Come April 8, those using computers running Windows XP operating systems will face serious issues, including a total lapse in security protection.
On that date, Microsoft will stop sending security updates, nonsecurity hotfixes, assisted support options and online technical content updates.
“The problem is twofold,” said Steve Treppa, principal consultant at CT Logic in Royal Oak, Mich. “Obviously, Microsoft won’t be [security] patching any more, but the other thing people are talking about is traditionally when Microsoft issues a patch, it’s regressive to earlier versions. So the fear is the bad guys will see what the patches are for Windows 7 and 8 and go back to XP and exploit that patch, because Microsoft will not fix it.”
He added, “In many cases Microsoft is reactive; they see a bug, and they go patch it. So the bad guys may be holding bugs and just have to wait until Microsoft stops and then go out there and exploit those machines.”
Michael Menor, a former military computer specialist and network engineer at Tech Experts in Monroe, Mich., said that come April 8, a lot of hackers will be targeting that XP system exclusively.
“They will get infected very quickly,” Menor said. “With XP, you can expect that within 10 minutes, the system would get infected without all of the patches and service bulletins.”
The problem, he pointed out, is that those who are infected likely will never know it.
One caveat: According to a Jan. 15 posting on Microsoft’s Technet blog, the company “will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.”
The major security concerns remain, however, as further clarified by Microsoft, “Antimalware products have limited effectiveness on PCs that do not have the latest security updates. Therefore, after April 8, 2014, PCs running Windows XP should not be considered to be truly protected.”
No bull’s eye
Claudia Rast, a shareholder at Butzel Long PC in Ann Arbor, Mich., agreed.
“It’s bad enough that law firms are the soft underbelly of malware and cyber-attacks, but it’s even worse when we are disgorging it — why not put a bull’s-eye on your head?” she said.
“[A] lot of the security issues that make law firms vulnerable usually go undetected. Client information may have been stolen, account information may have been accessed; even if your password has not been compromised, they might be able to get into the system. It’s malware nowadays. It’s not obvious. It can be placed on servers and talk to remote folks and can relay information.”
Butzel Long started its plan to convert four years ago, she said, so nightmares of XP being exploited are nonexistent at her firm. But she said she realizes some small firms may say they paid good money and the system still works.
“There are a couple things they can do in the interim,” Rast said. “If you’re running certain apps, don’t use it for the email and don’t connect to the Internet; it’s the external access that is the problem. If they isolate the apps, just take away the email and browser functions.”
When contacted for comment on the concerns, Microsoft sent the following statement:
“After April 8, 2014, Windows XP users will no longer receive new security updates, nonsecurity hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.
“Third parties may provide ongoing support, but it’s important to recognize that support will not address fixes and security patches in the core Windows kernel. This is in line with Microsoft’s existing Support Lifecycle policy that has been in place since 2002.
“Windows XP was released in 2001 and doesn’t support new business trends such as mobility and touch, and can’t match the features, reliability, security and speed of a modern operating system like Windows 8.1. Running Windows XP in your environment after the product’s end of support date may expose your data and information to potential risks, such as:
- Security Risks: Unsupported and unpatched environments are vulnerable to security risks. As the threat landscape evolves, new vulnerabilities will not be patched.
- Compliance Risks: If you are a company still using Windows XP, this may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the company’s inability to maintain its systems and customer information.
- Higher Total Cost of Ownership: Businesses incur a higher cost of purchasing custom support solutions for unsupported software.”
Go out and splurge
This may be one of the few times that IT people will tell you to go out and just buy a brand new system.
But that’s the general advice.
“It’s a lot cheaper to buy new now than to upgrade the existing,” Menor said. “It’s going to be slow. You can add parts to it but it’s not going to give you the performance you need. It’s going to cost a lot more to upgrade, too. It’s a lot cheaper to just buy new equipment in most cases.
“We get calls all the time about making their system go faster, and we will do the research, but in most cases the cost is way too high and we advise them to buy a new computer.”
Treppa said that users probably will be very unhappy trying to run Windows 7 on a 5- to 8-year-old computer. He advises against trying to install a new OS in an old machine, noting the memory just isn’t there.
“And the upgrade pricing for Windows 7 or 8 is in the $200 range, and when computers can be had for $400-$500, you’re already halfway there.”
An important point that Microsoft brought up was support of mobile and peripheral devices too, he said. If you’re running XP, it’s likely on a near-obsolete computer. And while the software may have a hard time supporting new applications, the hardware also may not be able to deal with new add-ons, such as printers.
“It’s not like Y2K fears. They won’t shut down, but we don’t know about malware,” Treppa said. “If it’s true they are sitting on exploits [hacker intrusions], then it’s hard to say what will happen. The best advice to give is to budget for PC replacement — now.”
Jason Killips of Young & Associates in Farmington Hills, Mich., said updating his firm’s systems has been a here-and-there proposition, and said the firm was out of XP some time ago. The firm just updates as it goes, especially with the addition of tablets and laptops and much higher use of smartphones.
“Technology has probably changed and advanced more from an office computing standpoint in the last couple years than any other point,” Killips said. “Because so much is available … iPhone, tablets, and those things change. It’s like anything else; it won’t work as well and not be as complete as a cohesive system.”
You are not alone
It’s estimated that one-quarter to one-third of desktops still use XP as an operating system, although that figure is much lower for businesses specifically.
In addition, 95 percent of the ATMs are run by the XP operating system, and about 15 percent have been updated. It’s been reported that because of the nature of the machine and the size of the account, temporary fixes are being worked out for ATMs until upgrades are made.
Law firms and other businesses won’t be as fortunate and should plan as though no help is available, Menor said.
There are reports that very large companies will have the option for dedicated support. One report pegs the cost at $200 per desktop for one year, $400 for the second year, and $800 for the third.
For a firm with more than one or two computers, Menor recommended contacting a local service provider to come in, look at the network and workstations and get a proposal of what might be needed.
As for migrating files, he said it can be relatively easy: use the Windows Easy Transfer download to copy the old files and settings onto a flash or external drive, then transfer them to the new system. Users should find the files and folders set up the way they had been before, he said.