Steven J. Vaughan-Nichols: You can keep using XP for another year, but do you really want to?

While clinging to the 11-year-old OS after Microsoft issues its last security patch in April is defensible, the security risks are going to keep mounting

On April 8, Microsoft will pull the plug on Windows XP SP3 when it issues the final security patch for the 11-year-old operating system. So it's high time to switch to Windows 7, right?

Probably. But it's still going to be possible to hang on to XP for another year or so, and given the number of users still clinging to it, I'd guess a significant chunk will do so. But is that wise? Not really. Security risks are just going to keep mounting.

About those numbers: Net Applications states that in December, XP was still running on 29% of all desktop and laptop PCs. By some counts, XP still accounts for 32% of all Windows systems. That's a heck of a lot of users.

One reason users haven't switched is that Windows 8.x is garbage. There are others. One is that XP machines simply still do their job. I'm a big believer in the maxim, "If it ain't broke, don't fix it," and many XP users believe that too.

Of course, Microsoft wants you to move to a newer version of Windows. If it can't talk you into Windows 8.x, it'll be OK with you moving to Windows 7. To help this process along, it's trying to scare you into moving by publicizing claims such as the one that XP-specific malware is going to jump by two-thirds. As for the OEMs, they'd like you to abandon XP too, but they'd be just as happy to see you shifting to Android PCs or Chromebooks. They're not proud; they just want to sell new units.

Unsurprisingly, Microsoft hasn't been quite so loud about what it's doing to make XP viable for another year. But it's going to continue to support its Malicious Software Removal Tool (MSRT) on XP until July 14, 2015. The company will also be offering antivirus signatures for Security Essentials until mid-July 2015.

Meanwhile, most antivirus companies are going to continue to support XP for years to come. The top three Windows antivirus companies, by AV-Test's count, Kaspersky, BitDefender and Avira, have pledged to support consumers until 2018, January 2016 and April 2015, respectively.

It's true that Microsoft has already given up supporting its latest software on XP, but many other companies haven't. For example, while Internet Explorer 8 is the most recent Web browser Microsoft will give you for XP, Google will be supporting the newest versions of Chrome on XP until at least April 2015. Indeed, as far as I've been able to tell, no major company currently producing XP software plans on ending support for its programs anytime soon.

That's a good thing, since these days many malware programs attack third-party programs instead of XP itself. After all, with 13 years of endless hacking, Microsoft finally has nailed shut most of XP's holes.

One favored third-party means of attack is Java. Oracle's most recent patch set for it had no fewer than 36 security patches for Java alone. Java just isn't worth the risks it exposes you to. Unless you absolutely must use it -- on any operating system, not just XP -- you'll be much safer removing it from your system.

You can also protect your aging XP PC by putting it behind a firewall. Well, you should have been doing that all along, but if you're going to continue to use it and you don't have it behind a firewall, now is the time to take that step. You'll need all the protection you can get.

Another useful XP security trick is to set up users with limited accounts. Installing new software or hardware with a limited account can be a pain, but how often are you going to be doing either with your old XP box? A good deal more defense for a little trouble is a trade well worth making.

So should you try to eke another year of life out of XP? I wouldn't.

Keeping XP safe is only going to get harder as months go by. Eventually, someone will craft a new XP crack that's going to break XP security like an egg.

Come that day, I expect Microsoft to reluctantly issue an emergency fix if there are still, say, 10% of users running XP at the time. But it won't do it with dispatch, and the new security hole may not become known for a while. Do you want your PC to be ransacked by vandals during the zero-day period? I wouldn't.

Still, if you can't bring yourself to switch quite yet, you can keep running XP for now. Just don't think that you're going to be able to keep doing it safely. You may have years instead of weeks, but XP's end of life really is in sight.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at sjvn@vna1.com.


1 Comment

Don

I feel totally comfortable running WinXP and even Win2K as virtual machines under Fedora 20. Virtual machines that don't have browsing access to the web, don't "see" email, and essentially have no contact with malware.

In years of using both OSes this way I've never had a problem. I do save whole virtual machines as backups every week or two. I only use XP for running WordPerfect and TurboTax. I use 2K for running an ancient version of Acrobat and for running two scanners that have no SANE drivers.

Essentially, my theory is that a Windows that doesn't browse the web or read email is a relatively safe OS even without AV software.

My host OS is my main OS and it's been Fedora, Fedora Core and Red Hat since 1997. My virtualization software was originally Win4lin with Win98 and then Win4LinPro with Win2K and now VirtualBox with Win2K, WinXP and various Linux distros that I run to take a look.
