Original URL: https://www.theregister.com/2014/04/08/end_of_xp/

Windows XP is finally DEAD, right? Er, not quite. Here's what to do if you're stuck with it

Lock down and look sharp, it's the hackers' game now

By Gavin Clarke

Posted in Software, 8th April 2014 14:24 GMT

Today will be like no other day because it’s the last Patch Tuesday for Windows XP. Yet there's good news if you're still using XP. For starters, you're not alone.

Thirteen years after it was released, Windows XP remains the world’s second most popular PC operating system. It's running on 27.69 per cent of consumer machines, according to market stats from beancounters Netcraft. For businesses and governments, the numbers are thought to be slightly lower but not by much. Windows 7 is the number one OS.

Gartner reckons up to a quarter of enterprise systems and 10 per cent of “large” organisations are still running Windows XP. That means SMEs, corporations, multinationals, utility companies, retailers, and government – both local and national – and hospitals are all in the same boat.

And it’s not just PCs.

Seventy-seven per cent of UK organisations have the 13-year-old operating system running “somewhere”, according to UK software company AppSense.

That “somewhere” can mean anything that’s not a PC – so passenger information systems, kiosks and airline ticketing systems.

And let's not forget ATMs: two-thirds of the country’s 60,000 cash machines are also, as of today, still trucking along on Windows XP.

Yet for every silver lining there is a cloud: from now on, you're alone when it comes to security. As of now, if a new vulnerability is written that targets the operating system, Microsoft won't come riding to your safety with a software fix.

Security experts fear the worst: that rather than malware writers discovering new code, they’ve been hoarding a back catalogue of badness that they’ll release.

Microsoft’s last security patch contained two fixes for Windows XP and for Office 2003, which also runs out of gas on Tuesday.

From now on, the only protection you have is if you’ve got loads of money to fling at Microsoft. If so, you can afford a custom-support agreement priced at $200 per desktop, meaning Microsoft will keep on making security fixes for your machines.

Such agreements, though, are only for the biggest of the big – and you also need to prove to Microsoft you’ve got a migration plan in place.

Plenty in the private sector who’ll be running Windows XP after today have swallowed the price and taken out cover. Application migration specialist Camwood reckons at least 10 large enterprises it knows of have paid up.

Often the price is factored into the overall project costs of migrating off of Windows XP, with a view that the migration will be finished in a year and they won’t need to pay for a second, more expensive, year of custom Windows XP security.

Last week, the British Government became the latest to take out just such a deal.

A one-year deal priced at £5.584m will provide support for Office 2003 and Exchange 2003, which is also no longer supported by Microsoft. Crown Commercial Services, the commercial arm of the Cabinet Office, reckons the deal will save £20m over the standard pricing of such Microsoft Windows XP deals. Cover is available for tens of thousands of PCs in Whitehall, the NHS and other government bodies struggling with upgrades. These organisations will remain on Windows XP for at least another year.

There is an upside to this tale: in about a year’s time, most of the outstanding Windows XP users in business and government should have gone, thereby closing down a large attack vector open to hackers and malware writers. Many are already migrating, it’s just that the completion dates shoot well out past the April 8 end date.

They haven’t buried their heads in the sand. Well, mostly they haven't.

“There are customers we are talking to that are still talking and who haven’t started yet or in the process of just starting their Windows XP migration programs,” Avanade's head of technology infrastructure, Paul Marsh, tells The Register.

He has seen a stream of customers moving to either Windows 7 or Windows 8 in financial services, manufacturing, and utilities.

Recent headlines in publications such as The Reg about the Government’s £5.584m deal have been responsible for a sudden, late rush to action, too.

“There’s been a lot of headlines recently – the government extended its support deal to the NHS and lots of government agencies,” added Simon Body, chief technology officer for app migration bods Camwood. “Lots of customers are coming to us are talking to us about doing a very fast migration. It pricks the realisation there must be one risk they [government] do not know about and they [customers] are pressing the button.”

Camwood found 15 per cent running Windows XP didn’t know the end date was coming in March 2014. A year on, that number has decreased by nine per cent, Body said, adding that he reckons SMBs are only now waking up to the problems caused by XP's demise.

Fellow app migration specialist 1E reckoned that private sector projects are moving faster and are more focused than those in the government sector. Finance and healthcare companies are moving fastest because of concerns about the “business impact” and security risks.

For “business impact”, read lost income or fear of fines for breaches resulting from the fact they are running a desktop operating system lacking the latest security features.

Those without a company or organization-wide plan are seeing business units move on their own – phasing out Windows XP PCs only as they reach end-of-life.

But why have so many people so comprehensively missed the date? It’s not like nobody knew Microsoft was going to finally kill all updates for Windows XP.

Installing a new operating system is relatively simple, and we’ve been here before. Windows 98 and Win 2000 did give way to XP, after all.

It's all about the money, money, money...

Gartner estimates the cost of upgrading a Windows XP machine at between $1,205 and $2,069, for a 10,000-PC environment. That’s money that could be spent on better, more business-enhancing IT projects, in the view of some Reg sources.

Others we spoke to blame a lack of leadership in government circles – for example, the UK's Cabinet Office has been too busy on high-profile digital projects like G-Cloud to pay attention to the looming XP zombie. There’s been no Y2K-style government czar to raise awareness and drive a migration campaign.

But there are deeper tactical issues, too.

The first big problem was the hardware. Be it PCs, kiosks, ATMs or anything else running Windows XP, such hardware probably won’t be able to run Windows 7 – and certainly not Windows 8.

That’s changed the complexity of the problem. Suddenly you need to actually buy new PCs, a process that involves budgets and finance people.

But there’s an even bigger problem than this – and that’s the apps.

Grappling with the applications on Windows XP, from either a project planning or an execution point of view, is proving to be the killer.

Unlike Windows 98 and Windows 2000, Windows XP had plenty of time to bed down. There was a time when Microsoft would release a new desktop operating system every two to three years, forcing upgrades and application compatibility.

However, Microsoft has screwed that particular pooch twice, first with Windows Vista and now with Windows 8, both of which have been avoided en masse.

That’s given Windows XP more than a decade to become the standard in off-the-shelf machines and in custom applications such as ATMs. More than a decade’s worth of “business critical” apps have been built to run on Windows XP – SAP, payroll, manufacturing or CAD – not to mention billions of macros and plug-ins for Office 2003. Some are hardwired into Internet Explorer 7, too, which won’t work on Windows 7 or 8.

The browser tie-in has been the biggest thorn – a reason IE 7 is still counted in browser-market share stats.

The options have been to re-write apps – costly and time consuming – or use a workaround. Some have taken the latter route, using a piece of software from Browsium called Ion that lets IE 7-dependent apps run on new versions of the browser. Customers include HMRC, who are moving more than 85,000 PCs off Windows XP.

For non-browser apps, the problem has become a matter of application management and IT strategy.

HMRC are moving 85,268 PCs off Windows XP

That means finding out what applications you have, whether they are still used or needed, chopping and consolidating, moving the rest or buying a new version. It’s not as easy as it sounds.

In more than 10 years, organisations have built their own apps, inherited or lost apps through mergers, or apps have lost users through downsizing. Meanwhile, the number of apps inside organisations will have mushroomed.

A source at one large systems integrator who wished to remain anonymous told The Reg that he’s worked with one client who’s consolidated 1,500 apps down to 500.

“A lot of organisations have been trying to reduce their number of apps,” he said.

In many cases, 80 per cent of staff will be using just 20 per cent of apps – things like Office, IE, Adobe’s Flash or some form of SAP. However, finding that lost 20 per cent, so that it doesn’t come back to bite you down the line – there lies the rub.

Managing this is a problem at any scale. 1E reckoned it knows of one company with 2,500 systems that’s been migrating for two years and is still not finished.

On the other end of the scale, 1E has been working with a 70,000-seat organization that managed its move in just three months. 1E reckons on six to 12 months for an average migration of 80,000 seats.

Illustrating the problem is the Home Office. The Reg understands the department, which has 10,000 users, has only just started a Windows 7 pilot, looking at delivering Windows 7 as a piece of thin-client software.

The Home Office refused to comment.

On the other end of the spectrum is HMRC, with 85,268 Windows XP PCs. It’s had a migration project running since 2012 and expects to finish by the end of this year.

Vice president of marketing Paul Parke said: “The difference between the two is the amount of manual effort required and how much can be automated.”

It’s not just sheer numbers of apps that’s queering the pitch on this move. It’s the types of apps that’s causing a problem. Some apps just won’t work on Windows 7, never mind the touch-friendly Windows 8 user interface. Among the offending apps, we’re told, is the Land Registry’s planning application app that doesn't work on Windows 7. It’s been turned into a browser-based app to get around this.

Other app migrations will cause problems that’ll lead to staff re-training, such as moving from Office 2003 to Office 2007, which comprises a complete interface overhaul and introduces the rather controversial Ribbon interface.

And there’s yet another wrinkle that’s made things even more complicated: the question of whether, and how, to use the Windows XP migration to set a new IT strategy.

Those on Windows XP are running an operating system dating from 2001, a time before smartphones and tablets, touch based input and cloud services.

It's not a simple case of just moving to Windows 7

Going to Windows 7, as many have done, brings you closer, but it’s not a touch-enabled OS. Windows 8 is touch, but Microsoft’s made such a pig's ear of it that it takes the truly open-minded, the self-confident or those on the receiving end of some handy account help from Microsoft to take the decision to commit to Windows 8.

It’s this thicket that’s meant so many Windows XP upgrades have gone past the April date, as upgrading became not an IT matter but a business issue.

“Nobody can claim to have woken up to it late,” Marsh said. “It’s been they’ve struggled to engage the business, to get the buy in around the budget spent, struggled to get engagement around consolidation of apps, to understand the business change impact, it’s not looking at it as a holistic perspective - you are not just upgrading the operating system, it’s the whole program.”

Here’s another twist: Windows 7 has been the lifeboat for most but it’s already five years old and mainstream support for that finishes on January 13 next year.

Extended support and security fixes – the period just finished for Windows XP – end for Win 7 on January 14, 2020.

Windows 8 is new and has a longer lifespan. People who’ve postponed going to Windows 7 might now defer to Windows 8 as their platform of choice.

Another option is to unload the job of supplying the devices on the employees, a strategy known as Bring Your Own Device (BYOD). That saves you, the company, having to supply and upgrade end-points in the future but you’ll need the network, security, privacy and regulatory infrastructure and frameworks in place.

And after all that, it still might not work. Camwood’s Body is a former chief architect at AstraZeneca who’s also worked with large financial institutions and oil and gas companies. He reckons there are companies in the US who’ve embraced BYOD only to reverse it later owing to the complexity of the set-up or data getting lost.

“At the moment BYOD is hype. When customers start working out the issues, then it becomes reality,” he said.

It’s like Vietnam out there. What happens next?

Most people The Reg spoke to think there are very few who’ve actually not started Windows XP upgrades. All believe the next 12 months will see sustained work, with the majority of projects coming to an end. A relatively small number will roll over.

At this stage, it looks like a large number have decided to tough it out: that is, turn off old Windows XP machines as they die and bring in new systems running Windows 7 or Windows 8 as required. That's what happened when Windows NT bit the dust.

For those trying to avoid this death by a thousand cuts, Marsh recommends putting a constructive case forward beyond a simple need to upgrade.

“If you are trying to justify a transformation program and if it’s seen as an expensive upgrade, then that will slow down any approval but in the budget from the business and adoption from the user community who don’t see the benefit. Introducing new capabilities is a way of helping speed adoption because you can get better buy-in down the chain from executive to the coalface,” Marsh said.

There’s still the mid-term problem of what to do if you’re still on Windows XP and have paid Microsoft for extra cover.

AppSense reckoned 84 per cent expect to be clear of Windows XP within the next year but that 68 per cent don’t plan on paying Microsoft for extended support despite warnings about possible vulnerabilities over exploits and malware. How do you protect yourself?

Also, look at the best way to protect your IT estate. Here’s some recommendations:

You also need a plan, should the worst happen and Windows XP is breached after the support has been killed off.

Marsh said: “Businesses need to understand if there’s a problem what can happen and what’s the action plan around it, and not run around like headless chickens.”

The next 12 months should see more people come up with an answer to where they go after Windows XP. The challenge will be whether they arrive at their planned destination without being harried by the bad guys along the way.

Even then, though, Windows XP is likely to have the last laugh. Such was its run and so deep its penetration, it will lurk for quite some time yet, beyond even the next 12 months – a ticking time bomb in an isolated pocket somebody somewhere forgot they had. ®