A week has gone by since the expiration of Windows XP support from Microsoft, and the internet has not yet imploded. That's awesome, but don't get too excited — it's really just a matter of time. The simple reality is that the risk to Windows XP systems — as well as the risk XP systems pose to the rest of the internet — will only continue to grow with each passing week.
The good news is that many users apparently paid attention and heeded the avalanche of warnings from Microsoft and security experts to finally migrate off of Windows XP. According to Qualys CTO Wolfgang Kandek, Qualys tracked a marked decline in Windows XP use among its customers as we approached April 8.
General worldwide estimates still put Windows XP at nearly 30% of the overall desktop operating system market as of the end of March, but Qualys found usage to be around 10% for enterprise and consumer customers. As Kandek notes in the blog post, Qualys users are presumably more security conscious than average, so the Qualys metrics are good news but possibly not indicative of any broader trend.
Based on how Windows XP has trended since May of 2013 on Net Market Share, it could take another two years or more before the operating system is completely extinct. That is a long time for businesses and consumers to rely on an insecure operating system.
The sky isn't completely falling, though. Not yet, at least.
A large percentage of the Windows XP systems still in use will continue to receive extended support from Microsoft. Support has not yet expired for Windows XP Embedded systems, and Microsoft has reportedly agreed to extend support for Windows XP in China, where XP still accounts for more than 50% of desktop market share. Some government and large enterprise customers have also paid millions for extended Windows XP support.
However, if you're not a government or enterprise, and you don't live in China, the risk of exploit or compromise of your Windows XP system will increase over time. Qualys' Kandek explains, "I expect Windows XP defensibility to deteriorate quickly over the next few weeks and months as attackers will find ways to exploit certain aspects of the operating system, internet browser, mail programs, office software (Office 2003 is also EOL), and even third-party programs such as your PDF reader (Adobe says they will not update Adobe Reader on XP anymore)."
Starting with the next Patch Tuesday in May, Microsoft will only release patches and updates to fix flaws in supported versions of Windows. Microsoft won't test Windows XP to verify whether or not those same flaws exist in the legacy OS, nor will it develop a patch to fix the unsupported platform. Attackers, however, will be able to reverse engineer the updates Microsoft develops for later versions of Windows to identify the vulnerabilities patched, figure out if those same holes exist in Windows XP, and craft exploits to compromise the vulnerable systems.
Those who ignore the mountain of warnings and continue to use Windows XP do so at their own risk. Unfortunately, their risk is also our risk, because compromised systems end up in botnets, distributing spam, or hosting and distributing malware. Continuing to use Windows XP on the public internet is akin to going out in public with an active virus and coughing on people.
Do yourself and everyone else a favor. Either make a switch to a supported operating system... or move to China.
Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology and information security. He writes regularly for Forbes and PCWorld, and contributes to a wide variety of online and print media outlets. He has authored or co-authored a number of books, including Unified Communications for Dummies, Essential Computer Security, and PCI Compliance.