My Two Cents on the Security and Market Implications of the End of Windows XP

I know there have been a substantial number of articles on the end of Windows XP and its implications, but I couldn’t resist chiming in. Hey, maybe I was destined to do so since I was one of a few thousand people at the Windows 95 introduction in Redmond (back in the summer of 1995 of course). Here are my thoughts on this transition; I’ll try to take a bit of a different angle on the topic.

1. Microsoft will likely come out of this with a black eye. Windows XP was released in 2001 and was supported by Microsoft for nearly 13 years. As a point of comparison, the aforementioned W95 was supported for just over 6 years. Microsoft was more than generous with XP support, in spite of its market misstep with Vista, yet roughly 27% of PCs are still running XP and will now be vulnerable to a certain wave of malware over the next few months. If any of these attacks result in a major breach, we are bound to see publicity-seeking pols lambasting Redmond in the halls of the U.S. Congress conjuring up imagery of Teddy Roosevelt and his famous trust-busting exploits of 1902. In truth, Microsoft did nothing wrong, but if and when there are XP security problems, look for the Washington PR machine to seize on the opportunity for Microsoft vilification.

2. XP remains in all the wrong places. If you are like me, you have a few semi-retired systems around your house that still run this venerable OS that you fire up now and then but hardly use. So where is the rest of this 27% of the market that remains dogmatically committed to XP? Walk around your community and you’ll find them. They are running in the administration office of your local high school, at town hall, the public library, your local small hospital, the state house, DMV, the pizza place on the corner, etc. In other words, Windows XP is still installed and running at organizations that don’t have the budget or resources to upgrade to Windows 8. This could lead to a big problem if bad guys and even script kiddies start to use XP for target practice. Imagine local tax information, billing systems, and student records all disappearing. Yikes!

3. Look for XP security to become a cottage industry. In lieu of ripping and replacing XP, many organizations will look to third-party security solutions to help buy them time. For example, I wouldn’t be surprised to see a special version of endpoint security software from Kaspersky, Malwarebytes, or Triumfant, with added protection, virtual patching, and more comprehensive threat intelligence built in. I'm also certain that IPS vendors like Cisco, Fortinet, Juniper, McAfee, and Palo Alto will trumpet network-based virtual patching as well. Look for ads for these types of products – starting next week.

4. Endpoint virtualization to the rescue? In addition to custom security tools, we are bound to see a bit of a renaissance for desktop virtualization. IMHO, this isn’t a bad idea – especially for XP systems at mid-sized companies with some IT personnel capable of installing software and managing operations. I wouldn’t be surprised if service providers jump on board as well, as they implement and manage VMware Horizon for state and local governments (not to mention networks of ATMs running XP. Yikes again!). Look for some vendor or service provider to spin up their own solutions based upon KVM as well.

5. There’s always Ubuntu. I realize that desktop Linux has never grown beyond a niche, but the end of XP could be a tipping point in the market. Lots of XP systems in libraries, museums, and universities do little more than host browsers and connect to printers. Have you seen Ubuntu recently? It doesn’t look exactly like XP but neither does Windows 8 – and you can’t complain about its price tag; it’s free and really easy to use. Again, some service provider is likely to seize this opportunity with services to swap out XP for Ubuntu and offer ongoing support. Heck, they’ll probably throw in OpenOffice as well (a nerd joke as OpenOffice is also free and works fine with existing MS Office documents).

Finally, look for a SaaS vendor to step up with virtual desktop and/or endpoint Linux offerings. There will also be a fair bit of tire kicking with alternative platforms like Macs, Google Chrome, and even a vocal minority wanting to eschew PCs altogether in favor of mobile devices.

Windows 3.0 was introduced in 1990, followed by W95, W98, and XP in 2001. For those of you keeping score, that’s 4 operating system revisions in 11 years. Given this history, you’ve got to believe that the folks in Redmond were thinking that XP would be in a museum by 2008 – not running on 27% of PCs in 2014. Yes, Microsoft will likely sell its share of Windows 8 and even Surface devices now that it’s pulling the plug on XP but I still think it will somehow end up with egg on its face (as well as the black eye described above).

For the most part, the XP issue will likely be a minor annoyance, but we should all be concerned about ATM networks, POS devices, and public records that still reside on XP systems. Shame on all of these laggards for not heeding Microsoft’s warnings. Unfortunately, we the people may suffer the consequences for this procrastination and Microsoft will get its unfair share of the blame.
