Tomorrow marks the end of support for Windows XP by Microsoft. There are multiple reasons why we still see XP in use today: the cost of upgrading can be daunting and machines may run critical legacy apps dependent on XP. There is also a lack of awareness of the size and state of the XP device population. Lastly, there are governments and other large organizations who have chosen to buy extended support for the OS from Microsoft.
In 2013, more than 70% of Microsoft’s security patches affected Windows XP, and after April 8, this trend will continue even though Microsoft will not explicitly state this. XP use is dropping quickly, but according to BrowserCheck XP data from last month, we’re still seeing 14% usage across enterprises.
According to international data from Qualys’ BrowserCheck comprising more than 100,000 monthly vulnerability scans, Windows XP usage in Q1 2014 ranges from 7% to 13% in the U.S., the UK, Germany and France.
United States and United Kingdom
The UK and US have made the most progress of the countries we studied, reducing exposure in enterprises by more than half since Q1 2013 – down to 8% this quarter from 18%.
France
While French businesses have reduced exposure by nearly half, the country is the most at risk, with 13 percent of enterprises still using XP, down from 23 percent in Q1 2013 – significantly higher than the other countries we studied. At this rate, it will take at least an entire calendar year for XP exposure to be eliminated.
Germany
German enterprise PCs only had 12 percent of scans showing XP usage in Q1 2013. However, Germany has had the slowest progress in reducing exposure, with 7% of scans still showing usage in Q1 2014. At the current rate of decline, it is likely to take Germany at least another year and a half before machines running XP are either retired or upgraded.
So how long will XP survive? Certainly into 2015 and maybe beyond. A linear extrapolation of the data, which leads one to believe in 2015 as an endpoint, is too optimistic given that companies and governments will buy extended support from Microsoft and there will be operational barriers in other organizations.
In a separate scan of QualysGuard data from 6,700 companies, we identified substantial differences in XP usage by industry:
- Finance: 21 percent of scans show usage, a level that is too high, especially for an industry dealing with such sensitive data
- Transport: 14% of scans show usage – though this industry accounts for the sharpest drop (from 55% to 14% in the last twelve months)
- Retail: 14% of scans show usage
- Services: 7% usage rate
- Healthcare: 3% usage rate
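The two measurements this post leans on, the XP share of a scanned population and the linear extrapolation of its yearly decline, as an added example that is not Qualys code. It assumes each scan records the browser's User-Agent string, in which an XP host appears as "Windows NT 5.1" (or "5.2" for XP x64); the scan records and group names are constructed.

```python
"""Measure the Windows XP share of scanned browsers and project, with the
post's linear extrapolation, how long the decline takes.  Added example for
this article, not Qualys code; the scan records below are constructed."""
import re
from collections import defaultdict

# Assumption: an XP host's browser reports "Windows NT 5.1" ("5.2" for XP x64)
# in its User-Agent, which lets a browser-side check classify the OS.
XP_TOKENS = ("Windows NT 5.1", "Windows NT 5.2")

# One constructed record per scan: <date> <group> "<User-Agent>"
SAMPLE_SCANS = '''\
2014-03-03 finance "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
2014-03-03 finance "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
2014-03-04 finance "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2014-03-04 retail "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2014-03-05 retail "Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
2014-03-05 retail "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 Safari/537.74.9"
2014-03-06 retail "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
this line is malformed and must be skipped, not counted
'''
RECORD_RE = re.compile(r'^(\S+)\s+(\S+)\s+"(.*)"$')

def is_xp(user_agent):
    """True when the User-Agent names an XP-era NT kernel version."""
    return any(token in user_agent for token in XP_TOKENS)

def xp_share_by_group(records):
    """Return {group: (xp_scans, total_scans, xp_percent)}; malformed
    records are skipped rather than silently counted as non-XP."""
    counts = defaultdict(lambda: [0, 0])
    for line in records.splitlines():
        match = RECORD_RE.match(line)
        if not match:
            continue
        _date, group, user_agent = match.groups()
        counts[group][1] += 1
        counts[group][0] += int(is_xp(user_agent))
    return {g: (xp, total, round(100.0 * xp / total, 1))
            for g, (xp, total) in counts.items()}

def years_until(share_prev, share_now, target=0.0):
    """Linear extrapolation as in the post: share_prev was measured one year
    before share_now.  Returns years until the share reaches target (0 = XP
    gone) or None if the share is not falling; a target above 0 models the
    residual population that buys extended support (why 0 is optimistic)."""
    yearly_drop = share_prev - share_now
    if yearly_drop <= 0:
        return None
    return round(max(share_now - target, 0) / yearly_drop, 2)
```

With the post's own figures, `years_until(23, 13)` gives 1.3 years for France and `years_until(12, 7)` gives 1.4 for Germany; raising the target to a non-zero residual share shortens the estimate, which is the sense in which a target of zero is optimistic.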
There’s clearly a large install base relying upon XP right now, and for these organizations I have two pieces of advice. First, upgrade your software or decommission it. Where an XP machine can’t simply be upgraded, examine whether it is really a critical component of your system. Isolate XP as much as possible, and limit dangerous activity on these devices (including surfing the web and using email). Secondly, install Microsoft’s EMET – this is a hardening tool, and one that I’ve personally used and recommend. It monitors activity, identifies irregular behavior and aborts suspicious programs. It’s worked against all 0-days I’ve seen this year, and has prevented exploitation of vulnerabilities. It’s not widely publicized, but has very nice capabilities.
Of course, there is also the option to sign up for Extended Support. It is expensive, running into millions of US dollars for an organization with enough machines, such as the UK NHS or the Dutch government that were recently in the news, but it might be necessary to assure the security and consistency of their respective infrastructures and to buy the time needed for the migration.