Microsoft Extends Updates For Windows XP Security Products Until July 2015

An anonymous reader writes "Microsoft today announced it will continue to provide updates to its security products for Windows XP users through July 14, 2015. Previously, the company said it would halt all updates on the end of support date for Windows XP: April 8, 2014. For consumers, this means Microsoft Security Essentials will continue to get updates after support ends for Windows XP. For enterprise customers, the same goes for System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune running on Windows XP."

*sigh*

If companies claim they haven't had enough time to upgrade their OS or update/rewrite their software, it is because they never will.

Re:*sigh*

[epyT-R]

..or maybe xp is good enough for them and the newer versions of windows don't offer enough incentive to upgrade. Considering how bad current microsoft contracts are, it might actually make more sense to wall those machines off from the net and keep using them instead of staying on that one-more-patch-tuesday-til-I'm-secure treadmill.

Re:*sigh*

[roc97007]

Or because they've lost the source code, or because the only person who knew the software has long since left the company, or they've tried three times since 2003 but each time was over budget and did not deliver usable code, or development has been at a standstill since they offshored the development team. Or because they don't have the budget to push out new hardware in a down economy. Or, yes, ok, because they never will.

Re:*sigh*

[mythosaz]

It's not so simple.

I'm sitting here now, virtualizing applications in App-V for an XP --> 7 migration project. Most people have no idea the scope of applications used by any sufficiently large company, the sort of resources it takes to locate, acquire, and upgrade existing products, or the skill necessary to shoe-horn old applications business can't move quickly away from into an operating system they were never intended for.

My previous employer had 40,000+ endpoints at 40+ facilities. Each of those facilities was part of a loose federation of medical providers and hospitals, each running their own software, each with dozens of departments with unique applications. Their migration to Windows 7 wasn't going to be free. It took money and manpower, and that doesn't happen overnight.

My current situation is similar, just reduced in size by an order of magnitude. Still nearly a thousand applications -- sure, you can throw a lot of them away, but that takes meeting endlessly with department heads and finding replacements - and testing them - and packaging them for distribution to your new OS in the new tool, since the old tool needs to be replaced along the way. Not everyone had a direct upgrade path to the next version of System Center.

Entire infrastructures needed replaced in a LOT of companies. You can spin up a HP Client Automation infrastructure in a day - if you're the only guy in an IT department, and don't need to wait for a change window to have DBAs configure your backend, and need to wait for networking to make sure machines outside the DMZ can still patch. People over-simplify what has to happen in the "simple" upgrades, and Windows 7 migrations were more than just going out to a PC with a copy of USMT and swapping their hardware.

Oh, and I hope you have an enterprise agreement with Microsoft, and you budgeted all of this years ago in your long-term financial plan, and you're not middle-way through any other initiatives that might cause you to have a moving target - like desktop or application virtualization. If you're going to pull off the bandaid, pull the damned thing off already. Lets get off physical boxes too! I'm sure we'll have all the USB printer issues worked out on the non-persistent desktops soon enough.

You can lose days in finding keys for "critical" one-off licensed software for a machine swap. God forbid you're moving to 64-bit and dealing with old .NET apps that nobody's going to ever re-write. It's not just walking around and swapping out some PCs.

Anyone who tells you otherwise is being willfully ignorant.

Re:*sigh*

It just sucks that MS doesn't make a 32b, legacy, low footprint OS for those that need to run old software.

First, you can get Win 7 Pro in a 32 bit version. And let's not forget about this?

Re:*sigh*

[Chaos+Incarnate]

Windows XP Mode is just an XP VM. It will still have the same vulnerabilities as an unpatched Windows XP.

Re:*sigh*

God forbid you're moving to 64-bit and dealing with old .NET apps that nobody's going to ever re-write.

Oh, it's more insidious than that. One of the 64-bit issues we had to deal with was Microsoft's IPv6 extensions to proxy.pac files. Even though the apps were 32-bit and the machines were on an IPv4-only network, you had to have essentially-duplicate FindProxyForURLEx() functions in the proxy.pac file if the machines were Windows Vista/7/8 64-bit. Contrary to documentation, the 64-bit machines weren't even using the FindProxyForURL() functions. And forget about what happens when ClickOnce is involved.

Re:*sigh*

[argStyopa]

The FACT is that most of them run just fine and don't NEED to upgrade.

Just because someone says "get on this treadmill" doesn't mean you need to.

Depending on what you want to do with a computer, you could be running flippin' DOS and be perfectly fine (not to mention have your pick of pretty-much-free machines in the dustbin that would run whatever ancient apps you need SCREAMINGLY fast).

Re:*sigh*

[Immerman]

>Being 64b is an *actual* reason to upgrade

For office drones? Really? That 3.5GB RAM limit was a bit of a nuisance for some specific things, but realistically how many office computers ever run up against it? No argument that servers and "Big Iron" can benefit substantially *if* the dataset is large enough to be seriously RAM limited. Even serious gaming rigs can often benefit dramatically from all that extra RAM and vectorization potential. But how many office applications can actually benefit notably from vectorized instruction optimizations? They spend almost all their time waiting on the user anyway, it doesn't really matter how fast they do it.

Re:*sigh*

[mlts]

Don't forget having a KMS infrastructure where every single machine in the company can contact an activation server every 180 days. Yes, one can use MAK type of keying, but if a box needs a reinstall, that means one has to burn another install key.

In a previous life, I've encountered cases with legacy apps as well, where the client was 32 bit... but just would not work on Windows 7 for love or money. I ended up having to use virtual machines running XP for the dedicated program.

Of course, there is the server infrastructure Windows 7 requires. New GPOs, more disk space for updates for WSUS, more PXE images, etc.

So, a move to Windows 7 (or a major OS update for the clients for that matter) isn't something to be taken lightly in a company, because one mistake can trash hundreds to tens of thousands of desktops. At minimum, it requires a test lab and running upgrades to see what ugly issues will rear their heads.

Re:*sigh*

[bobbied]

Bad planning is all too common especially when the eventual demise is a year or more away. You are talking a long term plan when management is in tactical mode trying to make the numbers for the quarter. If you are there talking about the sky falling in 4 years, you WILL be ignored. It's the nature of how publicly traded companies run. Remember that the last 5 years have been a *serious* problem world wide economically. Most companies are struggling to keep afloat without just throwing in the towel and everybody is dying waiting for any sign of recovery, which so far has not been really seen.

In a business down turn, where you are downsizing, EVERYTHING is tactical and strategic planning is out the door, like the last wave of RIFed off employees. The quickest way to get to follow all those people you used to work with out the door is to start making noise about spending money. Especially if you are in executive management hired and fired by the board. Best you can hope for is to pull the golden parachute rip cord before the chickens come home to roost and let the next poor soul who gets your job deal with it. Even in the best of times, many companies struggle with the "manage to quarter" mentality. It's always about stock price NOW not years down the road.

I for one am not surprised that a lot of companies have buried their heads in the sand and ignored this XP EOL date. So don't castigate the guy describing the problem he faces for not planning ahead. Seems to me, he's on top of the problem and fully knows what needs to be done, but he's not been given the necessary mandate and resources to actually get the problem fixed and work a viable plan. It's not HIS lack of planning, but a result of management choosing the expedient over what is best in the long term.

Re:*sigh*

[Luckyo]

Actually most modern games still run on 4GB RAM just fine even on w7 64bit. There is a very small subset of games that do require more, most of them terribly optimized and usually still in alpha/early beta.

Extra RAM on windows mainly helps mitigate memory leaks and hide the fact that Vista/7 is a huge memory hog with massively greater RAM requirements for OS overhead than XP ever was. Which doesn't impact you if you stay on XP. Microsoft also claims it helps caching, and to a certain extent it does. But in most cases, this advantage is negligible.

So more RAM makes sense on 7. But XP? Not so much. Which is another reason NOT to move from XP.

Re:*sigh*

[epyT-R]

Of course it isn't. It's just not that much worse to justify changing it over, especially for old hardware. No version of windows is safe from the internet. I guess I'm saying that if the need for security is important enough, it's better to cut access to the net for the average workstation regardless of windows version.

Most of those infected xp machines are owned by careless/clueless users who will soon be just as infected on windows 8 as they were under xp.

Re:*sigh*

[peragrin]

the larger the organization the harder it is to change. it is why large government projects fail so hard. How many tries did it take the FBI to update it's systems?

I know one company(80 people) that tried for 5 years to find a fairly simple path to upgrade obsolete IBM server. they still haven't done so. and still connect to the server through special terminal programs.(IBM used an IBM only terminal emulator which they no longer have source code for).

The company i currently work for(20 people) did an ERP switch. the actual data transfer went mostly painlessly. training the users in the much simpler and effective UI took a month of dedicated training, and 6 months of answering "how do I" questions. every once in a while those questions still appear but that is normal.

Now image trying that with a couple of thousand employees, and you have a nightmare.

Re:*sigh*

[LordLimecat]

For office drones? Really? That 3.5GB RAM limit was a bit of a nuisance for some specific things, but realistically how many office computers ever run up against it?

1) Anyone doing heavy duty spreadsheet, graphics, or database work is going to need a decent chunk of RAM
2) Modern webpages absolutely gobble up RAM. You can blame the browser, and that works, until you look at the competition and see that, wow, 5 tabs really does eat up ~500MB RAM no matter what browser you use
3) On my prior work computer, with 4GB RAM, I was booting to 3.2GB consumed off the bat. It was windows 7, granted, but the lions share of it was security and compliance crap. Start up my powershell environment, open a few browser tabs, and open a document or two and Im eating into the page file like disk thrashing was going out of style.

Re:*sigh*

The "office drones" fallacy is just another version of the "typical home user" who doesn't need anything more than a PC that can do web surfing and basic word processing. It's where ignorant people make the assumption that just because there are a handful of tasks common to most users that this somehow means that all of those people only do those basic tasks and only the extreme minority actually do other things that need somewhat decent hardware. Obviously that isn't true at all otherwise the PC market would have died out 10 years ago.

Re:*sigh*

[exomondo]

Because Apple products don't go end of life, they go out of fashion.

Re:*sigh*

[chipschap]

Because, uh, Linux upgrades are free, and generally automated?

Free for sure, but generally automated? Not on every distro. It's often easier to do a full save, a fresh install, and then restore whatever you need. My Linux Mint upgrades take about a day of work to get everything back to where I want it. That occurs maybe every 18 months, so I don't mind it so much, and I have complete control over the process and a very high probability of complete success (100% success so far, going back many years before Mint, to Ubuntu and Suse before that). It's an annoyance, but hardly fatal.

Re:*sigh*

[Billly+Gates]

Its 2014. Time to move on. You can get 4 gigs of ram for $50. Bare in mind Windows 7 disk and ram usage is over reported as it buffers things if the kernel detects extra ram. Disk usage is inflated from SXS which means Windows keeps extra dll versions that dynamically linked. That is a feature and you can trim with disk cleanup.

XP is a security nightmare and most MBA managers do not know or calculate this. XP doesn't scale well past 2 cores and is not optimized with CPU instructions from more modern CPUs

Re:*sigh*

[vux984]

Windows Vista introduced a proper security model. 7 was a substantial improvement, 8 was a bit cleaner and 2 steps backwards in usability, 8.1 is about on par with 7 really, with a start screen instead of a start menu.

Without getting into whether 8.1 is better than 7, anything from Vista onwards got the new security model, and THAT is a reason to upgrade.

But remember, security doesn't sell, and this thread just shows how deeply that goes. Because here on /. we spent over a DECADE mocking Windows XP and previous versions running as administrator (aka root), and the majority of users running as administor.

And then Microsoft finally fixed that, and today Windows security and reliability is a lot better as a result, but here we are on /. no less, listing to people tell us with a straight face that there is no reason for them to upgrade from XP.

Security just doesn't sell, not even here. That's sad.

Re:*sigh*

[epyT-R]

..and instead of making assumptions, you could just explain why you think the meme is stupid, or just not comment.

It's general practice to use a firewall at least. Ask yourself why that is. If your machines are bare or just depend on the built-in firewall, they are not secure.

Re:*sigh*

[Billly+Gates]

4,000 employees waiting 10 minutes for their workstations to boot as XP lacks a registry defragger and runs apps which cause winrot, not to mention lack ahci command queing for data so your disks can only handle one thing at a time, plus an added batshit paging and swap algorithm will do just that.

Now add no work for 4 hours during your mccrappy virus scan and that is more money lost. Cryptolocker locking a share randsom due to security not up to par as Windows 7 and more $$$$.

Should I go on?

You also can keep that IE 6 shitwareERP by insecure ltd by using Citrix or VMware and run it in a browser. Even your IPad has access.

The licensing savings will pay for this due to not upgrading.

That is what a good IT professional does. He is proactive and not reactive who lets harm come in by being lazy.

Re:*sigh*

[Immerman]

I think you mean 0.5GB of RAM lost. Lot's of funky memory mapping stuff using the address space above 3GB, but the first three had no major issues, and you were able to use much of the forth GB as well. And if you need enough compliance and security software running at all times to consume a GB or two of RAM I have to suggest that you're not a typical office user.

As for performance - I rarely have fewer than 20 Firefox tabs open, and often several times that, and it's not all that uncommon to also simultaneously be running an IDE with a mid-sized hobbyist application, a few multilayer images in GIMP, maybe a few vector graphic files in Inkscape, and a handful of Sketchup scenes spread across a half-dozen virtual desktops. Nothing really huge, but a lot more active data than most office workers are dealing with at one time. And this all runs reasonably smoothly on my horribly outdated 32-bit single-core XP gaming rig with only 2GB of RAM. (what can I say, I don't game like I used to and just can't justify spending $1000+ for prettier graphics in the same games). Admittedly I have done some non-standard optimizations to help things out a fair bit (the biggest one - setting the minimum swap file size to 6GB and making sure it's completely defragmented and at the front of the disk where access is fastest). Things are a bit snappier feeling on the more modern systems I use, but realistically I doubt the difference is enough to save me even a minute a day in actual productivity. If you're seeing drastically worse performance then I would suggest you may have other issues lurking within the system. Or you're just using some seriously resource-hogging applications.

Oh great...

Now I look like an asshole for telling my boss that he ABSOLUTELY HAD to upgrade everything because even Microsoft was killing security updates.

Re:Oh great...

[Jagungal]

This only refers to updates to their AV and Anti Malware products, the OS update will still stop on that date.

It is a good excuse to get Management that might have been dragging their tails up update to something more modern.

Re:Oh great...

[zerofoo]

Or they deployed Chromebooks for the reasons we did:

1. Low hardware cost - our Samsungs cost $249 each.
2. Enough web based software to do the job (google apps plus 3rd party apps are VERY good in an education environment).
3. Central data storage that doesn't require lots of backup hardware and software or server hardware.
4. Great management tools for deploying policies and apps.
5. The big one - FREE after the initial hardware purchase - WITH SUPPORT.

Show me another ecosystem that offers this much for so little cost.

If Google is beating us with a stick, I'll take it any day of the week over the Microsoft/Apple stuff we were running.

Re:Oh great...

[melstav]

Dude. Some shit ain't going to get upgraded no matter how many times you taze that dead horse.

Hell, I've still got SunOS 4.0 in production.

Re:Oh great...

Security. Windows Vista, 7, 8, and 8.1 all offer better security than XP.

Performance. Windows Vista, 7, 8 and 8.1 have better support for SATA controllers and SSDs than XP.

Modern hardware support. Eventually those 5+ year old PCs die and you have to buy new stuff.

IE > 8. See security.

Bitlocker encryption.

This is just a start. There are many reasons to upgrade past 2002 technology. XP fan boys should be shot at this point.

familiar

Like Duke Nuke'm Forever, except opposite.

Final Update to XP

I want to see Microsoft issue one last update to every version of IE available on XP that replaces all of their cryptic as fuck SSL errors so instead of saying "the site you are trying to go to is broken" they say "The site you are trying to go to requires a higher level of security than is available on windows XP". Hell, throw a store link in there so they can go buy windows 9 or whatever and upgrade their security, damned if I care.

Until then, it is single-handedly holding back TLS 1.x (>0) and SNI adoption. I can't turn it on on my server or half my customers will call to blame me for my server being "down".

Pffft....... Thanks, Oba-

[thatshortkid]

Oh.

Dear Microsoft,

[Irate+Engineer]

We really liked Windows XP. Windows 7 is OK too, but please stop churning your OS versions for planned obsolescence and give us what we really want: a stable, updated, secure OS that will last as long as our hardware.

We would be pleased to consider a reasonable subscription fee for such updates as it would afford us significant peace of mind and stability.

Signed,

Many Customers

Re:Dear Microsoft,

[LordLimecat]

Dear Microsoft,
Please shutter the part of your company that makes money, and provide us updates and support as a charitable donation for the life of my computer.

Signed,
Irate Engineer
FTFY

Re:Dear Microsoft,

[LordLimecat]

Except that OSes dont have near that long of a lifespan.

2001 was Linux kernel 2.4 2000 was 2.2. Both have long since been EOL'd If you want to look at a full OS, I think Red Hat Linux 7.2 would be right about the same age as XP; it was EOL'd in December 31, 2003 (source).

Microsoft has gone way beyond what any other OS vendor has ever done, excepting perhaps IBM with some of their ancient AIX boxes.

Re:Dear Microsoft,

[Kjella]

No-one cares when Microsoft started selling XP. They care about when Microsoft STOPPED selling XP, which was only a few years ago. There are a ton of XP machines only three or four years old that work fine and are deliberately being made obsolete just so Microsoft can make money.

Well, if they stopped selling XP back in 2007 and told everyone to STFU and switch to Vista we'd be screaming bloody murder about that so damned if you do and damned if you don't. All their support lifecycle clocks start running from when they release the N+1 product (and N+2 for extended support), now that Windows 8 is out the countdown towards Windows 7 EOL is ticking even though they still allow you to buy a Windows 7 machine. Mainstream support ends January 13, 2015 and extended support January 14, 2020. It's not like this is a bloody secret, the policy has been published and the dates set long ago. In short, if you bought XP after April 14, 2009 you know (or should have known anyway) that you were buying an OS already in the extended support phase. Why is ignorance an excuse in the tech world?

Stupid! Stupid!

[Nethemas+the+Great]

How do you (Microsoft) expect to get people off of that d*mn OS if you keep patching security holes. That was the one lever that might just have been able to do it and now you've gone an f**ked that up. To make matters worse, your piecemeal security patching (MSE, etc.) but not the OS proper will give these holdouts the false impression that their systems are secure when nothing could be further from the truth. Windows 9 won't move them off any more than Windows 8 was able to. All you're doing is hanging yet another neon sign pointing to the ragged, fetid and diseased hole of the malware whore these XP boxes have become.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Windows XP or security products?

[sqrt(2)]

In case some people don't RTFA,

In other words, while Windows XP will no longer be a supported operating system come April, companies will be at least partially protected (the actual OS still won’t get security updates) until next July.

Emphasis mine. XP updates ARE ending, but MSE/Forefront will still get updated. XP will still be susceptible to any zero day until it gets detected by MSE--if it's even installed at all. This is a marginal increase in safety for XP post-EOL, at best. The apocalypse is still nigh.

My advice for fellow ITAs. Don't mention this to your boss at all if you're still trying to migrate. It's not really relevant to the threat posed by XP's end of support. If they get wind of it on their own, emphasize that XP itself is still going to be wide open. At best all MSE does is let you know you've been owned after the fact once MS gets around to updating the definitions. MSE already has a pretty poor record for detecting even older threats. It's better than nothing but you shouldn't be relying on it.

No, this is smart. This is to keep the customers.

The idea that people won't ever move off is absurd. They will. Problem is, if they do so this year a good number are going to OS X, Ubuntu, Chromebooks, etc. Then those new Mac/Linux/Googlized people will begin experimenting with alternatives to Microsoft Office as well. Fuck.

If Microsoft can have those people wait for Windows 9 and Windows 9 is an improvement of any sort, they stand a better chance of keeping the customers. That's all this is.

holy fucking nut balls

[slashmydots]

I did not see this coming. I'm CIO and for the last 2 years I've warned the bosses about the problem @ about 95% XP and so far in those 2 years we've replaced negative 2. We added 2 seats and replaced zero lol. Every 100 days (the pattern I developed) they kicked it to the next period. Time to spend the $20 we do have in the IT budget to get a cake tomorrow and I'll announce it to the bosses!
But seriously, our shared and internet surfer and PoS computers are just fine with a socket 775 HT Pentium chip and 2GB of RAM. Why pull them just for XP?

Competition will Support XP

[ScottCooperDotNet]

Other Anti-Virus vendors like Symantec, McAfee, and Kaspersky are going to continue to support XP past April, so why should Microsoft concede market share to these competitors?

Also, Microsoft is going to look pretty bad if a new virus makes a major impact, so having their security product database updates continue will mitigate that. Doing otherwise could easily be spun as irresponsible.

Re:No, this is smart. This is to keep the customer

[WaffleMonster]

Actually he's correct and you're the one with no clue. Modern attack vectors are not the OS holes - they are browser holes, email software holes, PDF reader holes and so on. In fact, essentially all OS holes that can be exploited directly without third party are secured by a solid third party firewall.

I've noticed a number of GDI and Font type patches drop over the last years... these can get thru firewalls and exploit OS specific issues from any number of browsers or document rendering technology. Coupled with a few privilege escalation vulns of which there are infinite numbers and the result is you can still get owned pretty quickly hiding behind your firewalls.

Re:No, this is smart. This is to keep the customer

[exomondo]

Yeah i'm sure all those people who were confused by the lack of a start menu while retaining existing application compatibility are going to be real happy with another OS that also doesn't have a start menu and discards existing application compatibility.