Posted by Andrew Harrison 01 April 2014
Why Microsoft finally retiring XP will lead to an exploit apocalypse
A week today, Microsoft will officially pull the plug on Windows XP’s life-support machine. This is hardly news, but TechAdvisor is hardly a news site; it is instead a space for opinion. So I’m going ahead to posit a personal prediction that will be readily verifiable by the time this magazine is on sale. Move over Nostradamus and all your vague and mystical centuries-away musings...
April the 8th of 2014 will be the day of apocalypse. The millennium bug that never really happened 14 years ago actually presaged a real but hidden meltdown, one that was ignited in 2001 and has been bubbling under since. That was the year that Windows XP finally arrived as Microsoft’s general-purpose consumer and business gravy train.
When first launched, Windows XP was a bag of nails. It took the first Sticking Plaster 1 (SP1) patch almost a year later to let it work almost-properly, and even let such novelties as USB function. Then expanding Windows security holes forced Microsoft to make big repairs for SP2 in 2004 and SP3 in 2008.
But its overall overwhelming success, as measured by number of people using it, would also unhinge Microsoft. Despite being hauled through the courts in the US, in Europe and in South Korea, for its ritual abuses of its monopoly position, Microsoft’s hubris grew to the point that it really thought it could replace XP with an even bigger bag of woodpins it called Vista in 2007.
And yet, it was XP that really took root. Three full Windows versions later, one-third of the entire world is still using XP. That could be because it’s relatively swift to run on any first-decade 21st century computer; there’s an almighty base of programs that will run on it; and besides one important element, there’s little that most normal users ever need from a PC operating system that the hoary old OS can’t provide.
The one missing element is of course security. Despite being based closely on the business OS of Windows NT and 2000, Windows XP still wasn’t prepared for an internet-connected world. When worms and Trojans started blasting their way through local networks and the net at large, XP might as well have had a bullseye painted on its queasy blue and green interface.
Microsoft has tried to retire XP before now, but the outcry from users and huge businesses meant it had to delay the termination day of support. So Microsoft won’t be there to support and hold hands from now – what’s the big deal, I know how to use Windows?
Support here of course means security patching. No OS is perfect out the door at version 1.0, Windows systems particularly so, and as holes get uncovered they must be plugged by the maker who jealously holds all the source-code cards. Exploits in Windows XP in the last 13 years have been legion, typically allowing a remote attacker to take control of the PC after its user’s done nothing more than visit a website or open a JPEG.
The big holes that lead to total compromise of a Windows box and for which no patch is available are of course the zero-day exploits. Hackers, malware developers and online fraudsters have been saving up some of their best of these of late, wisely waiting for the time when Microsoft turns the sign around at its security update labs.
As soon as they’re sure the security patches have stopped being issued, all hell will be let loose as every single user of a Windows XP computer becomes online cannon fodder for their walk-in tricks.
No salvation in antivirus software
No antivirus software will save XP’s skin here – zero-day exploits cut through third-party security software as easily as the swiss-cheese operating system itself.
And what do you do if you’re running the nation’s health system on a fleet of creaky Windows XP terminals after April 2014? You could always stump up £30 million or so for a little private contract with Microsoft to patch the worst of what’s about to come. For one year anyway. That’s what our NHS has done, backed into a corner and locked into Microsoft’s software prison through the decade-old confluence of ruthless salesmanship and clueless government decision making.
If you don’t have £30 million yourself tucked behind the sofa and are still using Windows XP, then by the time you read this you may be able to let me know first-hand how the prophetic revelation panned out.