PCpro.co.uk - 29 Nov 2013 - Simon Jones explains the full implications of the looming deadline for Windows XP support
April 2014 sees the end of support for Windows XP, Windows Server 2003, Exchange Server 2003, Small Business Server 2003 and Office 2003.
By then, the 2003 wave of products will be 11 years old, and Windows XP will be 13. Office XP ran out of support in December 2011, but Windows XP’s lifecycle was extended a couple of times because people stubbornly refused to move away from it. Anyway, at T-minus five months and counting, what exactly does "end of support" entail? Should you be worried, and what are your options?
Microsoft provides three levels of support for its software products: Mainstream Support, Extended Support and Online Self-Help Support. The Support Lifecycle policy is reasonably flexible, but generally it offers ten years of support for business and developer products (five years’ Mainstream and five years’ Extended) and five years of Mainstream Support for consumer and multimedia products.
The main difference between Mainstream and Extended Support is that only bugs relating to security will be fixed during Extended Support – non-security bugs will only be fixed for customers who have purchased extended hot-fix agreements within 90 days of Mainstream Support ending. Once Extended Support ends, you’re on your own. Microsoft commits to maintaining Online Self-Help Support for ten years for most business and developer products, but since Office 2003 and Windows XP are already older than that, these knowledgebase articles could start disappearing at any time.
With about a third of all PCs in the world still running Windows XP, it’s highly unlikely that Microsoft will remove all the patches for it from Windows Update yet, but there won’t be any more arriving. If anyone in a black hat finds a new security hole to exploit, Microsoft isn’t going to be doing anything about it in future. Security holes in Windows and Office aren’t rare, as you can tell from the regular stream of patches that appears on the second Tuesday of every month. Once Windows XP and Office 2003 go out of support, there won’t be any more patches for those products, and the likelihood of your PC catching something nasty will increase, no matter how good your antivirus software.
We can’t know by what factor it will increase, but around a third of malware infections can be traced to missing security patches; that is, if the computer had been kept up to date, it wouldn’t have become infected. Even though infections and virus threats are increasingly common – up 182% year on year in 2012 – Windows 7 is still far less likely to be infected than Windows XP if you’re running anti-malware protection; if you don’t have real-time malware protection in place, Windows XP and Windows 7 are about on a par for infection rates.
Windows 8 comes with real-time protection built in and turned on by default, so its infection rates are incredibly low – you’d have to consciously turn off Windows Defender to reach any significant infection rate.
XP infection rates
The headline figures for the second half of 2012 were that protected Windows XP SP2 computers had 4.2 infections per thousand, while 32-bit Windows 8 machines and 64-bit Windows 8 machines had 0.5 and 0.2 infections per thousand respectively. With no real-time anti-malware installed, these figures went up to 15.6 per thousand for Windows XP and 2.7 per thousand for 64-bit Windows 8 (no data is provided for 32-bit Windows 8). These figures are a summary of the telemetry data from Microsoft’s Malicious Software Removal Tool (MSRT), which is run on millions of computers every Patch Tuesday. See more of them in Microsoft Security Intelligence Report Volume 14.
64-bit operating systems are substantially more secure than their 32-bit equivalents, with the exception of Windows Vista, for reasons that aren’t clear. It’s interesting how insecure Windows 7 RTM is compared with Vista SP2 or Windows 7 SP1, but it’s blindingly obvious that Windows 8 is far more secure than any previous version of the operating system.
Security patches that are released for more up-to-date versions of Windows and Office will probably be reverse-engineered by malware writers to see whether Windows XP and Office 2003 share the same vulnerabilities; if they do, those old products will become even more at risk, since their now-known holes will surely be exploited.
Eventually, there will be fewer computers in the field using this obsolete operating software. Fewer pieces of malware will be written to target their vulnerabilities, and fewer instances of that malware will be in circulation. This kind of "security by obscurity" (which is often claimed by Mac aficionados) is a long way off yet, however, and you shouldn’t be sitting on your hands in the meantime.
I know many personal users and small businesses belong to the "if it ain’t broke, don’t fix it" school of thought. Why should they spend money on new computers, software or operating systems when what they have works perfectly well for them?
I understand and sympathise with this attitude, but we’re rapidly reaching a point where the risks aren’t worth it. If a fire took out your company’s offices and destroyed your paper records – the only records you had – you wouldn’t know, and certainly couldn’t prove, who owed you what money, and you’d go out of business. If you had computer records, you’d be in the same boat if you lost those computers in a fire and didn’t have off-site backups.
The bad news is that a serious malware infection can wreak much the same havoc: it can hold your data to ransom by hiding your files, only giving them back if you pay the malware’s writers for "support". It can also infect your backup files so that the infection will return after you’ve rebuilt your computers and reinstalled your backups. Such an infection can slow your machine to a crawl, and if it starts sending spam or virus emails from your machine, your legitimate emails risk being refused by the recipients’ email servers because you’ve been blacklisted as a spammer. All these things can hamper or cripple your business for days or weeks.
Good antivirus software can only do so much, and fully patched software and operating systems are essential to keep your computers and business running. You must move off Windows XP, Server 2003, Small Business Server 2003 and Office 2003 before next April’s deadline. In order to upgrade to Office 2013 you must move to Windows 7 or 8 anyway, and if you’re running a version of Office before 2003 – Office XP, 2000, 97, or 95 – then you’re already way beyond support.
A computer is far more like a car than a filing cabinet, in the sense that it needs regular maintenance and servicing: you can’t expect it to keep working year after year if you don’t look after it properly. Think of it this way – you have around six months before your garage says they won’t be servicing your car any more. Its steering and brakes might be knackered, its seatbelts frayed and its air bags absent, but since the manufacturer isn’t making the parts anymore, you’re going to have to do something or take the risk of crashing and losing everything.
Many old computers could be successfully upgraded to run Windows 7 or 8 – perhaps with the addition of a little more RAM – but it may not be economically viable to keep them chugging along for another year or two: you’d get a much faster machine more cheaply if you bought a new computer. If you’ve already upgraded your computer but are still running an old version of Office, you could upgrade to a later version or switch to a different product.
Remember: if your copy of Office came preinstalled on a new computer, you can’t legally transfer its licence to another computer. The same is true for Key Card licences. That’s why OEM and Key Card licences are so cheap – they’re tied to the one computer and must die with it; if you replace the computer, you have to buy Office again. (As such, I don’t recommend buying OEM or Key Card licences, even on the tightest budget.)
Perhaps you have a software compatibility problem, a peculiar application that refuses to run on a more modern version of an operating system, or a document or template that’s locked to an old version of Office. Your first port of call for an old application should be Windows compatibility settings. Right-click on the application and choose Properties from the menu; select the Compatibility tab, and either run the troubleshooter or manually set the compatibility mode to an earlier operating system version.
You can also increase the application’s privileges by running it as Administrator. The Windows Compatibility Center enables you to search for your software and check what options are available – the manufacturer may have released a patch or some instructions on how to run the software on a newer OS version. You might also consider running it in a virtual PC that’s turned on only when necessary. That’s still a security risk, but less of a risk than running your entire operation on an obsolete platform.
If you can’t make any of these options work for you, you’re probably going to have to invest some time – and money – to replace the incompatible dinosaur with something more modern. If you’re in a business with five or more PCs, you should consider volume licences.
You’ll pay less than you would buying the software off the shelf in a shop, and you can spread the cost over three years. Everyone – businesses and home users alike – should be looking at Office 365 subscriptions, where you pay monthly or yearly rather than buying the licence outright.
In a bid to push customers towards a subscription model, Microsoft has made a standard Office 2013 licence expensive compared to an Office 365 subscription, despite the fact you get much more with Office 365 and support for it doesn’t end next year. Subscription licences, and volume licences with Software Assurance, include the cost of the next version in the amount you pay, so you’re always kept up to date with the latest version of Office and never run out of security patches.
If you can’t afford to buy Office 2013 or Office 365 subscriptions and your needs aren’t that demanding, another option is LibreOffice, which is free, or Ability Office, which costs £30 for the standard version and £35 for the professional package. These programs are sufficient for most users, but you may come across formatting problems from time to time, where what you see isn’t quite what the originator of the document intended.
If you think you’re capable of handling the OS upgrade yourself, go ahead. If you don’t, or you’re not sure what’s involved, find yourself a local IT consultant who can examine your setup, advise you what it will cost and complete the job for you. Whatever you choose to do, do something – or accept, like the owner of a classic car, that you’re going to have to be prepared for it to crash and burn at any moment, and that if it does, you’re on your own.