News

Windows XP Support Deadline Does Not Apply to Embedded Systems

• By Kurt Mackie
• February 19, 2014

Most Windows XP Embedded versions will live on for a few more years, even as the Windows XP desktop OS loses "extended" support on April 8, Microsoft clarified this week.

Of the Windows XP Embedded OSes, only Windows XP Professional for Embedded Systems will lose extended support on the same day as Windows XP. That's because the Pro version is basically the same product as Windows XP for desktop computers, explained Dave Massy, a senior program manager on the Windows Embedded team, in a blog post.

The loss of extended support means that no more security patches will be issued by Microsoft for the OS, leaving systems potentially vulnerable to attack.

Two Windows XP Embedded products will lose extended support in 2016, while two others face 2019 end-of-life dates, according to the post:

• "Windows XP Embedded Service Pack 3 (SP3). This is the original toolkit and componentized version of Windows XP. It was originally released in 2002, and Extended Support will end on Jan. 12, 2016."
  
  
• "Windows Embedded for Point of Service SP3. This product is for use in Point of Sale devices. It's built from Windows XP Embedded. It was originally released in 2005, and Extended Support will end on April 12, 2016."
  
  
• "Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008; and Extended Support will end on Jan. 8, 2019."
  
  
• "Windows Embedded POSReady 2009. This product for point-of-sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and extended support will end on April 9, 2019."

The "componentized" aspect of some embedded OSes indicates that independent software vendors have the option to reduce the footprint of the OS by excluding some of Windows XP's functions that don't fit the design criteria of a particular device. Reducing the footprint can aid security by enabling fewer avenues of attack. The embedded OSes also lack the Windows Update component, according to a Microsoft whitepaper (PDF), so the embedded OSes aren't subject to change as much as their desktop cousins.

Windows Embedded OSes typically get used for special-purpose devices or kiosks, including point-of-sale devices or inventory devices. They might not represent a typical attack object, although both Neiman Marcus and Target recently had point-of-sale device malware breaches. Possibly, the Target stores used Windows XP Embedded or Windows Embedded for Point of Service OSes, according to a Krebs on Security post. Many ATM machines used by banks also may be using Windows Embedded OSes.

In the meantime, the April 8 loss of extended support for Windows XP desktop computers is expected to be a major potential security problem for organizations. Microsoft has warned that using it after that date could subject organizations to perpetual zero-day vulnerabilities.

Windows XP for desktops still is widely used. The OS had a 29 percent market share measured back in January, according to Net Applications' data.