I’ve had a few people mention to me a recent blog post by Microsoft¹, discussing what the company feels are some of the many risks associated with continuing to run Windows XP after the end of support in April of 2014.
I’ve had more people point me at “press” (I put press in quotation marks because many don’t actually deserve to be referred to as legitimate and reputable) reports based on that same post. These run the range from a relatively accurate reporting of what was said to an all-out “Microsoft is introducing zero-day vulnerabilities in XP that they won’t fix so you’re forced to switch!!!” hyperbole.
As is so often the case, the truth is much more nuanced than that.
And yet, it is important.
No one is intentionally introducing vulnerabilities
Let’s start by clearing that one up.
The notion that Microsoft would intentionally introduce vulnerabilities into their software to force people to upgrade is patently absurd to me. I know the Microsoft-haters want it to be true; sadly, some will actually believe it.
That notion is simply not good business and it’s not necessary.
The transition is happening, albeit perhaps more slowly than Microsoft might like. At best, that kind of self-sabotage would only hasten the inevitable at the risk of further reputation-damaging press as well as potential legal action. I don’t believe Microsoft is so stupid as to risk those kinds of results just to accelerate a timetable.
Besides, they don’t have to do that. The vulnerabilities are already in there.
They just haven’t been discovered yet.
Software has bugs – complex software has lots of bugs
It’s difficult for many people to grasp this concept, but it’s as true today as it’s ever been.
All software has bugs: unintentional errors that creep in during development and revisioning. The vast majority of these bugs are so benign as to be inconsequential, or go completely unnoticed for years.
Even though Windows XP has been out for well over a decade, there are still bugs in the software that have not been discovered. An operating system like XP is almost unimaginably complex and the probability that all of the bugs that it contains will ever be discovered and fixed is exactly zero. It won’t happen.
Over time, some of those bugs will be discovered. And they will be exploited by malware authors.
How bugs found in Vista, 7, and 8 may impact XP’s security
Windows Vista was not a complete rewrite of XP. Windows 7 wasn’t a complete rewrite of Vista, and 8 wasn’t a complete rewrite of 7. In each case, some components were rewritten, some were altered only slightly, and others were left alone.
Windows Vista, Windows 7, and Windows 8 each contain some code that dates back to Windows XP. And with that code comes the potential of bugs.
A vulnerability is a bug or design flaw in software that allows that software to be used in some malicious and unintended way. All software has bugs, which are nothing more than mistakes made in the design or implementation of the software. Bugs can
- A vulnerability is discovered in some part of Windows 8 (or 7 or Vista) – a vulnerability that could be exploited by malware.
- The vulnerability is patched and the affected software updated – but if they are affected, only Windows Vista, 7, and 8 are fixed.
- Malware authors examine what was fixed, how it was fixed, and figure out what the original vulnerability was.
- They then ask an important question: “Was this vulnerability in Windows XP?”
If so, they can write malware that targets the vulnerability in Windows XP, which they know will never be patched.
If you follow that scenario closely, you realize that it can be interpreted this way:
- Fixing bugs in Windows Vista, 7, and 8 can cause vulnerabilities in Windows XP to be made public.
And indeed, that’s true. Hackers will use the information. They can reverse engineer bug fixes in supported versions of Windows to exploit any vulnerabilities that might remain in unsupported versions, like Windows XP.
And that’s exactly what the Microsoft blog post warned about.
Some people, or perhaps media outlets looking for sensational headlines, claimed that this scenario was somehow entirely premeditated malice on Microsoft’s part.
In reality, it’s nothing more than an expected side effect of exactly what has been planned and publicized all along:
- Microsoft will continue to fix bugs in supported versions of Windows, as they should.
- Microsoft will not fix bugs in unsupported versions of Windows, as they’ve been warning us for years.
The other accusation
There’s another scenario that I’ve heard that is unprovable at this point. It goes like this:
Microsoft knows about vulnerabilities in Windows Vista, 7, and 8 that they are choosing not to fix and leaving those systems vulnerable until after the Windows XP support end date, so that they won’t have to fix them in Windows XP.
In other words, it’s a conspiracy theory!
I’ll stick with what I said: it doesn’t make business sense for Microsoft, and it’s just not necessary.
Until presented with cold, hard facts (and not hearsay), I give that accusation exactly zero credibility.
What it all means to you
If you’re still running Windows XP, I’d seriously encourage you to consider an alternative come April.
While it probably won’t be as bad as the scare-mongers might have you believe, the bottom line is that by continuing to run Windows XP beyond the end of support date, you are intentionally choosing to take on some additional risk.
Is that risk worth taking? Only you can answer that.
If you do go down that path, I encourage you to stay on alert and keep your defenses strong. Up-to-date anti-malware tools, common sense, and regular backups will be more important than ever.