The fact that millions of PCs and embedded systems will continue to run Windows XP beyond this week’s End of Life (EOL) deadline is only the latest example of obsolete, risky software that shouldn’t be used to stoke up unnecessary fear, KPMG analyst Stephen Bonner has argued.
As this week's deadline has approached, a wide range of firms including Microsoft have warned of the dire consequences of continuing to use an operating system that will no longer receive updates or patches so Bonner’s view runs counter to this conventional wisdom.
His view is pragmatic. XP cannot easily be upgraded on many embedded systems such as ATMs, ticketing, point-of-sale and military systems, which means that one way or another it will be with us for some time. Ditto consumers, with huge numbers around the globe simply indifferent to the fact that XP is about to become past tense.
“So XP will be with us for some time, and in some quite unexpected places. Little wonder banks and governments are paying millions of pound to extend support beyond April 8,” said Bonner.
This was absolutely predictable because a sizable minority of PC users already run many other types of obsolete software such as browsers, plug-ins and other software. Obsolete software is endemic and has been for years.
“It is worth remembering just how much obsolete software resides on our desktops. A survey of Java versions on a million end points last year found many had multiple versions of Java installed. On average organisations ran over 50 different Java versions, and more than half the organisations surveyed had Java software running which was over 5 years old,” he said.
Bonner has hit on one of the biggest weaknesses of the claim that running XP after this week represents an unfathomable risk – people already run a lot of risky software so is the operating system necessarily making this much worse?
“There has been speculation about cyber criminals holding back a large store of XP vulnerabilities ready to exploit obsolescent systems. I doubt that will happen - the incentive to exploit early and make money is just too great. However, I suspect some intelligence agencies might have a few zero days still in stock just in case.”
Legacy systems were in “difficult to reach places,” protected as much by physical as software security and so most of the risk was in the consumer sector. But this population already has major problems, something that running an out-of-date operating systems simply draws people’s attention to.
Bonner undoubtedly has a point but the fact remains that the stats are against the hold-outs. With recent figures from security management firm Qualys reminding us that 70 percent of 2013’s Microsoft security bulletins affected XP, getting off this desktop is inevitable.
On the other hand, the industry’s real problem with XP is that it has never before had to confront the deep indifference to security that has formed the backbone of the problems faced by the software industry in the last decade. Having made little effort to deal with the issue of obsolescence before, future migrations had to be handled better than this one or the same pattern will be repeated.
“So let’s look beyond XP, but learn some lessons about the importance of managing obsolescence, removing obsolete software, and remembering to secure those out of sight computers.”