Analysis It's been months coming but many organisations are ill-prepared for the end of security support for Windows XP SP2, potentially leaving a huge population of vulnerable machines for hackers to exploit.

July's Patch Tuesday marked the closure of patching support for both Win 2000 and Windows XP Service Pack 2. From now on there'll be no security updates, hotfixes and other updates for Windows XP Service Pack 2 - regardless of how serious a threat any newly discovered vulnerability may pose to users stuck on the OS.

And it's not only the base OS that won't get patched. Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components have also seen their last patches, net security firm Sophos points out.

However, support for Windows Embedded XP SP2, an OS build frequently used in ATMs and point of sale terminals will extend until Jan 2011, so users of embedded systems have a few months to prepare for change. That's just as well since the management of these systems is often handled by third party suppliers, further complicating the process of rolling out changes.

Microsoft advises all XP SP2 users to upgrade to either XP SP3 or (preferably, from Redmond's perspective at least) Windows 7. Win XP SP3 was released in April 2008 and will be supported until April 2014.

Microsoft named the precise date for the end of support for Win XP SP2, which debuted in August 2004, back in April.

Upgrading to Windows 7 may not be an option for sys admins supporting older PCs. Moving to XP SP3 is simpler but still poses application capability problems that means many corporates have been slow to move on, especially in the previous absence of any compelling reason to upgrade.

Win XP SP2 turned on the built-in firewall within Windows and proved a useful Defence against Blaster-style network worms prevalent at the time. No similarly compelling argument existed for an upgrade from XP SP2 to SP3.

"I believe the level of awareness for the upcoming change was not high enough," said Wolfgang Kandek, CTO at security risk and compliance management firm Qualys. "Unlike the SP1 to SP2 switch, there was no significant functionality added to SP3 that made the move enticing. Existing users are still very satisfied with the SP2 iteration of Windows XP."

"In the future, however, Windows XP SP2 users will not receive updates anymore and their systems will start to accumulate attackable vulnerabilities. Although we don’t have any insight into attackers’ preparations, I am expecting attackers to take advantage of the large pool of SP2 machines as soon as a suitable vulnerability appears."

Statistics from Qualys out last month estimate that around 50 per cent of Windows XP machines are still running SP2 level, while another recent survey by IT assessment services firm Softcheck found 77 per cent of organisations were still dependent on on SP2.

Computerworld runs through possible mitigation tactics for users who need to stick with Win XP SP2 for the time been, chief among which are dropping IE and continuing to patch third party apps. It also suggests sys admins should read Redmond's security vulns for clues on how to mitigate against further vulns in the absence of any patches, a process that sounds like a right old pain.

Dave Marcus, research and communications director for McAfee Labs, said enterprises needed to have a strategy in place to manage migration to supported versions of Windows.

"Many enterprises and consumer users still deploy and depend heavily on applications that run on this Windows build," said Marcus. "It is unclear how much risk and expense the end of support will cause users worldwide but we expect cybercriminals to capitalize on this opportunity."

"Users of Windows XP SP2 should consider migration options and robust security solutions to mitigate risk." ®

Related stories

• 4 in 5 surfers open to browser exploits from fixed flaws (18 February 2011)

  https://www.theregister.com/2011/02/18/browser_security_pants/

• MS security tool interferes with Chrome and Adobe updates (19 November 2010)

  https://www.theregister.com/2010/11/19/ms_security_tool_chrome_adobe_conflicts/

• MS preps service pack blocker tool for Windows 7, Server 2008 R2 (15 November 2010)

  https://www.theregister.com/2010/11/15/windows_7_service_pack_blocker/

• MS preps 9 bulletins for September Patch Tuesday (10 September 2010)

  https://www.theregister.com/2010/09/10/ms_patch_tuesday_pre_alert/

• Microsoft to set record with next Patch Tuesday (5 August 2010)

  https://www.theregister.com/2010/08/05/microsoft_august_2010_patch_tuesday/

• Dell sandboxes Firefox to boost corporate security (20 July 2010)

  https://www.theregister.com/2010/07/20/secure_browser_push/

• Patch Tuesday sounds death knell for Win XP SP2 (14 July 2010)

  https://www.theregister.com/2010/07/14/july_patch_tuesday/

• Windows Help update stars in MS Patch Tuesday (9 July 2010)

  https://www.theregister.com/2010/07/09/ms_patch_tuesday_pre_alert/

• Win XP SP2 support to cease in two months (14 May 2010)

  https://www.theregister.com/2010/05/14/winxp_sp2_support_cut_off_looms/

• Microsoft slams coffin lid on Vista (13 April 2010)

  https://www.theregister.com/2010/04/13/microsoft_windows_vista_end_of_life_support/

• Microsoft slams nails in Windows Vista, XP SP2, 2000 (26 February 2010)

  https://www.theregister.com/2010/02/26/microsoft_vista_xp_2000/