Microsoft introduced Windows XP in 2001, and it became an instant success. It combined the well-received consumer user interface from Windows 98 with the stability of Windows NT, was out-of-the-box Internet capable with an excellent browser – Internet Explorer (IE) – and quickly took over the market.
In terms of security, XP was immediately the target of attacks. In 2004, Microsoft hit a milestone in this area, when it unveiled Windows XP SP2, which featured a built-in, always-on firewall that effectively ended the era of the large-scale Internet worms, such as Blaster, Sasser, and Slammer. As a result, Windows XP became a huge hit with over 600 million installations worldwide.
But in April of next year, 2014, Microsoft will execute on its long-published maintenance plan and end commercial support for Windows XP. Starting in May, Windows XP will stop receiving security updates, even for highly critical flaws such as September's and November's IE zero-days, which targeted Windows 7 and, you guessed it, Windows XP. By mid-2014, new and (by then) unfixable security flaws in XP will be well known and freely traded in the cybercriminal underground.
To illustrate this certainty, let's take a look at this year's IE security bulletins. There have been fourteen updates so far, one each month through November, plus additional updates in February, May and November to cover zero-days, addressing a total of 117 vulnerabilities. Windows XP was affected by 75 of the vulnerabilities, including 68 rated critical, which accounts for 64 percent of total vulnerabilities and 90 percent of critical vulnerabilities this year alone.
This pattern will not simply stop in April 2014. We can be certain that vulnerabilities will continue to affect Windows XP, and given that it is unlikely that Windows XP will be replaced 100 percent by April 2014, we will see reverse engineering of vulnerabilities for XP and the development of exploits as well.
Networks that include Windows XP computers used for normal office activities, such as e-mail, web browsing, word processing, etc., will become undefendable and will invite attackers inside. There are certainly steps one can take to lower the risk, such as switching to a supported browser, e-mail client, and office suite, and hardening Windows XP (with the Enhanced Mitigation Experience Toolkit, EMET, for example), but these are band-aids that can only prolong XP's useful life by a few months.
The only way to address the situation and to ensure your network and assets are secure is to migrate to a supported operating system. In the Windows line, your options are Windows 8, with its radical user interface change and a market share currently under 10 percent, or Windows 7, which has seen growing enterprise adoption, holds a market share of over 50 percent, and has the additional benefit of being familiar to users who may already run it at home.
In a pinch, you may still have Windows Vista licenses around from when that operating system first shipped and you chose to install XP instead. There are other alternatives as well: you could follow the lead of the French Gendarmerie, which migrated 40,000 desktop computers to an open source platform based on the Firefox browser, the Thunderbird e-mail client, and OpenOffice for word processing and spreadsheets, all running on the Ubuntu variant of the Linux operating system.
If you are still running Windows XP, you are not alone. Figures for the currently installed base vary widely, though, ranging from the low teens to almost 50 percent according to some sources. Our data indicates that more than 20 percent of all enterprise users are still on Windows XP machines, so it is probable that you can reach out to your peers and see what strategies they are planning. One thing is clear: the risk is real and there is little time left, so you need to act now.
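Before you can plan a migration you need to know how many XP machines you actually have and where they sit. The following is an added example, not code from the original article or from Qualys: an Active Directory inventory of Windows XP computer objects, run from a domain-joined admin workstation with the ActiveDirectory PowerShell module (RSAT) installed. The 90-day staleness threshold and the output file name are assumptions chosen for illustration.

```powershell
# Added example: inventory Windows XP computer objects still joined to the domain.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation.
# The $staleDays threshold and the CSV path are illustrative assumptions.
Import-Module ActiveDirectory

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)

# The OperatingSystem attribute is written by the machine itself when it joins or
# updates, so this is a first-pass inventory; confirm against your vulnerability scanner.
$xpHosts = @(Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, DistinguishedName |
    Select-Object Name,
        OperatingSystem,
        @{Name = 'ServicePack'; Expression = {
            if ($_.OperatingSystemServicePack) { $_.OperatingSystemServicePack } else { 'none' } }},
        LastLogonDate,
        @{Name = 'Active'; Expression = { $_.LastLogonDate -gt $cutoff }},
        # Drop the CN= part to get the containing OU, used to route work to the right owner
        @{Name = 'OU'; Expression = { ($_.DistinguishedName -split ',', 2)[1] }})

# Live machines are the migration list; stale accounts still carry credentials and
# should be disabled rather than ignored.
$live  = @($xpHosts | Where-Object { $_.Active })
$stale = @($xpHosts | Where-Object { -not $_.Active })

"Windows XP computer objects: {0} total, {1} seen in the last {2} days, {3} stale" -f `
    $xpHosts.Count, $live.Count, $staleDays, $stale.Count

# Where the live ones are, grouped by OU, largest populations first
$live | Group-Object OU | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Hand the per-host list (name, service pack, last logon, OU) to the migration team
$live | Sort-Object LastLogonDate -Descending |
    Export-Csv -Path .\xp-migration-list.csv -NoTypeInformation
```

Two caveats: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated roughly every 14 days, so treat the "Active" flag as approximate; and machines that were never domain-joined (lab gear, embedded systems, kiosks) will not appear here at all, which is exactly why the AD view should be reconciled with network-based scanning.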
Wolfgang Kandek is the CTO for Qualys.