Bekker's Blog

Blog archive

Microsoft's Head Fake on Windows XP Support

Did Microsoft just blink on security support for Windows XP?

Windows XP's extended support phase officially ends on April 8. The company has used a lot of tough talk over the last few years to make sure that all customers know that deadline is coming and that it means that from April 9 onward, keeping Windows XP PCs online is an invitation to cyberattacks because there will be no more security updates from Redmond.

Beyond that, Microsoft has been running customer and partner campaigns with the messaging that no amount of patching would make the dozen-year-old Windows XP as secure as more modern OSes like Windows 7 and Windows 8, anyway.

Then comes the odd decision unveiled last week that Microsoft will continue to provide signatures for malware on Windows XP through July 14, 2015. Those signatures will be delivered through Microsoft security and management products like Forefront Client Security, Forefront Endpoint Protection, System Center Endpoint Protection, Windows Intune and the free Microsoft Security Essentials.

I'm concerned that Microsoft's least sophisticated customers will misinterpret this move as an extension of Windows XP support. It's not.

Security experts order the priority of security steps very clearly. It's operating system and application patches first, virus/malware protection software installation with regularly updated signatures second.

What Microsoft has not done is change its decision on whether to keep patching Windows XP after April 8. So far, all indications are that it won't -- and it will be open season for the creation of zero-day attacks for Windows XP. All that signature support through July 2015 won't help much with that. (See Kurt Mackie's in-depth report here for more.)

Microsoft's announcement of the decision acknowledged as much. "Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited," the Microsoft Malware Protection Center blog post stated. In explaining the strange decision, the blog post said the move was intended "to help organizations complete their migrations."

The bottom line is that Microsoft hasn't blinked on the most important part of Windows XP support. But it has done a head fake that's probably going to fool some of the reported 29 percent of remaining Windows XP users into thinking that it's OK to procrastinate a little bit longer.

The longer all those laggard organizations wait, the more dangerous the Internet is for them and, because of their infected zombie computers, for the rest of us.

Posted by Scott Bekker on January 22, 2014


Featured