Oct. 8, 2012 at 12:10 PM ET
When Microsoft introduced Windows Vista in 2007, many people refused to make the switch from Windows XP, an operating system they liked a lot.
Windows XP still has a legion of devoted users who've stuck with the old system, despite all the bells and whistles and improved security of Windows 7. Some of those users would probably prefer to avoid Windows 8 as well.
However, Microsoft rained on the XP users' parade when the company announced it would be ending its support for the aging OS by April 2014.
That means there will be no more upgrades for XP, and no more security patches.
Withdrawing the troops
That's very bad news for anyone who uses XP, according to Fortinet Research's Stefanie Hoffman.
"Legacy XP systems will become increasingly vulnerable to zero-day attacks and other security threats," Hoffman wrote in a recent blog posting. "The sudden absence of support for XP leaves a void that will likely be filled by a slew of old and/or soon-to-be-discovered vulnerabilities and subsequently give rise to a new crop of security exploits that specifically target these legacy systems, which are now devoid of security updates or support."
Fortinet investigated just how dangerous older and/or outdated operating systems can be to computers. The threat team checked its database for malware snapshots on the same date every year over the past 13 years — during which Windows 2000, XP, Vista and 7 were released — and found that older operating systems typically have more exploit activity.
That's partly because malicious code and exploit kits for older systems have more time to circulate and mature. It's also because the security on newer operating systems is simply better.
As Hoffman pointed out, "It's also harder today to get a working rootkit for Windows 7 than Windows XP thanks to Microsoft technology such as PatchGuard, which protects the kernel of an operating system from being unduly modified."
Here come the barbarians
So what can XP users expect if they decide to avoid an upgrade to Windows 7 or 8, or wait until April 2014 to make the switch?
"Full-disclosure security research typically follows a certain pattern: a vulnerability is discovered by a security researcher, a bulletin is released to numerous security mailing lists outlining the vulnerability, and there is a frantic scramble for manufacturers to repair the problem," explained Dylan Evans, vice president of operations at Reveal Digital Forensics and Security in Boise, Idaho.
"These same mailing lists are also monitored by hackers, meaning that once a new vulnerability is discovered, there will be a rise in attempted attacks until the problem is patched entirely," Evans said.
Don't be lulled into thinking that your old machine is off the hook just because a new strain of malware targets a newer operating system.
"New operating system versions still reuse much of the same code, especially when considering the kernel," Evans said. "This means that newly discovered vulnerabilities have the potential to affect old operating systems long past the date that support ends for them.
"If the manufacturer doesn't repair the security hole, it is generally up to third-party security researchers to discover a patch. The average user will neither be aware of the vulnerability nor the patch due to the lack of automatic support, and this puts them at risk."
Even Mac owners need to upgrade
Windows machines get the bulk of the attention when it comes to operating-system vulnerabilities, but Mac owners also need to remember that updating to the latest operating-system version is equally important to their security.
"On the Mac OS front, the newest versions, Lion and, more recently, Mountain Lion, have made moves that showed that Apple was more serious about security," said Ryan Permeh, chief technology officer at Newport Beach, Calif., security firm Cylance.
"With the Lion release, Apple started to use an app store model similar to their iDevices. This allows a control point for getting updates, and offering a degree of quality control on the software that is offered," Permeh said.
"Additionally, in Mountain Lion, they implemented a new system called Gatekeeper as a default protection mechanism. Gatekeeper ensures that applications that run must be signed by an appropriate signing vendor. This ensures that rogue applications do not run."
In the end, said Evans, the same very important rule of thumb applies to any piece of software, whether it's an operating system or an anti-virus program: stay current.
"When you can't stay current anymore, like when a manufacturer drops support for an old OS," Evans said, "you absolutely need to upgrade if you plan on keeping your personal information safe."