Windows XP – Hitting the Wall
Just under one year from now, on April 8, 2014, Windows XP leaves Extended Support.
There are three key questions I’ve been asked a lot during the past week, related to this milestone:
- What even happens when Windows XP leaves Extended Support?
- Will Microsoft balk, and continue to support Windows XP after that date?
- What will happen to systems running Windows XP after that date?
All important questions.
The first question can be exceedingly complex to answer. But for all intents and purposes, the end of Extended Support means that you will receive absolutely no updates – including security updates – after that date. There are some paid support options for Windows XP after 4/8/2014; however, as we understand it, they will be very tightly time limited, very expensive, and implemented with a contractual, date-driven expectation for a retirement of the organization’s remaining Windows XP desktops. There’s no “get out of jail” card, let alone a “get out of jail free” card. If you have Windows XP desktops today, you have work to do, and it will cost you money to migrate away.
If you want to see for yourself, you can go to Microsoft’s downloads site and look – Windows XP still receives patches for either Windows itself or Internet Explorer (generally 6, 7, and 8 all get patched) every month. From April 2012 to April 2013, every month saw security updates to either Windows XP or IE on it – and 8 of the 13 months saw both. Many of these are not pretty vulnerabilities, and if left unpatched, could leave targeted organizations exceedingly vulnerable after that date.
This leads us to the second question. In a game of chicken, will Microsoft turn and offer support after 4/8/2013?
Why are you asking? Seriously. Why? I was on the team that shipped Windows XP. I wish that, like a work of art, Windows XP could be timeless and run forever. But it can’t (honestly, that theme is starting to get rather long in the tooth too). It’s a piece of machinery – and machinery needs maintenance (and after a time, it usually needs replacement). Windows 2000 received its last patch the month before it left Extended Support. So, while 4/8/2014 is technically a Patch Tuesday, and Microsoft might give you one last free cup of joe, I’d put a good wager down that if you want patches after that day, you’d better plan your migration, get on the phone to Microsoft relatively soon, get a paid support contract in place, and be prepared to pay for the privilege of support while you migrate away.
Companies that are running Windows XP today – especially in any sort of mission critical or infrastructure scenario – especially if connected to the Internet, need to have a migration plan away to a supported operating system.
At a security startup I used to work at (not that long ago), it shocked me how many of our prospects had Windows 2000, Windows NT, or even older versions of NT or 9x, in production (and often connected to networks or the Internet). Even more terrifying, many of these were mission critical systems.
And this segues us to the third question. What happens to systems running after 4/8/2014? You can quote Clint Eastwood’s “Dirty Harry” character, “Do I feel lucky? Well do you?” It’s not a good bet to make. Again, we’ve seen some nasty bugs patched in IE 6, 7, and 8, and Windows XP itself over the last year. While one would hope an OS 12 years out would be battle-hardened to the point of being bulletproof, that is not the case. Windows XP isn’t bulletproof. It’s weary. It’s ready to be retired. Organizations with critical infrastructure roles still running Windows XP will have giant targets on them after next April, and no way to defend those systems.
A common thread I’ve also seen is a belief that a wave of Windows XP migrations over the next 12 months will mean anything, economically. It really isn’t likely to. While we will likely see a good chunk of organizations move away from Windows XP over the next year, doing so may mean finding budget to replace 5+ year old PCs, and patch, update, or purchase replacement Windows, Java, and Web applications that can run on newer operating systems. Most of the easy lifting has already been done. The last customers remaining are likely extremely hard, extremely “financially challenged”, or both. It may be unfortunate, but this time next year (and likely the year after that, and years after that), there will still be Windows XP systems out there, some of them running in highly critical infrastructure. Dangerous, but unfortunately, likely to be the case.