Even though the deadline for any type of support for Windows XP was up last April, many organisations are still using the venerable operating system to power their PCs and the applications that run on them.
But XP was never a truly secure OS to begin with and despite numerous patches over the years, new vulnerabilities have been found. Of course, since April 2014, no more updates have been provided by Microsoft on general release and this has left anyone still running XP very much exposed to hacking and security breaches.
According to figures from IT security firm Secunia taken from scans by its Personal Software Inspector, around 15.17% of computers around the world are still using Windows XP. Nearly 18% of users are still running with an old version of Internet Explorer.
Kasper Lindgaard, Secunia's Director of Research and Security, advises that small businesses should definitely migrate away from Windows XP if they want to protect their data.
"Generally speaking, newly discovered vulnerabilities in XP are unpatchable for private users. XP users are 'free-for-all' to hackers, who can create and use exploits at will," he says.
"Additionally, patches to the other Windows operating systems are likely to be reverse engineered by hackers, to discover which vulnerabilities were fixed by Microsoft, and can be modified to work against Windows XP."
Hype and noise
The hype around the XP deadline was similar to that of Y2K, says Sergio Galindo, general manager at GFI Software, and while the date came and went, nothing blew up.
Galindo notes: "XP attacks do continue, but all the other operating systems remain under attack as well. Although continuing to use Windows XP and older versions of Internet Explorer is unsafe and not recommended, ultimately the question businesses must ask themselves is: how much risk are we willing to take, and how does it compare to the cost of an upgrade?"
Keep on running
But why do firms still insist on running the software? While reasons can range from anything to do with their familiarity with the system, to training requirements or anticipated costs attached to upgrading, the big issue is compatibility as many companies have an aged estate of apps with either OS or IE dependencies, according to HP's Chief Technologist James Morrish.
Microsoft does offer emulation modes, but most companies don't trust this, and the process can be complex to setup and test.
"The challenge is that most businesses have thousands of applications, and typically a Windows 7 migration will also include either extensive application testing or rationalisation and modernisation which would be a huge amount of work," says Morrish. "Many businesses have been avoiding the changeover because they fear the lack of compatibility and loss of productivity during the transition."
"So also, to a certain extent the issue is wrapped up in the cost equation. For the most part, it isn't just that companies can't afford to refresh their hardware, it is that they don't also have the budget and time to test the compatibility of the thousands of applications that the company runs."
Is it possible to safely use XP and IE now there is no more support? It is possible, says Andrew Avanessian, EVP of consultancy and technology services at endpoint security firm Avecto, but he doesn't recommend it.
He says firms that are forced to keep using legacy operating systems can significantly reduce the chance of a cyber-attack by adopting a proactive defence in depth approach to security.
"The default for these old systems is that users are given administrative rights, but removing admin privileges and dealing with the challenge areas with privilege management solutions has been found to mitigate 92% of critical Microsoft vulnerabilities, and can therefore significantly reduce the attack vector," says Avanessian. "Layering other defences on top of that, such as application whitelisting, will mitigate most targeted cyber-attacks."
Cost appears to be the main issue in moving away from XP, so how can organisations migrate from the platform in a cost-effective manner?
Galindo suggests organisations isolate the XP machines from the internet or the network if possible, then purchase low-cost replacements to fill in the functionality that is not achieved on XP.
"In some instances, it may be viable to run XP and any applications that need it in a virtual machine on a modern Windows or Mac computer, allowing the organisation to decommission the older hardware, whilst still allowing legacy software to work," he observes.
But Daniel Simmons, Technical Architect at Trustmarque, says that while replacing non-compatible applications or hardware with a new version is certainly the most reliable method, unfortunately, it's the most expensive as well.
If the application is mission-critical or otherwise strategic to operations, then if possible, this is the preferred route. Otherwise, there are a number of tools that can be used together to fix some compatibility problems when migrating operating systems, such as group policy and shims.
"This is the more cost-effective route, and might be the only option if the application vendor is no longer around. There are also a number of third-party tools, such as AppZero, that can help bridge compatibility issues and can be very useful in migration strategy," says Simmons.
Stuck on you
We can talk about moving away, but will organisations ever truly move away from XP and IE? Morrish thinks it will eventually happen but will take time. "Pockets of XP will remain, but proportionally they'll become fewer and more niche."
Galindo says that as long as Windows XP and older Internet Explorer versions keep working, there will be businesses out there that will carry on using them. "It wouldn't be a surprise if we still see XP in use at a business for at least the next five years," he says.