Windows XP: Microsoft’s ticking time bomb
There are also “soft problems” for companies that don’t migrate to the most up-to-date software, added Shepley. “Companies run the risk of being left behind the rest of the industry,” he said. “If you’re using a 32-bit version of XP, all the new tools and software that allow your competitors to be competitive won’t be available to you.”
Despite the real security risks, analysts have suggested that corporations are reluctant to budget for the time and money required for a full migration. Many won’t even be able to upgrade before the cut-off date.
According to IHS iSuppli analyst Craig Stice, most businesses have tried to avoid a full IT refresh amid the economic uncertainty, with managers “hanging on” to the hardware they already have.
“They’re extending the life of [hardware] as best they can, through internal upgrades or additional memory – doing anything to increase performance without having to upgrade,” he said. “Traditionally, PCs are refreshed every four years. We’re seeing that extended pretty dramatically to five or six years.”
According to Shepley, it’s been so long since most businesses have conducted a wholesale migration that many have simply forgotten how long it will take. Microsoft states that corporations should leave up to 30 months to complete their migration.
“Some of our clients think it can be done over a few weekends. They don’t understand how many applications they have,” said Shepley. “One client we’re working with believes they have 1,000 applications; we’re doing an inventory for them, and our number is somewhere north of 4,000. People don’t realise how much app proliferation has gone on since they put XP in.”
It hasn’t helped that Microsoft has, in some instances, been undermined by its rivals continuing to support products on XP.
Many organisations still run dozens, or even hundreds, of applications on XP and may have trouble migrating
One such company, Google, recently announced that it will continue to support Chrome on XP until April 2015 – a year after the deadline for extended support expires. “We recognise that hundreds of millions of users, including a good chunk of current Chrome users, still rely on XP,” said Google.
“Many organisations still run dozens, or even hundreds, of applications on XP and may have trouble migrating.”
Security experts condemned Google for “facilitating” unsafe internet use. “Yes, maybe Google can keep a handle on bugs and security holes in Chrome running on Windows XP,” said security analyst Graham Cluley, “but it’s powerless to fix vulnerabilities in Windows XP itself.”
Given the hundreds of millions of users potentially at risk, many are expecting Microsoft to relent and release patches. “People are hoping they can get away with it, and that Microsoft will issue a patch of some kind,” said Shepley. “It will be interesting to see if something comes onto the internet that affects XP in a bad way quickly. Where Microsoft can deliver a fix, will it? Otherwise, it’s forcing an awful lot of people to be significantly impacted.”
However, Shepley isn’t optimistic that Microsoft will perform a U-turn. “Personally, I don’t think it will push back,” he said. “XP arrived in 2001, so we’re talking about producing a fix for something that [will be] around 13 years old.”
There is some comfort for businesses that are likely to miss the April deadline: they have the option of switching to Windows Server 2003, which is based on the same kernel as Windows XP, but won’t be terminated until 14 July 2015. “All the people we know who will miss the April 2014 deadline will easily hit April 2015,” said Shepley.
One mitigation strategy being employed by those who are set to miss the deadline is disconnecting vulnerable PCs running XP from the internet – but this isn’t without risks, either. “Even if a device is only a on private network another device – even one running a supported product – can be infected with malware outside and can bring it onto the private network, infecting other devices,” Gartner said earlier this year.
Nonetheless, both Cluley and Shepley agreed that Microsoft should send out a “strong message” to warn more users off XP before the April deadline.
“Microsoft has done well communicating through partners, even if it isn’t quite so doom and gloom itself,” said Shepley. “Part of me wishes it would say, ‘Right, we’re going to remotely turn off every XP box on 9 April’, because everyone would then pay attention.”