Windows XP: The COBOL of the 21st Century

Posted by Joshua Marpet

What happened when Windows XP went into end of life (EOL)? That fateful day happened on April 8, 2014. It doesn't mean that WinXP computers will suddenly stop working. It doesn't mean that the world of WinXP computing will end. To be honest, it probably doesn't even mean that WinXP-based programming will end.

So what does it actually mean? New drivers won't be developed. It will get increasingly difficult to replace hardware, as new hardware won't be built with XP in mind. But, most importantly, it means that new security patches will not be developed, deployed, or updated.

So what? Windows 7 is pretty good, and Windows 8.1 has a start bar, sandboxed applications, and pretty darn good security. So everybody's probably already updated, right?

Unfortunately, that simply isn't so. Due to the cost of acquiring licenses, the time and effort it takes to plan and execute a deployment, and software that can't run on anything but Windows XP, there is a significant number of Windows XP computers still deployed out there. Actually, Windows XP usage jumped in the last few months! In January 2014, Windows XP's share rose to over 29% of all PCs in use. Many current users don't see any reason to leave. If it works, why fix it?

Because once the security patches stop, every vulnerability found is a zero-day event. No protection, no recourse, no fix. Any vulnerability in the 13-year-old system would spawn an exploit with no patch in sight. It's estimated that the zero days began on April 8 and, as WinXP is no longer updated, any problem or vulnerability found (and patched) in newer Windows versions (7, 8, 8.1) that also exists in WinXP will stay unpatched there and be exploited.

Will there be a sudden outpouring of breaches? What measures can be taken to protect an isolated WinXP computer? First off, the easiest thing to do is upgrade. Even if there is an application that absolutely, positively has to run on XP, it can be virtualized, firewalled, fenced off, and protected a lot more effectively than an aging workstation.

But what if the entire company is on XP, and there's no upgrade budget? Start simple. What does everyone do? Do they only surf the web, handle email, and use Word? Maybe a web sandbox, or a proxy server with anti-malware and antivirus, could help protect the workstations by centralizing web protection in one place that is kept updated? How about building an ESXi server and using VMware View with extremely cheap PCoIP boxes to virtualize all those WinXP workstations? That way they can at least be snapshotted and rolled back if there's an outbreak.

Finally, if your servers are running XP, then it's time to bite the bullet. XP was never designed as a server OS. No budget for hardware? Perhaps it's time to find out how easy the Ubuntu Linux server is? It's free! And it does a heck of a lot more than Windows XP as a server!

There are options, and many of them are available to most of the people and organizations still running XP. Hopefully, they will take the hint and upgrade, virtualize, and change paths. If not, there might be a significant increase in breaches, identity theft, and zero days. It could be very interesting in XP land.

