Educated estimates suggest that almost 1 in 5 personal computers still run Windows XP. While this figure has dropped from 25 percent last year, it will remain stubbornly high for some time. The picture is even more complex with XP still running on computers embedded in systems that are difficult to upgrade – the likes of ATM machines, kiosk, airline ticketing or military systems.
And it’s not just a problem limited to the UK. In China, for example, XP remains even more prevalent, with over 22 percent of computers still running Internet Explorer 6, the default browser parcelled with XP and itself over a decade old.
So XP will be with us for some time, and in some quite unexpected places. Little wonder banks and governments are paying millions of pound to extend support beyond April 8th.
Cyber criminals play the numbers game. They are interested in targeting a large population and will attach far greater value to an opportunity to exploit current operating systems and applications, and ideally cross platform. That doesn’t mean computers running XP will be ignored as they provide a useful population of vulnerable systems to recruit into botnets for spam and potential attacks.
There has been speculation about cyber criminals holding back a large store of XP vulnerabilities ready to exploit obsolescent systems. I doubt that will happen – the incentive to exploit early and make money is just too great. However, I suspect some intelligence agencies might have a few zero days still in stock just in case.
Many of the legacy systems which represent the XP population are also in difficult to reach places, where the security of the system depends as much on physical security and network segregation as it does on the patching of the operating system itself.
Unlike those trying to use fear, I like to take a more pragmatic view on Windows XP end of support. It is worth remembering just how much obsolete software resides on our desktops. A survey of Java versions on a million end points last year found many had multiple versions of Java installed. On average organisations ran over 50 different Java versions, and more than half the organisations surveyed had Java software running which was over 5 years old.
So let’s look beyond Windows XP, but learn some lessons about the importance of managing obsolescence, removing obsolete software, and remembering to secure those out of sight computers.