Microsoft Gives Windows XP Security Reprieve Until 2015

Microsoft will continue to provide some form of anti-malware support for Windows XP even after the OS hits the end of its product lifecycle on April 8, 2014, the company said this week.

According to a Microsoft Malware Protection Center blog post, the company will continue to deliver the "signatures" that are used to identify and ward off malware for Windows XP systems "through July 14, 2015."

Those anti-malware signatures will continue to be delivered for Windows XP systems running various Microsoft security and management products, including Forefront Client Security, Forefront Endpoint Protection, System Center Endpoint Protection and Windows Intune.

In addition, Microsoft will continue to provide anti-malware signatures through July 14, 2015 for users of its free Microsoft Security Essentials anti-malware solution, a product aimed at consumers. That decision represents a major change in thinking. Earlier this month, the company gave notice that Microsoft Security Essentials would lose product support on April 8, 2014, and that it would no longer get product updates after that date.

Security for an Insecure OS
Microsoft's reprieve on Windows XP anti-malware signature support comes as somewhat of a surprise. Company officials had consistently warned that Microsoft would not provide patch support for Windows XP after April 8, 2014, and that the continued use of the operating system after that date could subject users to perpetual "zero-day" attacks. Announcements from company officials have been resolute, insisting that users and organizations get off Windows XP by that date. And that message hasn't changed, despite the backtracking on anti-malware definition support.

"This [anti-malware support announcement] does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures," Microsoft's announcement stated.

In other words, Windows XP still will lose product support on April 8, 2014, leaving it vulnerable to attacks, although anti-virus signatures will continue to be issued. Microsoft will not issue monthly security patches for the OS, although some paying "custom support" customers will get fixes from Microsoft on an ad hoc basis. Microsoft essentially will stop fixing the proprietary Windows XP OS kernel, which Microsoft alone has the authority to patch.

Continued use of the 12-year-old Windows XP OS after the April product expiration date will be a security problem for individuals and organizations, according to security solution tester AV-Test.

"Once these [Windows XP] updates are stopped, the system is sure to develop more holes than a good Swiss cheese over time, as programmers start to produce special exploits for Windows XP vulnerabilities," AV-Test explained in a blog post.

In addition, the track record of Microsoft Security Essentials in protecting Windows XP, even with continued anti-malware signature support from Microsoft, is not very good, according to AV-Test's anti-malware software rankings. The security software testing organization found that Microsoft Security Essentials scored 0 out of 6 points in AV-Test's "protection" category.

Vendor Support for Windows XP
While Microsoft will continue to provide anti-malware signature support through July 14, 2015, the offer is less generous than the support promised by some third-party software vendors. For instance, Kaspersky Lab will provide anti-malware support for Windows XP through 2018 for consumers and through the latter half of 2016 for business users. Trend Micro is promising Windows XP support through Jan. 30, 2017. A list of anti-malware software vendor support for Windows XP is being compiled by AV-Test and can be accessed at this page.

Windows XP currently holds a 29 percent use rate in the OS market, according to the latest Net Applications data. AV-Test has found that many Windows XP users are located in China and India. Manufacturers located in those countries are reporting Windows XP use by "60 percent of their customers," according to AV-Test's research.

Should an individual or organization continue to use Windows XP after the April 8, 2014 date, it's still not enough to rely on updated anti-malware solutions for protection, according to AV-Test. For instance, the Internet Explorer 8 browser is tied to the lifecycle of Windows XP, and it loses support at the same time as the OS. AV-Test recommends that individuals switch to Mozilla Firefox or the Google Chrome browser if continuing to use Windows XP. Both Mozilla and Google have pledged continued browser support for Windows XP after Microsoft's April 8 end-of-life date for Windows XP.

Anti-malware vendors won't be replacing Microsoft's expiring security patches for Windows XP. Instead, the anti-malware signatures that they will provide will just lower the risk of using the OS.

"Although anti-virus programs are unable to replace the soon-to-be abolished security updates for Windows XP, they can at least make it harder for malware to take advantage of your system vulnerabilities," according to AV-Test.

Microsoft also downplayed the protection afforded by anti-malware solutions on an unsupported Microsoft OS.

"Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited," Microsoft's announcement stated. "Running a well-protected solution starts with using modern software and hardware designed to help protect against today's threat landscape."

And by that statement, Microsoft means that Windows XP users should move to Windows 7 or Windows 8.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

