If you have worked for Microsoft, or any huge company, this will be no surprise; Microsoft has many groups working against each other or at least spending dollars in one department that could save or make millions in another. It’s not easy to align everything in a large company, especially when it has been run by the worst CEO in America for so long. Microsoft is regularly in the news “shutting down botnets” and doing other great pro-bono work to make the web safer. I applaud this!
Yet, in the core operating systems orgs, they have let Windows XP, still the second most used desktop OS, lag behind in security and will stop issuing patches in April of 2014. There is nothing wrong with XP, even the MS page on its retirement makes it clear that they don’t have to support it, by law, so they won’t. There are no claims related to it not being good or safe. I read it as, “There is no money in it for us, so we will spend the resources in a money making area”. If you add no context, this is a totally rational business decision. I won’t pretend to have all the data on the financial and opportunity costs of patching XP and enhancing it. I have no idea how much money it costs Microsoft to fund the groups that take down botnets. I also don’t know who the users of XP are, but I expect they are those who can’t afford to upgrade. This may be due to the cost of the OS, lack of skills to safely upgrade, or in the case of businesses, economy of scale making it very expensive.
Figure 1 All OSs on the Web
Figure 2 Windows OS Breakdown
Here is what I do know. MS will continue to support Server 2003 until July 2015. XP and Server 2003 are mostly built on the same code base, so patching XP isn’t a complete diversion from their business. If MS stops patching the OS that is nearly 30% of the desktop market, XP will become the most researched and exploited OS on the web in fairly short order. The MS team that is taking down botnets will sure have their hands full then. Maybe MS thinks that the fear of no patches will finally get users to upgrade. In the case of the enterprise, I would think so. In the case of small businesses and individuals, I expect this to be a boon for little IT shops; removing viruses and selling cheap fixes like host based firewalls, more anti-virus, anti-malware, and Advanced Persistent Controls.
Considering that Microsoft has zero legal or contractual obligations to improve or maintain XP, perhaps they can write off the cost of not turning the internet into a XP infested filthy virus zone. OK, intentional hyperbole aside, I vehemently urge Mr. Nadella to throw his predecessor under the bus and take up the cause of keeping XP healthy. This doesn’t just mean patching; it means a few basic enhancements that are needed.
OK, when I say, “there is nothing wrong with XP”, I know, it doesn’t have Address Space Layout Randomization and User Account Control, and many other benefits of post-XP OSs. Let’s not confuse the “need” for the next best OS for an actual need to get off a dangerous OS. I guess XP will be that OS soon, if Mr. Nadella doesn’t reconsider.
My in-depth focus on security is mainly around applied cryptography and identity management, so I welcome other suggestions in the comments. Below is my wish list for XP enhancements.
Upgrade to schannel. XP does not support Server Name Indication and TLS 1.2 with AES cipher suites. There are some patches for 2003 that add AES cipher suites, but with TLS 1.1 and below are vulnerable to BEAST attacks, as the added cipher suites use CBC mode. Make all these changes part of critical updates, not hotfixes. No one applies hotfixes unless they know about the issue.