It’s time to upgrade: Windows XP:

If you, or your workplace, are still using Windows XP, it’s time to move on. 

Microsoft will officially end support for the 2001-vintage platform on April 8, 2014.

That means no more service packs, no more updates and, most importantly, no more security patches.

Windows users generally receive periodic updates from Microsoft via its Windows Update service. These fixes often patch irregular behaviour in the operating system.

XP users are, of course, welcome to continue using their OS of choice after April 2014, but this behaviour entails a number of risks.

Windows lifecycle fact sheet:

Every Windows product has a lifecycle. The life cycle begins when a product is released and ends when it’s no longer supported or sold. Knowing key dates in this lifecycle helps you make informed decisions about when to upgrade or make other changes to your software. Here are the rights and limits of the Windows lifecycle.

* Support for Windows 7 RTM without service packs ended on April 9, 2013. Be sure to install Windows 7 Service Pack 1 today to continue to receive support and updates.

Why is Microsoft ending support for Windows XP and Office 2003?

In 2002 Microsoft introduced its Support Lifecycle policy based on customer feedback to have more transparency and predictability of support for Microsoft products. As per this policy, Microsoft Business and Developer products, including Windows and Office products, receive a minimum of 10 years of support (5 years Mainstream Support and 5 years Extended Support), at the supported service pack level.

What is the risk of continuing to run Windows XP after its end of support date?

When Microsoft releases a security update, security researchers and criminals will often times reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality. For example, if a vulnerability is addressed in one version of Windows, researchers investigate whether other versions of Windows have the same vulnerability. Microsoft Security Response Center (MSRC) releases security updates for all affected products simultaneously.  This practice ensures customers have the advantage over such attackers, as they get security updates for all affected products before attackers have a chance to reverse engineer them.

But after April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer.  The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities.  If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP.  Since a security update will never become available for Windows XP to address these vulnerabilities.

Security technology in Windows XP was never really that great, even if it got a lot better with SP2, but the product was a runaway smash hit to such an extent that we may never be rid of it. Next April will be 12 years since Windows XP was made generally available; this is an astonishingly long time to keep supporting a software product. Nobody else keeps support life spans like Microsoft; with Windows XP they actually extended the normal 10 year life by 2 years.

As for the security mitigations that Windows XP Service Pack 3 has, they were state of the art when they were developed many years ago.  But we can see from data published in the Microsoft Security Intelligence Report that the security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see.  The data we have on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8.

                                         Infection rate (CCM) by operating system and service pack in the fourth quarter of 2012 as reported in the Microsoft Security Intelligence 

Source: Microsoft, ZDNet, TechNewsdaily,  Technet blog