Windows XP will not be supported, or updated, or patched by Microsoft after April 2014
I have argued before that it will not be a good idea to run Windows XP after Microsoft cease support for it in April 2014. The main argument is quite straightforward – from the point of view of people wanting to do you harm, there will probably be so many installations of XP running after that date that it will be worth spending time and effort exploiting vulnerabilities that they know Microsoft will not be fixing.
Here’s another argument – taken directly from an official Microsoft Security Blog:
Whenever Microsoft become aware that there is a vulnerability in one of their products, they always check all other SUPPORTED Microsoft products to see if the vulnerability also exists in those other products. If it does, then it fixes the potential problem in all places at once. The reason they do this so assiduously (and not just because it is good housekeeping) is that the bad guys analyse security updates to see if they can find what it is that the update fixes, and then see if other products are affected in the same way.
Since Microsoft release the update for all products at once, the bad guys can’t use the knowledge to exploit an “unfixed” program. However, after Microsoft stop updating Windows XP then the bad guys can use knowledge gleaned from analysing updates to Windows 7 (for instance) to discover an unfixed vulnerability in Windows XP.
And this risk is by no means just hypothetical. To quote the Microsoft blog referenced above:
“How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.”
In other words, it could happen two or three times a month. And the effect will be cumulative as older vulnerabilities won’t ever be fixed.
I’m tempted to apologise for bringing this subject up again. After all, it probably won’t affect most of the readers of this blog as most people will be using either Mac OSX or a more recent version of Windows. But what about that old computer you’ve got in the spare bedroom on the third floor? You know, the one you boot up just occasionally when you can’t be bothered walking all the way downstairs? What about the computer you passed down the line to a family member? Are they likely to be using it next year and beyond? For all the users out there who change their computers every 2-5 years there are also plenty who don’t, as they only use their computer for the internet and don’t need the fastest and newest.
No-one knows for sure just what will happen after April 2014. Maybe nothing at all will happen (remember the Millennium Bug that turned out to be more of a damp squib?) Personally, I’m not going to risk it (unless I choose to do it on purpose on a computer completely isolated from the network of my others). However, I can just hear plenty of people saying “I’ll carry on just the same and do something about it if I have to”. But by then your data may be well and truly messed up, corrupt, missing. “OK”, you say “I’ll throw a six and start again on a new computer”. Fair enough – but be prepared to discover there are all kinds of passwords, account details, purchase histories, old correspondence, and goodness knows what else that you may have lost if your old machine has become well and truly messed up.
PS: I do realise that many organisations were still deploying new XP installations well after the dates above, but my own IT support clients tend to be individual professionals or home users (or both). They are the readership I am addressing. Besides which, there’s an argument for saying that it’s even more important for organisations to move away from XP than individuals – even if those installations are newer.
(Last updated 08/09/2023)