In my post “Get the hell off Windows XP! NOW!”, I talked about why it’s probably not safe to keep running Windows XP when Microsoft end support for it on 8th April 2014. I talked there about vulnerabilities and exploits, like the IT guy that I am, but what are the real risks if you’re someone running Windows XP at home, or on a work computer supplied by your employer?
There are a load of answers to this, some of which are worse than others, so let’s look at a few options. Some of them are a bit scary – that’s on purpose, but I’m not just being sensationalist – I want you to know so that you can make an informed decision as to whether you need to do anything. Look, it’s probably possible to carry on quite safely if the computer is properly locked down and you take every precaution in using it (using a modern browser, not running Java, not running as admin, etc.), but making sure that it’s really hardened against attack isn’t easy, and only time will tell if it can be done at all. When you’ve read this, you need to decide if you’re confident in taking that chance.
There’s every chance that someone out there has found a way to get some code of their choosing to execute on your computer, taking advantage of an as yet undiscovered loophole, which Microsoft aren’t going to close. As soon as someone malicious can execute code on your computer, it isn’t your computer!
Your computer could become part of a botnet, set to work sending spam emails, or trying to take down other systems by flooding them with network traffic.
That doesn’t hurt you yet. What else?
Your files could be lost or held to ransom. If you’ve got your only copy of anything on your computer we need to talk anyway, but lots of people do. Let’s say you’ve got all of your family photos on there. The fact that you’ve got all of them in albums on Facebook isn’t a great backup. There’s a possibility that some enterprising soul could install ransomware on your computer, encrypting all of your files and demanding that you pay them real money to get access back; otherwise they’re gone for good.
Your best defence against that is to have multiple copies of anything that has value, so that if anyone does take control of your computer, you can flatten it and start again, with an operating system newer than Windows XP. The fact that you have physical access to the machine still gives you an edge over the remote attacker, but only if you have backups.
Maybe. If you’re going to pin your hopes on “maybe” then we might as well not be having this conversation.
So we’re at a point where you may lose something of value. Perhaps you’ve got some software that you purchased and can’t easily retrieve again, or your collection of mp3s, or the sentimental value of your digital photo collection (which is by far the most valuable digital content that I own personally). Maybe they won’t touch your files. Perhaps they’ll just watch what you’re doing and collect your passwords with a key logger. If you do your online banking on that computer, you just gave them access to your bank account. Oops. They’re also in your email and social networks. Do you have anything in there that you want to keep private?
That’s at home though. What about at work?
So the same applies: if somebody else can run code on the computer, they can own the computer. Does your computer hold, or have access to, anything that’s of value to your company, its customers, or its competitors? Would your password give somebody access to anything that could harm the organisation? Does your manager’s password? We know the CEO/COO/CFO have access to that stuff. Are they using Windows XP too?
Not to be dramatic, but can you foresee a situation where someone could get access to your systems and do enough damage to the company that it loses a stack of money, or a stack of value off the share price, or get a massive fine for leaking confidential data, or loses the confidence of its customers? Would the company be able to bounce back, or would you and your colleagues be out of work?
If you’re working for a company that is planning to carry on using Windows XP after 8th April, have you asked the management whether they’ve considered the risks of this? I know I would. You need a job more than you need those family holiday photos, right?
How certain are you that some script kiddie isn’t going to spam all your contacts, steal the music collection that you took years to build, ransom your own files back to you, then wipe them off your hard drive anyway for a laugh even after you’ve paid up, upload your fruitier selfies to a revenge porn site, use photos of your significant other to catfish your best friend, sell your company’s secrets and client list to its competition, meanwhile opening it up to litigation from said clients and regulators, making your stock options worthless and leaving you looking for new employment?
Don’t worry though, it probably won’t happen.
It’s up to you.
It hasn’t bothered the people still using Win98 & Win 2000.
All the concerns you raise are valid but they could already be happening now on your Windows 8 PC or could have been running the last 3 years on your XP machine.
You’re right, of course, but I don’t believe that Windows 98 or 2000 still had as much market share when they went end of life. XP still presents a massive target, and as I said in the earlier post, I have a strong suspicion that people have been holding on to zero-day exploits until a time when they know it’s not going to be patched.
There are undoubtedly some vulnerabilities in newer operating systems, but at least they’ll get fixed.
As I said, you might be ok with Windows XP. Personally I’m not ok with that level of uncertainty.
True, I didn’t think about market share but obviously that’s a factor when people target their malicious efforts.
I just saw at http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers that XP has an estimate of ~30% still.
You are right that it is a gamble, but the only real risk to an end user is if things like a keylogger get installed, and that has more to do with a user clicking the wrong link on a website rather than an OS exploit.
I can’t think of any consumer I know that would actually pay the £190 upgrade cost. It will just be a case of keeping it running until it’s time to buy a replacement.
Businesses, on the other hand, have no excuse and should have got off XP years ago.
Have you seen the latest infographic that MS have released about XP EoL?
http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-87-29/7416.XP-EOL-Infographic-_2800_1_2900_.pdf