security fixes for your machines.

Such agreements, though, are only for the biggest of the big – and you also need to prove to Microsoft you’ve got a migration plan in place.

Plenty in the private sector who’ll be running Windows XP after today have swallowed the price and taken out cover. Application migration specialist Camwood reckons at least 10 large enterprises it knows of have paid up.

Often the price is factored into the overall project costs of migrating off of Windows XP, with a view that the migration will be finished in a year and they won’t need to pay for a second, more expensive, year of custom Windows XP security.

Last week, the British Government became the latest to take out just such a deal.

A one-year deal priced at £5.584m will provide support for Office 2003 and Exchange 2003, which is also no longer supported by Microsoft. Crown Commercial Services, the commercial arm of the Cabinet Office, reckons the deal will save £20m over the standard pricing of such Microsoft Windows XP deals. Cover is available for tens for thousands of PCs in Whitehall, the NHS and other government bodies struggling with upgrades. These organisations will remain on Windows XP for at least another year.

There is an upside to this tale: in about a year’s time, most of the outstanding Windows XP users in business and government should have gone, thereby closing down a large attack vector open to hackers and malware writers. Many are already migrating, it’s just that the completion dates shoot well out past the April 8 end date.

They haven’t buried their heads in the sand. Well, mostly they haven't.

“There are customers we are talking to that are still talking and who haven’t started yet or in the process of just starting their Windows XP migration programs,” Avanade's head of technology infrastructure, Paul Marsh, tells The Register.

He has seen a stream of customers moving to either Windows 7 or Windows 8 in financial services, manufacturing, and utilities.

Recent headlines in publications such as The Reg about the Government’s £5.584m deal have been responsible for a sudden, late rush to action, too.

“There’s been a lot of headlines recently – the government extended its support deal to the NHS and lots of government agencies,” added Simon Body, chief technology officer for app migration bods Camwood. “Lots of customers are coming to us are talking to us about doing a very fast migration. It pricks the realisation there must be one risk they [government] do not know about and they [customers] are pressing the button.”

Camwood found 15 per cent running Windows XP didn’t know the end date was coming in March 2014. A year on, that number has decreased by nine per cent, Body said, adding that he reckons SMBs are only now waking up to the problems caused by XP's demise.

Fellow app migration specialist 1E reckoned that private sector projects are moving faster and are more focused than those in the government sector. Finance and healthcare companies are moving fastest because of concerns about the “business impact” and security risks.

For “business impact”, read lost income or fear of fines for breaches resulting from the fact they are running a desktop operating system lacking the latest security features.

Those without a company or organization-wide plan are seeing business units move on their own – phasing out Windows XP PCs only as they reach end-of-life.

But why have so many people so comprehensively missed the date? It’s not like nobody knew Microsoft was going to finally kill all updates for Windows XP.

Installing a new operating system is relatively simple, and we’ve been here before. Windows 98 and Win 2000 did gave way to XP, after all.

Other stories you might like

  • Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
    Kremlin-linked crime-as-a-service crew is rich, professional – and investing in R&D

    Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

    In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

    What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

    Continue reading
  • Supreme Court urged to halt 'unconstitutional' Texas content-no-moderation law
    Everyone's entitled to a viewpoint but what's your viewpoint on what exactly is and isn't a viewpoint?

    A coalition of advocacy groups on Tuesday asked the US Supreme Court to block Texas' social media law HB 20 after the US Fifth Circuit Court of Appeals last week lifted a preliminary injunction that had kept it from taking effect.

    The Lone Star State law, which forbids large social media platforms from moderating content that's "lawful-but-awful," as advocacy group the Center for Democracy and Technology puts it, was approved last September by Governor Greg Abbott (R). It was immediately challenged in court and the judge hearing the case imposed a preliminary injunction, preventing the legislation from being enforced, on the basis that the trade groups opposing it – NetChoice and CCIA – were likely to prevail.

    But that injunction was lifted on appeal. That case continues to be litigated, but thanks to the Fifth Circuit, HB 20 can be enforced even as its constitutionality remains in dispute.

    Continue reading
  • How these crooks backdoor online shops and siphon victims' credit card info
    FBI and co blow lid off latest PHP tampering scam

    The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites.

    It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to exploit. The Feds this week have detailed one such effort that reared its head lately.

    As early as September 2020, we're told, miscreants compromised at least one American company's vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the web script TempOrders.php in an attempt to inject malicious code into the checkout.php page.

    Continue reading

Biting the hand that feeds IT © 1998–2022