“What once was considered low-hanging fruit by hackers now has a big neon bull’s eye on it,” says Patrick Thomas, a security consultant at the San Jose, California-based firm Neohapsis.
Microsoft has released a handful of Windows operating systems since 2001, but XP’s popularity and the durability of the computers it was installed on kept it around longer than expected. Analysts say that if a PC is more than five years old, chances are it’s running XP.
While users can still run XP after Tuesday, Microsoft says it will no longer provide new security updates, issued fixes to non-security related problems or offer online technical content updates. The Redmond, Wash.-based company says it will provide anti-malware-related updates through July 14, 2015, but warns that the tweaks could be of limited help on an outdated operating system.
Most industry observers say they recognize that the time for Microsoft to end support for such a dated system has come, but the move poses both security and operational risks for the remaining users. In addition to home computers, XP is used to run everything from water treatment facilities and power plants to small businesses like doctor’s offices.
Thomas says XP appealed to a wide variety of people and businesses that saw it as a reliable workhorse and many chose to stick with it instead of upgrading to Windows Vista, Windows 7 or 8.
Prone to crashing
Thomas notes that companies that don’t like risk, generally don’t like change. As a result, companies most likely to still be using XP include banks and financial services companies, along with healthcare providers. He also pointed to schools from the university level down, saying that they often don’t have enough money to fund equipment upgrades.
Marcin Kleczynski, CEO of Malwarebytes, says that without patches to fix bugs in the software XP PCs will be prone to freezing up and crashing, while the absence of updated security related protections make the computers susceptible to hackers.
He added that future security patches released for Microsoft’s newer systems will serve as a way for nefarious people to reverse engineer ways to breach now-unprotected Windows XP computers.
“It’s going to be interesting to say the least,” he says. “There are plenty of black hats out there that are looking for the first vulnerability and will be looking at Windows 7 and 8 to find those vulnerabilities. And if you’re able to find a vulnerability in XP, it’s pretty much a silver key.”
Those weaknesses can affect businesses both large and small.
Mark Bernardo, general manager of automation software at General Electric Co.’s Intelligent Platforms division, says moving to a new operating system can be extremely complicated and expensive for industrial companies. Bernardo, whose GE division offers advisory services for upgrading from XP, says many of the unit’s customers fall into the fields of water and waste water, along with oil and gas.
“Even if their sole network is completely sealed off from attack, there are still operational issues to deal with,” he says.
Hefty cost of upgrading
Meanwhile, many small businesses are put off by the hefty cost of upgrading or just aren’t focused on their IT needs.
Barry Maher, a salesperson trainer and motivational speaker based in Corona, California, says his IT consultant warned him about the end of XP support last year. But he was so busy with other things that he didn’t start actively looking for a new computer until a few weeks ago.
“This probably hasn’t been as high a priority as it should have been,” he says.
He got his current PC just before Microsoft released Vista in 2007. He never bought another PC because, “As long as the machine is doing what I want it to do, and running the software I need to run, I would never change it.”
Mark McCreary, a Philadelphia-based attorney with the firm Fox Rothschild LLP, says small businesses could be among the most effected by the end of support, because they don’t have the same kinds of firewalls and in-house IT departments that larger companies possess. And if they don’t upgrade and something bad happens, they could face lawsuits from customers.
But he says he doesn’t expect the wide-spread malware attacks and disasters that others are predicting — at least for a while.
“It’s not that you blow it off and wait another seven years, but it’s not like everything is going to explode on April 8 either,” he says.
McCreary points to Microsoft’s plans to keep providing malware-related updates for well over a year, adding that he doubts hackers are actually saving up their malware attacks for the day support ends.
But Sam Glines, CEO of Norse, a threat-detection firm with major offices in St. Louis and Silicon Valley, disagrees. He believes hackers have been watching potential targets for some time now.
“There’s a gearing up on the part of the dark side to take advantage of this end of support,” Glines says.
He worries most about doctors like his father and others the healthcare industry, who may be very smart people, but just aren’t focused on technology. He notes that healthcare-related information is 10 to 20 times more valuable on the black market than financial information, because it can be used to create fraudulent medical claims and illegally obtain prescription drugs, making doctor’s offices tempting targets.
Hoping for the best
Meanwhile, without updates from Microsoft, regular people who currently use XP at home need to be extra-careful.
Mike Eldridge, 39, of Spring Lake, Mich., says that since his computer is currently on its last legs, he’s going to cross his fingers and hope for the best until it finally dies.
“I am worried about security threats, but I’d rather have my identity stolen than put up with Windows 8,” he says.--Bree Fowler with Joyce M. Rosenberg