Microsoft May End Antivirus Updates for Windows XP Too

News
By Kevin Parrish
published

A spokesperson for Microsoft told ZDnet that the company will not guarantee updates of its antimalware signature and engine after the Windows XP end of support date of April 8, 2014. The news arrives after Tim Rains, Director of Trustworthy Computing at Microsoft, explained why Windows XP and Office 2003 users will be left so vulnerable to attackers.

"Running antivirus on out of support operating systems is not an adequate solution to help protect against threats," the rep told ZDNet on Monday. "Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape."

"In addition, Microsoft recommends best practices to protect your PC such as:  1) running up to date antivirus, 2) regularly applying security updates for all software installed, and 3) using modern software that has advanced security technologies and is supported with regular security updates," the rep added.

Last week Rains said that Windows XP users are more vulnerable now than they were years ago because the company has steadily incorporated defensive technologies into Windows with each new version. According to the report, the only major technology Windows XP has is Data Execution Prevention, or DEP, which was improved in subsequent versions.

In a chart provided by Microsoft, the number of Common Vulnerabilities and Exposures (CVEs) mitigated by Windows XP's built-in DEP were finally surpassed by the CVEs that could bypass XP's baked in protection in 2011; by 2012, that bypassing number of CVEs appear to have doubled. Now imagine the number for 2013 and beyond, as unpatched vulnerabilities will begin to emerge after April 8, 2014, some of which will have been saved by hackers to use after the death of Windows XP.

Rains also points out that Microsoft will patch vulnerabilities in Windows Vista and above, but "malicious" researchers will likely reverse engineer these updates, test to see if they affect Windows XP -- which most of them will according to the report -- and write exploits for those vulnerabilities, targeting the older Windows XP platform.

Individuals and companies holding off on upgrading from Windows XP may want to reconsider, especially if they're handling private, sensitive data. This isn't a sales pitch, but more of a plea to move away from the dying platform to at least Windows 7, a sleeker and safer platform using newer technologies that help protect your sensitive information better than Windows XP.

Follow us @tomshardware, on Facebook and on Google+.

Kevin Parrish
23 Comments Comment from the forums
  • lp231
    XP is old, but there are other free ones like AVG and Avast
    Reply
  • jerm1027
    11864370 said:
    XP is old, but there are other free ones like AVG and Avast

    As much as I'm skeptical of anything those folks have to say, they make a point. If you bothered reading the article, you'd know that one of the first things said was anti-virus wasn't enough. There are inherent vulnerabilities within the OS itself that, presumably, anti-virus can't protect against. Windows XP really doesn't have any built-in security outside of DEP, and that dated version can only do so much.
    In a chart provided by Microsoft, the number of Common Vulnerabilities and Exposures (CVEs) mitigated by Windows XP's built-in DEP were finally surpassed by the CVEs that could bypass XP's baked in protection in 2011; by 2012, that bypassing number of CVEs appear to have doubled. Now imagine the number for 2013 and beyond, as unpatched vulnerabilities will begin to emerge after April 8, 2014, some of which will have been saved by hackers to use after the death of Windows XP.
    Reply
  • fleakiller
    And what sucks for me on my work computer is that most crane and engine manufacturers software only work on XP.
    Reply
  • Darkk
    @fleakiller - It's not really an issue long as those PCs don't connect to the internet. It'll run perfectly fine for several more years until the new version of the software requires newer version of the OS to run it.
    Reply
  • s997863
    "Running antivirus on out of support operating systems is not an adequate solution to help protect against threats,"
    In my experience back when WinXP was new, browsing the internet without ANY protection on Win98 caused no ill effects whatsoever, but using IE on XP without a firewall immediately started messing up your machine with worms/trojans even if you were just browsing only. So it's quite the opposite. Apparently, if it's not popular (not many users), it's much less likely to be targeted.
    As for Antivirus: never ever used any antivirus in my life, and never had any problems. Just use common sense:
    1. don't download/run/install untrusted programs.
    2. keep hidden-files & system-files veiw always ON in folder options.
    3. disable autoplay for all USB/cd drives. Never use autoplay ... ever.
    4. keep "file extensions" view ON always. (so you can see image.jpg.exe for what it really is)
    5. delete the hidden folder containing the wierd EXEs in the flash drive someone just gave you.
    6. do the opposite of whatever MS reps say.
    Reply
  • taz-nz
    @Darkk - That's only true if you also:

    - Remove the optical drive and other removable media drives.
    - Remove any wireless or bluetooth adapters.
    - Block up the network port.
    - Remove any peripherals that have their own data inputs, multifunction printers, flash card readers etc.
    - Block up all the USB ports, unless they are needed for keyboard on mouse, in which case super glue those devices into the ports.
    - Block up any other port such and Firewire or Thunberbolt.
    - Tack weld the case shut.

    Then maybe the computer will be safe for the next couple of years, of course it will impossible to get data on or off the computer, other than manually enter it or print it out, there will also be no way to backup, but hey it will be safe, as long as the hard drive doesn't fail.

    Air Gapping a PC only works if you have total control over what is connected to it at all times. I can't count the number of PC I've seen total owned by a virus, because someone thought because it wasn't on the network it was safe. But of course they want to get files on off the pc using a flash drive, or they wanted that one file off the backup media over the long weekend, so they opened it on their home PC, or someone needed a convenient USB port to charge there smartphone. Then it's as helpless as the Indians were to smallpox.

    In the typical work environment an Air Gapped computer is a lamb to the slaughter, an internet connected computer with a modern OS, antivirus, and the ability to keep itself up to date, has a hell of a lot better chance of staying virus free.

    Reply
  • somebodyspecial
    ROFL. Get comodo internet security (firewall/av/sandbox etc included) etc...FREE, better than MS already. Viola...Problem solved. Combo this with THREATFIRE (again free) and you're good to go. I do this on Win7 and I don't run around on just "regular" websites...ROFL. You can get system restore type apps better than built in also free. At one point I had XP on a machine that hadn't been updated for 2+ years with windows updates (just as a test project) which never had issues. The combo above kept anything bad from happening even knowing gaping holes were in my OS/Office 2007 (had that on at the time, also out of date for 2yrs). I'm in IT so we do some crazy crap like that at home...LOL. I've tested other AV/Firewalls also but ended on this combo since the family likes it and has less issues it seems (nobody liked kaspersky...Wasted money for 3 houses on that stuff, turned it off in weeks...LOL). I used to really like ZoneAlarm but that ended ages ago for various reasons (and cost). Everyone is now used to how to sandbox stuff etc in comodo so I don't see us paying anyone for a while and threatfire pretty much just works silently with a popup once every few months trying to get you to upgrade to their product (one click it's over).

    Don't panic people, just get some good free tools that are highly rated by cnet, pcmag etc or grab what I named above.
    Reply
  • h0llow
    easy thing to do.. don't do anything stupid online.. get some good AV + antispyware.. good enough.. get a lot of issues still? well.. spend the money and get a new pc or os.. running a 10-13 yrs old pc is pretty slow compared to new stuff anyways USUALLY according to all my computer clients stubborn to get rid of their pc or buys a 13 year old machine used. not to be prideful or anything but i've also never needed any sort of AV software and extremely rare that i get anything bad.
    Reply
  • danwat1234
    You don't need to upgrade from XP, just use a good security suite and common sense.
    Reply
  • digiex
    Enough of these scare tactics on XP, I'm really very scared at this moment, Ok, ok, I'll switch,...

    ...to Linux
    Reply