Skip to main content

Windows XP and Server 2003. But they WORK! Why upgrade?

By September 17, 2015May 14th, 2021Cybersecurity

For those tech savvy readers out there, isn’t it a blessing and a curse to be your family’s on-demand help desk for trivial computer issues? On one hand it’s great to be able to perform Harry Potter-caliber wizardry to fix that pesky printer because your mother-in-law somehow deleted its driver or be able to recover lost data because you knew Office had an auto-recover feature that your brother wasn’t aware of.

Ah, but all good things eventually do come to an end and there inevitably comes a time when you have to deliver some less-than-wanted news. I had the misfortune of having to explain to some people in my family why they needed to upgrade their operating system a few years ago. The confusion on their side of the conversation still haunts me today. I somehow needed to explain to someone who thought that they needed to just pay for “a new anti-virus” and all would be ok. It made me sad.

Software, like everything else, has a life cycle – a beginning, middle and end. When a piece of licensed software, like an operating system, is launched, the manufacturer usually takes on the responsibility to provide “support” in the form of patches to code or technical help. This period of support needs to be well defined, otherwise the business model for the manufacturer breaks down. When the end is identified, the company announces it and anyone or any company still using the product should determine a migration plan.

Microsoft Windows XP and Server 2003 are the latest in Microsoft’s operating system lineup to be retired – or more bluntly put, ignored and forgotten. That sounds harsh but don’t forget that Microsoft announces their plans to discontinue support well in advance of them sunsetting any product. Microsoft announced Windows XP’s end of life date as April 8, 2014 and July 14, 2015 for Windows Server 2003. These were the dates when Microsoft stopped releasing any patches for these products and ceased to provide any support for them. These dates were known years in advance. And yet still there are XP and Server 2003 machines in the wild.

But who cares? The software still works. You can still log on to the machine and most, if not all, of your applications function just like they did the day Microsoft said it no longer would support the OS.

And right, there is the reason why you should upgrade to a supported OS. Software, especially operating systems, is not perfect. We’re talking about complex applications that communicate directly with hardware, require many libraries of code to perform functions that users take for granted, and manage information that users assume is protected. Unpatched software functions just as flawed today as it did when it was written. I’ve mentioned in previous posts that hackers look for the path of least resistance to attack a system. The ultimate goal of any attack is to gain root access to the system itself. When a hacker is plotting a targeted attack they look for a common thread that makes their attack potentially more successful. If they are looking to hit a particular company they might guess what OS the company has deployed across their network. If they guessed Windows XP or 7 they’d most likely be correct.

As of August 2015, reports that nearly 58% of machines in use are running Windows 7 and just over 12% are running Windows XP. That means that more than 1 in 10 computers that are currently used for banking, medical research, insurance claim processing, digital media creation, software development, agricultural studies – [insert industry use case here] – is running an operating system that hasn’t had an update in over 17 months!

To put that in perspective, let me indulge you. As of this writing, in 2015 alone Microsoft has released 93 Windows/IE/Office patches to address vulnerabilities in its software. In 2014 they released 85 patches – 65 of which came after the April 8th official end of life support for Windows XP. That’s a total of 158 patches.  Of those patches, 54 of them are categorized by Microsoft as critical vulnerabilities — ones whose exploitation could allow code execution without user interaction.  In other words, that’s 54 ways for the bad guy to get in.  A smorgasbord of open doors to take your data.

An interesting fact is that none of these critical vulnerabilities have listed Windows XP or 2003 as affected software. But remember – they’re not releasing patches for those operating systems anymore.  So they’re not testing to see if they’re vulnerable in the same ways.  We have to assume, though, that a high percentage of those critical vulnerabilities are in the kernel of the Windows operating system, which is an evolutionary design.  They don’t rewrite it for every version.  They take the same kernel and modify sections of it to become the next release.  Windows 7 is Windows XP’s granddaughter.  They share more than a passing few traits and features.  The bad guys know that if Windows 7 is vulnerable, it’s very likely that Windows XP also has the same hole — and that hole cannot be patched.

The bottom line is that usage of Windows XP and 2003 today should be zero. We know that’s not the case right now, and that is scary. What’s worse is that there are some businesses that run business critical applications on Server 2003 and store highly sensitive data on machines running Windows XP.

Windows XP ran for 12 years with support from Microsoft. It had a good run. It’s time to move on.

If you oversee a corporate IT environment and have XP or Server 2003 in your infrastructure, you need to respond ASAP. And hopefully this post has just been another reconfirming reminder of why you’re already migrating. But do it faster.

And let this be a lesson. Don’t let users’ inertia, resistance to change or fear of recurring expense keep you on an aging piece of software.  Every product’s lifecycle must be understood, and its inevitable upgrade/retirement should be in the plans the day it’s implemented. Without proper foresight and planning a company can fall into a bad position.  Those “End of Life” dates sneak up faster than you’d expect.

By the way, ultimately, the way I was able to get my family to upgrade from XP was to point out that the latest version of their antivirus software of choice didn’t run on Windows XP (for obvious reasons). They wanted to make sure that their computer was protected from viruses so they upgraded. Ugh… But I guess the ends justify the means.

Steven Pressman

Author Steven Pressman

Steve is responsible for the strategic direction of the company and its products. He serves as the chief solutions architect, coordinating architecture and DevOps efforts for cloud, hybrid, and on-premises infrastructures. Read his full bio here.

More posts by Steven Pressman

Join the discussion One Comment

Leave a Reply