The popular operating system Windows XP is about to become a lot less secure, yet a surprisingly high number of enterprises still expect to run parts of their business on the software, analysts say.
As long planned, Microsoft ended support on Tuesday for XP users—meaning no new security updates will be offered. And without these security patches, anyone using the operating system leaves the network open to an attack the next time a vulnerability is discovered.
Companies that don't upgrade are asking for problems sooner or later, analysts say.
"This has the potential to be a big problem, especially for businesses," said Michael Fumai, chief operating officer of Blue Ridge Networks, a cybersecurity firm. "The bad guys have been waiting for this sunset date, they are more prepared than many businesses, and in a lot of cases they are better funded to use this to their advantage."
Over the years, Microsoft has issued over 700 upgrades to Windows XP and about 60 percent of those updates were rated as "critical." Given its track record, there's a good chance more vulnerabilities will be discovered and that could cause a big headache for companies and consumers still using the outdated OS, said Sanjay Castelino, vice president of marketing at Spiceworks, a professional network for IT.
"It opens up the possibility for a big negative impact. It's not like everything is going to blow up right away, but as of Tuesday they are not issuing fixes," Castelino said. "So you might find two months from now, people are complaining because a problem arises and now as a business you are under the gun to resolve that problem with very little time to do it."
Windows XP was released to the public in 2001, and despite newer operating systems since then (Windows 7 in 2009, and Windows 8 in 2012) a lot of businesses still use it to run important operations.
According to a recent Spiceworks survey, 76 percent of respondents said they still use at least one Windows XP system on their network, a statistic that Castelino called "scary." And the system isn't just limited to office computers and personal computers, it has also become common on ATMs, point-of-sale retail devices and even in some health care equipment.
Because the software is so widespread, it can be difficult for companies to ensure they are 100 percent protected. Even if a business has actively been upgrading all outdated systems, there's still the chance that it could miss some machines, and that can cause a lot of damage, said Ken Bechtel, a malware analyst at Tenable Network Security.
"There could be a lot bigger impact than people are realizing," Bechtel said. "A lot of companies aren't sure of which computers are running XP and which aren't. It's hard to get that kind of transparency."
Companies still using the software are doing so primarily because of the cost of switching operating systems and because apps that are critical to their business weren't compatible with later systems, Castelino said.
Microsoft is offering some support through mid-July for XP users that can't upgrade by Tuesday and is discounting its Windows 8 Pro and Office 2013 products for small and medium-size businesses until the end of June.
Businesses and consumers that haven't already upgraded can also help protect their networks by making sure they are running updated anti-virus software and by isolating any computers running Windows XP on a different network, Bechtel said. Point-of-sale devices and ATMs should also be isolated off the network, he said.
But even taking these steps is just biding time, he added.
"Upgrading is going to be your only option at some point," Castelino said. "What you do between now and then is just delaying the inevitable."
First published April 8 2014, 8:42 AM