I’ve heard that Windows XP is coming to an end. How does this affect my business?

In a nutshell:

  • Yes, you need to upgrade, and as soon as possible.
  • Between now and then, make sure your antivirus is up to date and your backups are working. You do back up, right?
  • If you really can’t upgrade, you still have some options. Read on!

Windows XP has been Microsoft’s most successful version of Windows. It initially debuted all the way back in 2001, after a string of disappointments in Vista and Windows ME, and managed to get right what the predecessors hadn’t. It’s been stable and user-friendly, and because it’s just kept on going, that’s also meant we didn’t need to upgrade the PCs as often.

But now it’s dead, Jim. Microsoft actually stopped selling XP in 2008, but has still been providing updates and security patches on a regular basis. And that’s all that’s changed, really – from April, Microsoft has no longer been updating Windows XP. And that’s why you got the warning message: To let you know that your PC will no longer be updated.

To be fair, XP is 13 years old. Think back to the other technology you were using in 2001 – what sort of cellphone were you using back then?

That’s the era we’re talking about. Windows XP has had a great shelf life, and many people are happy using it. But technology evolves, and the underlying framework of XP is showing its age, making life difficult for developers, lacking support for newer hardware and software, and becoming increasingly onerous to patch.

It’s been working fine for years, why do I need updates anyway?

The main reason for updates is security, and there are two major factors at play here.

The first is that security researchers (and hackers) constantly discover new flaws in software which they can exploit to take control of PCs. Older software tends to be more vulnerable, and XP, and the Internet Explorer web browser which came with it, are perfect examples of this.

So Microsoft may not be investing in keeping XP secure, but you can bet the virus writers are investing in ways to attack it.

Most viruses these days are delivered online. You don’t have to open a dangerous attachment or be specifically targeted by an attacker – just browse to an infected website and the malicious software will check your PC to find out what system you’re using, and send down exploit code tailored to whatever it is.

For an attacker, there’s always a window of opportunity between finding a flaw and the manufacturer fixing it. On Windows XP, that window will never close. You’re vulnerable, and you’re going to stay vulnerable.

And it’s not just XP that won’t be patched – the older versions of IE won’t either, and nor will Microsoft Security Essentials – the free antivirus many people use. So, the most vulnerable components won’t be updated, and the thing which is supposed to keep you safe won’t be updated either.

If you’re using third-party anti-virus, that may help, but the bottom line is that there’s no substitute for a healthy, up-to-date operating system, and XP is no longer that.

The second factor is that the very fact of patches being issued for other operating systems could make XP more vulnerable. It’s standard practice for security researchers to examine software patches to work out what has been fixed and then to identify how to exploit the flaw on unpatched systems. If the same flaw affects XP as well as its newer brothers, the attackers can have a field day.

Virus outbreaks don’t happen every day. I’ve got some time, right?

Actually, virus outbreaks do happen every day – there’s a constant background hum of new malware appearing. It’s only good security practice that keeps outbreaks in check, and one of those security practices is to keep operating systems patched.

In fact, just days after XP’s support ended, a major vulnerability was discovered in Internet Explorer, and Microsoft backtracked on its “no support” stance and issued an emergency patch for XP alongside Windows 7 and 8. But one of the security developers stated at the time this was only because the timing was so close to the end-of-support date – this won’t happen again.

So what now? Do I have to buy a whole new PC?

If you’re using an older PC, unfortunately, yes: you might have to upgrade. The newer versions of Windows need more computing power (though Windows 8 is actually lighter on resources than Windows 7). You can download a tool from Microsoft to check whether your PC will cope.

If you do have to upgrade, now could be a good time to consider your options. Do you need fully-fledged PCs everywhere? Could you move some functions into the cloud, to Microsoft Office 365 or Google Docs perhaps, and save on desktop resources and software costs?

You could consider alternative operating systems – Apple hardware is more expensive, but the OS upgrades are effectively free. Linux comes in variants specifically designed for low-power hardware, but it also comes with a learning curve, and what you save on hardware you may pay in support and training.

But for most people, the reality will be that yes, it’s time to upgrade. And the cherry on top is that the change from 13-year-old XP to modern Windows 8 is pretty sharp – it’s a whole new experience and you will take some time (probably unproductive time) getting used to it. Them’s the breaks, I’m afraid.

What if I have something that can’t work with a newer version of Windows?

This is a real bind facing many people: they rely on some custom-built piece of software, or esoteric hardware device, which hasn’t been updated and doesn’t work with newer versions of Windows, only XP. Chances are good the provider of that technology can’t upgrade it either, if they even still exist.

There are limited options in that case, but there ARE options.

One is to just roll the dice, carry on regardless, and hope that you won’t get blitzed when the next major malware outbreak comes around. That’s really not a great option; it’s a bit like hoping you’ll be the only person not to get rained on.

At least invest in some heavy-duty security tools like antivirus and network security to protect that machine and everything around it. And back it up obsessively, so that when something bad happens, you can restore it safely – and remember that elderly piece of software you’re reliant on may be particularly difficult to back up and restore, so test your backups too.

You can physically isolate that PC, get it off the network and give it what security experts call an ‘air gap’. That’ll work (be careful of USB-borne malware – make sure the PC isn’t set to automatically execute programs when a storage device is inserted), but could be annoying for day-to-day work.
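One way to apply the AutoRun precaution mentioned above on the isolated XP machine. This is an added example, not part of the original article; it assumes an administrator command prompt (cmd.exe) and the reg.exe tool that ships with Windows XP.

```batch
@echo off
rem Added example: turn AutoRun off for every drive type on this PC.
rem Run from an administrator command prompt.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

echo Current machine-wide setting (an error here means the value is not set):
reg query "%KEY%" /v NoDriveTypeAutoRun

rem NoDriveTypeAutoRun is a bitmask with one bit per drive type.
rem 0xFF (decimal 255) sets all eight bits: AutoRun is disabled for
rem removable, fixed, network, CD-ROM, RAM disk and unknown drive types.
rem The HKLM value applies to all users of the machine.
reg add "%KEY%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
if errorlevel 1 (
    echo Failed to write the policy value. Are you an administrator?
    exit /b 1
)

rem Read the value back and confirm it is what we wrote.
reg query "%KEY%" /v NoDriveTypeAutoRun | find /i "0xff" >nul
if errorlevel 1 (
    echo Verification failed: NoDriveTypeAutoRun is not 0xff.
    exit /b 1
)

echo AutoRun is disabled for all drive types. Log off and back on to apply.
endlocal
```

Re-run the `reg query` line after any software install or restore from backup to confirm the value is still `0xff`.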

You may be able to get that old program or device to work through Windows 8’s compatibility mode – an IT consultant may be able to set it up, for a fee.

You may also be able to run XP in a ‘virtual machine’ – a program which emulates a complete PC, with whatever operating system (XP in this case) you need. The software to do this is free (ask your consultant about VirtualBox or VMware) but you’ll almost certainly still need a new PC. Your 10-year-old XP box almost certainly won’t be up to running Windows 8 AND Windows XP at the same time.

You might even be able to get the software working through ‘Wine’, an emulation technology capable of running Windows programs on Linux (which DOES support older hardware pretty well).

If your IT consultant turns up his nose at the mention of Linux, get a new one – good consultants shouldn’t be afraid to learn new tools if that’s what’s required to get the job done.


Jon Tullett
Jon Tullett, Senior editor at ITWeb, has been covering information technology for two decades, working as a journalist and editor in South Africa, Europe and the Middle East. He is currently responsible for news analysis and is spokesperson for the Security Summit, Africa’s premier information security event for IT and business professionals. Jon has trained in computer forensics, visited Interpol's cyber crime task force in Lyon, chaired numerous security events and seminars, judged technology awards, and developed testing protocols for a lab operation which reviewed dozens of security products every month. He has very, very long passwords.