Microsoft Gives XP One Last Hug
Microsoft's decision to offer a Windows XP patch for a serious Internet Explorer flaw has drawn cheers, but those still using the no-longer-supported operating system shouldn't hold their breath waiting for the next one, the company has indicated. That isn't stopping security pros from lobbying for an extension of the support grace period, however.
May 3, 2014 11:15 AM PT
When Microsoft included Windows XP in the Internet Explorer zero-day browser vulnerability patch it issued this week, some industry observers were stunned. Had the company decided to backtrack on its assertion that it would no longer support XP? Had it knuckled under to user protests?
Not really. Redmond has not decided to backtrack on killing support for Windows XP; it made an exception this time, because the vulnerability was discovered so close to Microsoft's ending support for XP, Adrienne Hall, general manager of trustworthy computing, wrote in a blog post.
There have only been "a very small number of attacks" exploiting this flaw, according to Hall and other Microsoft executives.
Asked for specific figures on casualties, Sarah Wilcock, of Microsoft's PR agency Waggener Edstrom, pointed TechNewsWorld to Hall's blog post and the Windows XP end-of-support website.
Fighting a Rearguard Action
Despite issuing the patch, Microsoft is urging XP users to upgrade to a more modern OS such as Windows 7 or 8.1.
"Just because this update is out now doesn't mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer," Hall wrote.
These modern OSes "provide more safety and security than ever before," she continued.
The latest version of Internet Explorer "has increased support for modern web standards, better performance, and expanded the ability to deliver an immersive experience from within the browser. In other words, cool stuff that you need even if you didn't know you need it," Hall enthused.
"Microsoft's decision to issue an XP patch ... creates a lot more questions than it answers, and highlights the fact that the company is in a rather awkward situation," Jerome Segura, senior security researcher for Malwarebytes, told TechNewsWorld.
XP Keeps On Keeping On
XP "has proven more popular and more resilient than most people would have anticipated," Segura pointed out. "Users so far seem to be sticking by XP even with discontinued support."
Indeed they have -- while Windows 7 had nearly 50 percent of the desktop OS market in April, XP had more than 26 percent, according to statistics from Netmarketshare. That's more than all the other players put together.
Microsoft's covering XP with the latest patch means "it somehow shoots itself in the foot by encouraging users to stick with [that OS] for at least a little longer," Segura said.
Who's at Risk
The financial services and healthcare industries may have the most to lose if XP remains unsupported, Darren Hayes, a professor at Pace University's Seidenberg School of Computer Science and Information Systems, told TechNewsWorld in an earlier interview.
Most ATMs run on that OS, as do the "vast majority" of medical devices.
Utility companies also are at risk.
The move toward cloud computing will make things worse, warned Eric Chiu, president and cofounder of HyTrust.
"Virtualization and the cloud essentially let operating systems live forever," Chiu told TechNewsWorld. "These technologies, which run 70 percent of the data center, remove the hardware dependence of the operating system so that older OSes like XP will be able to run [in them] for the next 20 years."
This "has tremendous cost benefits for companies ... but creates a security nightmare and a hacker's delight."
What Might Happen
However, antivirus software won't resolve the underlying vulnerabilities cybercriminals are likely to discover.
"We're expecting some pretty intense exploits [against XP] over the coming months, which will certainly affect Microsoft's brand," Segura warned.
Eventually, Microsoft will "either stick to their guns and discontinue support entirely, or they'll need to extend the grace period and give users another 6-12 months to upgrade," Segura speculated. "We're hoping for the latter."