Next week, Microsoft will deliver its last set of public security patches for Windows XP.
The end-of-life for XP which has been announced for a number of years now, means that computers running XP will be very attackable in the near future. Over 70% Microsoft’s security bulletins in 2013 affected XP, and there is no reason to assume that this will change in the near future. XP will be affected by a large percentage of the problems exposed in May, June and July, but there will be no remedy (except for companies that pay for extended support – an option that is at least US$ 100,000/year).
The best solution is to migrate away from this outdated (designed in the 90s) operating system to a newer version, with the best candidates being Windows 7 and Windows 8. Organizations have focused a large amount of resources and money on updating their infrastructures, and we have seen the percentage of Windows XP machines drop from 35% in January 2013 to 14% in February 2014. We now project to be at 10% of Windows XP machines by the end of this month.
Different industry sectors show different XP migration profiles. For example, transportation dropped impressively fast from 55% in January 2013 to 14% in February.
Healthcare has been consistently low in the ratio of Windows XP in their organizations’ networks.
Both of these industry sectors had significant challenges to overcome, especially in regards to specialized (non-IT managed) equipment that is connected to their networks and that frequently cannot simply be updated. Many industrial control systems and medical devices, configurations that typically have much longer useful lifespans (>10 years) than pure computer equipment (<4 years), have Windows XP systems as vital components in their setups that cannot simply be updated. Nevertheless, these systems are full XP and as attackable as your average office machine if they are used in similar fashion, for email and web browsing. Moving these machines into network segments that do not have direct Internet access and introducing additional firewalls that curb that type of usage are ways to improve security.