Microsoft Patch Tuesday: Retire Comfortably, Windows XP

Microsoft officially ended support for Windows XP, issuing its last security update for the venerable operating system and its Office 2003 suite and sunsetting the software in perpetuity.

In its April 2014 Patch Tuesday round of security updates, Microsoft released two critical bulletins and two rated important, impacting Microsoft Word, Internet Explorer and all versions of its operating system. In all, Microsoft repaired 11 vulnerabilities impacting its software.

The software giant has been passionately urging businesses and consumers to migrate to its more modern operating system versions, which support some deeply rooted security features. Operating system attacks have been in decline, partly because of the level of sophistication required to pull them off, said Wolfgang Kandek, chief technology officer of Qualys. In a recent interview, Kandek said he has tracked a steady decline of Windows XP systems as companies start to heed Microsoft's message. In 2013, more than 70 percent of Microsoft's security patches affected Windows XP, Kandek said, urging users to migrate.

"There's no reason to believe that Windows XP systems won't continue to be a target," Kandek said. "There is a wide enough install base out there for cybercriminals to monetize an attack."

Windows XP has had a good, long run, said John Noble, vice president of technology at Phoenix-based solution provider Avisolve. Some businesses have been reluctant to migrate away from Windows XP, but there's been more than enough time to say goodbye and move on, Noble said.

"I find it surprising how many medium and small enterprises do not seem to be concerned about it, but once there's an outage or a system gets infected, it is amazing how fast budget frees up," Noble said.

Extended Support of Windows XP is available to organizations that can afford the premium service. Microsoft struck a multimillion-euro deal with the Dutch national government to provide security updates on a regular basis. It has made similar custom support agreements with authorities in England and Australia, and some private-sector firms have made arrangements to continue to receive security updates.

ATMs that are running a scaled-down, embedded version of Windows XP have until 2016 before support is officially ended.

While attackers have found ways to bypass newer security components, security experts agree that attackers have long migrated to targeting applications and browser components. Many of those components are still running on Microsoft, and the company made it a point to warn businesses and consumers last October that the infection rate on Windows XP systems is significantly higher than its newer Windows 7 and 8 platforms.

Windows XP has been a favorite of businesses and consumers alike, who were drawn to its stability and ease of use, say solution providers. It couldn't be bested by its intended replacement, Windows Vista, which was developed to increase security against a rising tide of threats against Windows but was widely criticized for peppering end users with annoying authorization prompts. When Windows 7 was released in 2009, adoption of Windows XP remained strong.

Migration services have been a big draw for solution providers. Most deployments are being upgraded on each business' standard refresh cycle, said Carl Mazzanti, CEO of eMazzanti Technologies. Mazzanti said his firm has a very low percentage of clients, some of them manufacturers with equipment that relies on Windows XP to operate machinery and support systems. Some manufacturer systems still run Windows CE, an embedded version that came to market in 1996, he said. Any system running Windows XP either isn't Internet-enabled or is surrounded with additional security mechanisms to prevent malicious code from running amok, Mazzanti said.

"They’re all in lock-down as much as they can possibly be at this point," Mazzanti told CRN. "It's probably certain that there are malware writers waiting to release their zero-day vulnerabilities, knowing that some businesses have systems online that are not maintained."

It's a much-needed operating system retirement, said Gus Chiarello, sales manager at Ramp Up Technology, which partners with antivirus firm AVG for endpoint security and systems management. Chiarello said his existing client base has been slow to migrate for a variety of reasons, but cost is a significant factor. Chiarello said his engineers have added a hardware-as-a-service offering combined with bundled services to help cash-strapped businesses move off of Windows XP.

"Our engineering team likes Microsoft's sun-setting of Windows XP, because the overall management capabilities in the Windows 7 world give them more feature functionality," Chiarello said. "We don't play the hype and hysteria card with this; we approach businesses by addressing their operational and financial concerns first, and a lot of times we find we can help them find ways to address their immediate issues without breaking the bank."

Up until now, businesses haven't had to make the case to migrate, said Peter Humphries, principal at Burlington, Ontario-based networking and security services provider SecureSense. The cost associated with additional security controls needed at the endpoint to mitigate the increased risks associated with Windows XP should free up funds to upgrade some systems, Humphries said, acknowledging that some firms have embedded systems running Windows that will never be updated.

"Windows XP was stable and there were a lot of organizations with people who can recall putting in a big investment into XP and are now making the case to jump off of it," Humphries said. "Cybercriminals are always looking for the weakest link and will find those firms that didn't heed the warnings."