Patching XP makes Microsoft no money. But millions of unpatched and easy-to-exploit systems equal cybercrime payday.

Mathew J. Schwartz, Contributor

November 6, 2013


Windows XP holdouts: Prepare to get pwned.

That's the future facing Windows XP users, for the simple reason that the future security and reliability of their operating system hinges on two economic factors that are beyond their control, and which pose a significant information security risk.

First, XP no longer contributes to Microsoft's bottom line, hence -- more than 12 years after the product was first released -- the software vendor plans to stop releasing public updates and patches come April 2014. Second, cybercriminals get maximum bang for their buck when they target widely installed systems that sport known vulnerabilities.


With an estimated 500 million Windows XP systems in use today, those machines are soon going to become easy pickings for cybercriminals.

People don't like to hear that. They've invested in Windows XP -- maybe way back in late 2001, when it was first released -- and their consumer laptops continue to run just fine, thanks very much. Many businesses large and small, from neighborhood dental and medical facilities all the way up to Fortune 1000 firms, have invested in software, embedded systems or heavily customized applications that only run on XP or Internet Explorer 6. They don't want to pony up for new hardware, OS licenses and replacement applications. Furthermore, today's economic climate stinks, and to top it off, for the majority of would-be users, Microsoft has failed to make Windows 8 sexy.

Like climate change, signs of the impending XP security apocalypse can be ignored, but not refuted.

Even so, my incoming hate mail recently peaked after I detailed Microsoft's assertion that scans of real-world Windows installations found that six times the number of Windows XP systems are infected with malware as Windows 7 systems. One reader emailed: "How much did you get paid by Microsoft for your trashy fear monger piece about XP?"

My hands are clean. In security circles, Microsoft's findings aren't surprising. For starters, XP lacks the modern attack-prevention and mitigation techniques built into Windows operating systems after Microsoft found secure-code-writing religion in 2003. As a result, XP is easier to exploit than later versions of Windows, for the simple reason that more attacks will get through -- and an attacker just needs one exploit to work.

Furthermore, XP continues to be widely used, thus making it an attractive target. As of October 2013, 31% of all PCs still ran Windows XP, putting it in second place behind Windows 7 (46% market share), but ahead of versions of Windows 8 (9%), Mac OS X (8%), Vista (4%) and Linux (2%), according to By the end of 2013, reckons Gartner, there will be 1.63 billion PCs, which puts the Windows XP install base at about 500 million units.

With a user base like that, however, is Microsoft missing a huge potential revenue boost, by not attempting to sell future security patches to anyone who wants to keep using -- and trusting -- Windows XP? In fact, Wes Miller of analysis company Directions On Microsoft argues that when it comes to XP, "there's no gold left in them thar hills." In other words, anyone who wants to continue receiving security updates from Microsoft will need to pay for the privilege, and dearly. For everyone else, Microsoft has no financial incentive to feed you any more security updates; plan accordingly.

"I hate to sound like a shill, but XP systems will be ripe for an ass-kicking beginning next spring. And they can, and will, be taken advantage of," says Miller. "I also don't believe Microsoft will do any favors for businesses that stay on XP -- and don't pay the hefty costs for custom support agreements with a locked and loaded exit plan in place."

Remaining XP users, furthermore, will not just put themselves at risk, but -- think herd immunity -- make themselves a risk to the rest of us too. "Anyone connecting a Windows XP computer to the internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks," says independent security researcher Graham Cluley.

Come April 2014, massive numbers of XP users might not get owned right away. But as Microsoft continues to release monthly security patches for supported versions of Windows, attackers will reverse-engineer the underlying flaws and turn them into working exploits. For an illustration of how that works, just look at how attackers today are reverse-engineering Oracle's Java updates to find working exploits for the outdated versions of Java 6 and Java 7 still used by hundreds of millions of people. Economically speaking, cybercriminals can't afford not to attack all of those easy-to-exploit Java users, which has made it attackers' most-used technique for compromising systems.

Expect the same thing to happen with Windows XP, once it becomes a sitting duck. "It appears a lot of organizations don't realize -- or don't care -- [how] porous Windows XP will become after it ceases being patched in April," says Directions on Microsoft's Miller. "It isn't a war-hardened OS, as some customers believe. It's a U.S.S. Constitution in an era of metal battleships."

Windows XP holdouts: Prepare to sink or swim.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
