Microsoft’s announcement this week that it is preparing to end support for machines running Windows XP SP2 not only represents a challenge for the thousands of businesses still running SP2, but also is the end of an era for both Microsoft and its customers.
By the time Microsoft drops support for XP SP2 on July 13, Windows XP will be nearly nine years old. The OS was released in August 2001 as a replacement for Windows 2000 and was the last full release of Windows before Microsoft started its Trustworthy Computing effort. Very soon after the famous memo from Bill Gates appeared, attention both inside and outside the company focused on hardening Windows XP.
The first release of Windows XP was not seen as much of a security upgrade over Windows 2000, and it became clear fairly quickly that it was going to need some serious help. And soon. Windows XP had a firewall installed with it, but it was turned off by default and wasn’t obvious to a lot of users.
With Service Pack 2 Microsoft set out to fix that and add a number of other security protections, as well. It wasn’t until 2004 that the final release of XP SP2 actually hit the streets. But when it did, it represented a huge step forward in security for Windows users. It wasn’t necessarily the feature set that mattered as much as the fact that the protections were enabled by default and taken out of the users’ hands.
Not only did XP SP2 turn on the Windows Firewall by default, which was a major upgrade. But the service pack also added hardware support for DEP (Data Execution Prevention), an important defense against buffer overflow attacks. This was at a time when worms such as Code Red, Nimda and others were tearing through networks around the world, exploiting memory vulnerabilities and paralyzing systems.
The combination of these security features and the addition of the Windows Security Center, which gave users a dashboard-type view of the status of their antivirus software, firewall and other protections, was a milestone in desktop security. Microsoft has continued to add security features to subsequent releases of Windows, but XP SP2 was the one that started it all.
And now, Microsoft is ending support for XP SP2, as well as for Windows 2000, a move that’s been anticipated for some time. (The company will still support SP3 for Windows XP.) It’s a decision that likely has as much to do with the company’s interest in having customers upgrade to a new version of Windows–or even a new machine entirely–as it does with the practical considerations of continuing to provide patches and tech support for outdated OS versions. But that doesn’t make it any less problematic for organizations that have plenty of XP machines happily humming along.
As Byron Acohido points out, this is not an insignificant problem.
“Such desktop PCs and servers are still widely used in corporate
networks globally. And as anyone paying attention knows, infected PCs in corporate
settings are in high
demand by cyber gangs controlling the botnets driving all forms of
cybercrime. Botnets are used to spread spam, steal data, hijack online
bank accounts, commit click fraud and conduct denial-of- service
attacks for extortion or political reasons,” Acohido writes.
Older machines often are prime targets for attackers, who know that these PCs are less likely to be fully updated. But they’re just as valuable to botmasters, spammers and other attackers as newer PCs are. A win is a win, regardless of the victim’s age.
For Microsoft and its customers, the end of support for XP SP2 is the end of the beginning of Microsoft’s security initiative.