Perspective: Throw Windows XP a lifeline, Microsoft

Security pro makes case that Microsoft rethink April 2014 retirement

The forecast for Microsoft: There's a Windows XP storm coming.

According to statistics from analytics company Net Applications, Windows XP's user share declined by just two-tenths of a percentage point over the last two months, the smallest decrease since Computerworld began recording data for the aged OS in early 2007.

Normally, a Lilliputian decline when user share has been leaking like a rusted bucket of a boat would be time for celebration, but Windows XP's resistance to erosion is different. Support for the 12-year-old operating system is slated to end in less than four months, and Microsoft has been loudly telling customers that they need to move on before it stops providing public security updates.

They aren't. Or better put, they were, but then they quit.

As recently as the two-month span of August-September, Windows XP's user share plummeted by 15%, or more than six percentage points, prompting Computerworld to prematurely claim that the OS was in a "nose-dive".

Wrong. Instead, users pulled up on the control yoke and leveled off: Windows XP's decline slipped just two-tenths of a point in October, then stabilized in November. At the end of the latter, XP powered 31.2% of all personal computers used to browse the Internet and 34% of all those running Windows.

While overly-optimistic projections made at the end of September showed that Windows XP would have contracted to a significant-but-perhaps-manageable 21% in April 2014, the same forecast two months later pegged the remaining user share at more than 27%. So unless Windows XP restarts a descent, it's inevitable that a quarter of all personal computers will be running Windows XP come April.

The number has real-world ramifications, as Microsoft has repeatedly underscored this year. Absent security updates, Windows XP will be substantially more vulnerable to malware attacks, perhaps -- if Microsoft's own estimate is on target -- as much as 66% more likely to be infected after April 2014.

If a major chunk of the world's PCs remains tied to XP, as seems certain, Microsoft will face an unenviable choice: Stick to plan and put millions of customers at risk from malware infection, or backtrack from long-standing policies and proclamations. In either case, it will face a public relations backlash, whether from customers who complain they've been forsaken or those angry at Microsoft for pushing them to upgrade when, in the end, they didn't need to.

Microsoft is determined to retire XP, even though it previously extended that deadline by more than two years beyond the usual decade. It has given absolutely no hint -- zero, zilch, nada, nichts -- that it will rethink that schedule. Even analysts who once believed Microsoft's hand could be forced by events have retreated as the company has failed to allude to a last-minute lifeline.

But one security expert has made the case that Microsoft should reconsider, and is, in fact, honor-bound to lend a helping hand.

"Security shouldn't be optional," said Lawrence Pingree, an analyst with Gartner who tracks security topics and vendors for the researcher. "If I buy a car, I want it to be safe. If it becomes unsafe [through the manufacturer's fault], I expect the maker to make good." Even if it's an old car, and especially if that old car has been religiously maintained -- or in XP's case, patched.

That ethical stance flies in the face of business sense -- Microsoft makes little or no revenue from customers with old PCs, and desperately wants them to buy a new Windows system of some sort -- and will be incomprehensible to a large chunk of Computerworld readers, who regularly use the comments section of news stories about XP's longevity to vilify those who haven't upgraded to a more modern OS.

But most of those critics have the mindset of an owner of one PC, or at most, a handful, agreed Pingree. While many of XP's stubborn users may be in similar situations, businesses still relying on it are not. "It's very easy to say 'just upgrade,' but not all business can do so," said Pingree, citing money, resources and mission-critical software. "One of the main reasons why people cannot leave XP is compatibility with other software."

Nor is Microsoft blameless. XP has hung around because of the mistakes Microsoft made with Windows Vista, the OS flop that outgoing CEO Steve Ballmer copped to as his biggest regret. If Vista had been more like Windows 7, or had shipped at its original "Longhorn" timetable of 2004, then been followed three years later by Windows 7, XP would not have had the opportunity to lock up the ecosystem for a decade. (It wasn't until October 2011 that XP slipped under the 50% user share mark in Net Applications' tally.)

Pingree sympathized with Microsoft's dilemma -- damned if it does pull the plug, doubly damned if it doesn't -- and understood the frustration of those who have left XP behind, and are tired of hearing about the aged OS. "Certainly, Microsoft needs to move on, and customers need to address the issue," said Pingree. "At some point, everyone has to move on and it's high time customers think about upgrading."

But he was adamant that Microsoft risked much more than ticking off long-time customers by retiring Windows XP and stopping public patching.

"If Microsoft does decide to drop support and follow through with their announcements, organizations will be at significant risk and will be forced to grapple with incompatibility problems if they do upgrade at this point," Pingree said.

"XP has roughly about 30% share. What if 30% of the world's PCs were infected with a major virus or worm, something on the level of a [SQL] Slammer?" asked Pingree, referring to the 2003 malware that slowed or halted Web traffic around the globe. "It could have architectural implications on the Internet. And if it did, and somehow brought down the Internet, it could represent a national security threat."

Not to mention an economic hit that would make the Great Recession of 2008-2009 look like a bubble. "It would be an unacceptable economic threat, one with a major impact if a third of the world's PCs were hit with a Slammer kind of worm that couldn't be fixed," Pingree argued.

The problem is that Windows XP, and the PCs that still run it, are part of the wider Windows and personal computer ecosystem. Infect one PC, and in today's connected climate, that PC is a potential threat to all other PCs.

Microsoft knows this. In fact, the company has gone to great lengths not only to clean up its own security house -- starting with Windows XP Service Pack 2 (SP2) in 2004 -- and has often lent a hand to third-party developers to help them make their software more secure. And it's talked frequently about the need to make the entire Windows environment -- from hardware to its software to the blizzard of applications that run on its OSes -- safer.

From that perspective, Microsoft's decision to drop support for Windows XP, as smart as a finance department's spreadsheet may make that look, risks more than just a possible PR problem. It also risks poisoning the Windows well.

Millions of infected Windows XP machines in 2014 may not just pose the threats Pingree outlined, where exploits start on the older OS and wreck network havoc, but they would taint the Windows brand as insecure, ruining nearly a decade of work Microsoft has done in beefing up the security of the platform.

To many customers, Windows is Windows is Windows, with no discrimination between a creaky XP and the newest, locked-down 8.1: If headlines scream "Windows under attack," nuances disappear.

Pingree had a pair of suggestions for Microsoft, neither of which were new to the XP discussion.

"If it's such a big problem, maybe they should offer an 'Extended Life' [support] subscription and charge for it," Pingree said.

Microsoft will, after all, be crafting patches for Windows XP vulnerabilities rated "critical" and "important" after April for its "Custom Support" program, an after-retirement contract designed for very large customers who have not, for whatever reason, moved on from an older OS.

While Pingree's idea would not stamp out XP -- admittedly, it would only make people more likely to run XP from the grave -- at the least, it would give Microsoft an out. The company could point to the after-market support if threats developed, and effectively tell users to shoulder responsibility.

"Or Microsoft could make a lower-cost option for moving off XP to Windows 7," said Pingree. "That would move [Windows XP users] up one. Think of it more like a maintenance upgrade."

That's possible but not likely: Microsoft has not signaled it's willing to cut prices. Even if it did as Pingree suggested and revived Windows 7, that would be a difficult decision. Boxed copies of Windows 7 have already been pulled from retail by Microsoft. And while there is an upgrade path from Windows XP to Windows 8, the latter's reputation as a keyboard-and-mouse operating system remains shaky.

Microsoft's problem could simply go away. But that may not be a good thing in the end either.

As PC sales have contracted and tablet sales expanded -- and because PCs, even older ones, have proved "good enough" for customers -- analysts have predicted a lengthening of the former's upgrade cycle. It's possible, then, that many of the machines now running XP will not be replaced, will instead simply languish unused while tablets take on their roles, and be the customer's final traditional PC.

"Time is ticking," said Pingree.

Indeed it is. And not just for Windows XP.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about windows in Computerworld's Windows Topic Center.

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

More about: Apple, Custom, Gartner, Google, Microsoft, Topic
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: net applications, Microsoft, Windows, software, operating systems, Malware and Vulnerabilities
Whitepapers
All whitepapers

Telcos seek to strengthen NBN Co wholesale restrictions

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Sign up now to get free exclusive access to reports, research and invitation only events.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia