Microsoft Kills Windows XP Anti-Virus
No More AV Signature Updates for Ancient Operating System
Shed a tear for enthusiasts of aging Microsoft Windows operating systems.
That's because July 14 is the day that Microsoft stopped supporting Windows Server 2003, strongly encouraging holdouts to move to Windows Server 2012 R2 (see Windows Server 2003: Mitigating Risks).
Old technology never really dies; it just fades away, never quite reaching zero.
But July 14 is also the day when Microsoft stopped issuing updates and new signatures for the built-in Windows XP anti-virus tool known as Microsoft Security Essentials. You may recall Windows XP, which debuted in October 2001 and was small enough to fit onto a single CD-R.
In fact, many XP lovers have yet to move on, according to market researcher NetMarketShare. It reports that while 61 percent of all desktop or laptop systems are running Windows 7, Windows XP still accounts for 12 percent of all such systems. That makes it marginally less popular than the 16 percent of combined Windows 8 and 8.1 users, and still more popular than the 7 percent of people running some flavor of Mac OS X.
Windows XP has been going away, slowly. Capping off seven years of related warnings, Microsoft in April 2014 stopped issuing fixes or security patches for the operating system, although it did introduce a single update shortly thereafter to patch a nasty zero-day Windows bug. But since then, XP has been left adrift, and would-be attackers have been free to reverse-engineer every Windows patch to create potential new zero-day exploits against XP holdouts (see What Happens When Windows XP Support Ends?).
Many anti-virus vendors, however, are continuing to ensure that their software will still run on XP, at least for now. Likewise, Google's Chrome team says that it plans to continue ensuring that its browser remains compatible with Windows XP until at least the end of 2015.
From a herd immunity standpoint, however, anyone who's still using Windows XP - and now Windows Server 2003 - is themself a threat. As security expert Graham Cluley warned last year: "Anyone connecting a Windows XP computer to the Internet ... is not only putting themselves at risk, but also endangering all of us on the Internet - as their computers may be hijacked into botnets and used to spread malware and spam attacks."
Until Upgrade Do We Part
Of course, old technology never really dies; it just fades away to zero, says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. But some organizations are still hanging on. Dublin-based information security expert Brian Honan, for example, tells me that he knows of "a number of organizations that are still running Windows Server 2003 and, indeed, will be for the foreseeable future," thanks, in part, to their reliance on older software that might not run on newer devices or modern Windows Server software.
Migrated from Windows server 2003 right? RIGHT? No more patches from today. Expect to find it for years to come. pic.twitter.com/ZvUt0wALrc - Gavin Millard (@gmillard) July 14, 2015
Life support doesn't come cheap. The U.S. Navy reportedly signed a $9.1 million contract with Microsoft in June to continue a year's support for 100,000 Windows XP systems, which works out to $91 per PC. And the word on the street is that extended support for each Windows Server 2003 device will cost $600 for the next year, with the price doubling every year thereafter.
Organizations that are concerned about security, however, and in a position to move on certainly should do so. In fact, don't just figure out how to ditch Windows XP and Windows Server 2003, but also think about how you might get rid of Windows 7 as well as Windows Server 2008, both of which stopped receiving "mainstream support" - meaning major upgrades - this year, and which are scheduled to reach "end of life" in 2020. "They're only releasing security patches now," warns Trustwave threat intelligence manager Karl Sigler.