
Experts question Microsoft's decision to retire XP

Gregg Keizer | Dec. 5, 2012
Microsoft will 'draw a line in the sand' in 2014 when Windows XP exits support, security researchers said today, even if millions of people are still running the aged OS and a zero-day bug threatens the Windows ecosystem.

But would Microsoft actually do what Cherry and Miller expect?

Not likely, said several other security experts today.

"I think they have to draw a line in the sand," said John Pescatore of Gartner. "They've supported XP longer than anything else, so they'd be pretty clean from the moral end."

Andrew Storms, director of security operations at nCircle Security, echoed Pescatore. "I don't see them changing their minds on this whatsoever," said Storms. "To do that, and alter their support lifecycle, would remove all credibility. Next, people still running Vista would say, 'They're not going to [end support].' And those people would hold onto Vista forever."

At some point, Pescatore and Storms said, users simply have to upgrade the OS, probably by buying a new PC. XP has had its run, and it's over. And Microsoft won't back down.

"I just don't think they will extend [XP] support again," said Wolfgang Kandek, CTO of Qualys. The case could be made, Kandek noted, that by continuing to supply patches to XP, Microsoft would be working "for the greater good." But he would be surprised if the Redmond, Wash. developer did so.

In any case, it might not even make a difference. "Are the remaining XP machines actually updated? We don't know," said Kandek, referring to the common problem of unpatched PCs, no matter what operating systems they run. "Do they actually install them? Extending patches might not do anything."

In at least one instance, Microsoft stuck to its guns, and refused to patch vulnerable operating systems that had fallen off the support list just weeks earlier.

In August 2010, Microsoft issued an emergency patch -- often called an "out-of-band" update -- for a critical Windows shortcut bug that attackers had exploited with the infamous Stuxnet worm, which most now believe was aimed at Iran's nuclear enrichment facilities. But even though Windows XP Service Pack 2 (SP2) and Windows 2000 had dropped off support the month before, Microsoft did not offer those PCs a patch.

The situation will be different in 2014, however: Users of Windows XP won't have a newer service pack to deploy, and XP will probably account for a still-significant portion of all Windows PCs, unlike Windows 2000 in mid-2010.

According to data from Web metrics firm Net Applications and Computerworld's projections, XP will power more than 25% of the world's Windows PCs in April 2014. That's an enormous number.

And there are other considerations, said Miller.

"One of Microsoft's No. 1 customers is the U.S. government," Miller said. "Things are much different nowadays, it's a new age, with all these worms circulating in the Middle East. Cyber security is a national security matter now, and I wouldn't be surprised if the [U.S.] government didn't have an impact on Microsoft's decision as well."

