Microsoft Delays Windows XP Antivirus Doomsday

Security Essentials for XP gets 15-month extension, but some antivirus vendors promise updates through 2017 and beyond.



7 Mistakes Microsoft Made in 2013 (Cick image for larger view and slideshow.)

Microsoft announced Wednesday that even after it ceases support for its aging Windows XP operating system in April, it won't stop issuing new signatures and updates for its XP antivirus software engine until mid-2015. That represents an about-face by Microsoft, which previously said that as of April it would cease updating all of its XP-compatible security software, including the free Security Essentials.

Microsoft's Malware Protection Center, which announced the extension, pitched it as a way to help businesses and consumers move to a newer version of Windows. "To help organizations complete their migrations, Microsoft will continue to provide updates to our anti-malware signatures and engine for Windows XP users through July 14, 2015," Microsoft's malware protection team said in a blog post.

But the post also emphasized that Windows XP will still receive its final set of operating system security patches and other updates on April 8, 2014. "After this date, Windows XP will no longer be a supported operating system," it read. (Aficionados of the impending Windows XP update doomsday can follow along at home by downloading Microsoft's free Windows XP End Of Support Countdown Gadget.)

[What will happen to all those XP machines and their networks on April 8? Read Windows XP Won't Go Quietly.]

The reprieve means that for Windows XP enterprise users, Microsoft will continue to maintain -- for the next 18 months -- System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune. Meanwhile, for Windows XP consumer users, Microsoft will continue to keep Microsoft Security Essentials updated.

The Microsoft security team cautioned, however, that using up-to-date antivirus still might not protect Windows XP users against post-April attacks, especially because attackers may then be able to reverse-engineer new patches for more recent Microsoft operating systems to find exploitable vulnerabilities in Windows XP: "Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today's threat landscape."

The research referenced by Microsoft refers to figures first detailed in October 2013 by Mike Reavey, Microsoft's Trustworthy Computing general manager, who said, "Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate." In no small part, the relative susceptibility of Windows XP to malware has to do with the security protections that Microsoft has built into more modern versions of Windows as well as Internet Explorer.

Despite the impending security risks, a NetMarketShare study found that as of December 2013, Windows XP still commanded 29% of the Windows market share -- behind Windows 7 (48%) but well ahead of Windows 8 (11%) and Windows Vista (4%).

What will be the impact of Microsoft's antivirus software reprieve? Later generations of Windows XP were built to install Microsoft's Security Essentials antivirus software by default, if no other antivirus tools were detected. Accordingly, Microsoft's extension could be a boon to any businesses or consumers who currently rely on Microsoft's own antivirus tools, even if they don't know that it's running. Furthermore, on the immunology tip, keeping up-to-date antivirus software installed on more Windows XP machines will help provide herd immunity for Internet users at large.

Make no mistake, however: Continuing to use Windows XP after April 2014 will become a riskier endeavor. "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks," independent security researcher Graham Cluley warned last year.

XP holdouts needn't stick with Microsoft's antivirus offerings. Independent German security software testing lab AV-Test recently queried 27 different vendors and found that all plan to continue XP support for at least the next two years. "Trend Micro, for example, has already confirmed that it will keep its products up to date until at least 2017, while Webroot even plans to delay the cancellation of updates for its products on Windows XP systems until at least April 2019," AV-Test said Wednesday in a blog post.

The testing firm said that it will continue to evaluate the effectiveness of vendors' security suite software running on Windows XP. Even so, anyone who continues to use Windows XP after April 2014 must take additional steps to protect themselves beyond using up-to-date antivirus engines and signatures.

For starters, AV-Test recommends that after April, Windows XP users should spend as little time connected to the Internet as possible, and never do so using Internet Explorer. "We also recommend the use of an alternative browser such as Google Chrome or Firefox, which will continue to be kept up to date with the best possible security, if the announcements made by their developers are anything to go by."

Outlook Express users should also ditch that email client. "Switch from Outlook Express to another mail program because Outlook Express is part of the XP operating system and will therefore also receive no updates whatsoever after the end of support," said AV-Test. The testing firm noted that among the many alternatives, perhaps the best known is Thunderbird, which Mozilla has promised to continue updating for Windows XP, at least for the foreseeable future.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)