Microsoft Extends Updates For Windows XP Security Products Until July 2015

An anonymous reader writes "Microsoft today announced it will continue to provide updates to its security products for Windows XP users through July 14, 2015. Previously, the company said it would halt all updates on the end of support date for Windows XP: April 8, 2014. For consumers, this means Microsoft Security Essentials will continue to get updates after support ends for Windows XP. For enterprise customers, the same goes for System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune running on Windows XP."

*sigh*

If companies claim they haven't had enough time to upgrade their OS or update/rewrite their software, it is because they never will.

Re:*sigh*

[epyT-R]

..or maybe xp is good enough for them and the newer versions of windows don't offer enough incentive to upgrade. Considering how bad current microsoft contracts are, it might actually make more sense to wall those machines off from the net and keep using them instead of staying on that one-more-patch-tuesday-til-I'm-secure treadmill.

Re:*sigh*

[roc97007]

Or because they've lost the source code, or because the only person who knew the software has long since left the company, or they've tried three times since 2003 but each time was over budget and did not deliver usable code, or development has been at a standstill since they offshored the development team. Or because they don't have the budget to push out new hardware in a down economy. Or, yes, ok, because they never will.

Re:*sigh*

[mythosaz]

It's not so simple.

I'm sitting here now, virtualizing applications in App-V for an XP --> 7 migration project. Most people have no idea the scope of applications used by any sufficiently large company, the sort of resources it takes to locate, acquire, and upgrade existing products, or the skill necessary to shoe-horn old applications business can't move quickly away from into an operating system they were never intended for.

My previous employer had 40,000+ endpoints at 40+ facilities. Each of those facilities was part of a loose federation of medical providers and hospitals, each running their own software, each with dozens of departments with unique applications. Their migration to Windows 7 wasn't going to be free. It took money and manpower, and that doesn't happen overnight.

My current situation is similar, just reduced in size by an order of magnitude. Still nearly a thousand applications -- sure, you can throw a lot of them away, but that takes meeting endlessly with department heads and finding replacements - and testing them - and packaging them for distribution to your new OS in the new tool, since the old tool needs to be replaced along the way. Not everyone had a direct upgrade path to the next version of System Center.

Entire infrastructures needed replaced in a LOT of companies. You can spin up a HP Client Automation infrastructure in a day - if you're the only guy in an IT department, and don't need to wait for a change window to have DBAs configure your backend, and need to wait for networking to make sure machines outside the DMZ can still patch. People over-simplify what has to happen in the "simple" upgrades, and Windows 7 migrations were more than just going out to a PC with a copy of USMT and swapping their hardware.

Oh, and I hope you have an enterprise agreement with Microsoft, and you budgeted all of this years ago in your long-term financial plan, and you're not middle-way through any other initiatives that might cause you to have a moving target - like desktop or application virtualization. If you're going to pull off the bandaid, pull the damned thing off already. Lets get off physical boxes too! I'm sure we'll have all the USB printer issues worked out on the non-persistent desktops soon enough.

You can lose days in finding keys for "critical" one-off licensed software for a machine swap. God forbid you're moving to 64-bit and dealing with old .NET apps that nobody's going to ever re-write. It's not just walking around and swapping out some PCs.

Anyone who tells you otherwise is being willfully ignorant.

Re:*sigh*

[Chaos+Incarnate]

Windows XP Mode is just an XP VM. It will still have the same vulnerabilities as an unpatched Windows XP.

Re:*sigh*

[mlts]

Don't forget having a KMS infrastructure where every single machine in the company can contact an activation server every 180 days. Yes, one can use MAK type of keying, but if a box needs a reinstall, that means one has to burn another install key.

In a previous life, I've encountered cases with legacy apps as well, where the client was 32 bit... but just would not work on Windows 7 for love or money. I ended up having to use virtual machines running XP for the dedicated program.

Of course, there is the server infrastructure Windows 7 requires. New GPOs, more disk space for updates for WSUS, more PXE images, etc.

So, a move to Windows 7 (or a major OS update for the clients for that matter) isn't something to be taken lightly in a company, because one mistake can trash hundreds to tens of thousands of desktops. At minimum, it requires a test lab and running upgrades to see what ugly issues will rear their heads.

Re:*sigh*

[bobbied]

Bad planning is all too common especially when the eventual demise is a year or more away. You are talking a long term plan when management is in tactical mode trying to make the numbers for the quarter. If you are there talking about the sky falling in 4 years, you WILL be ignored. It's the nature of how publicly traded companies run. Remember that the last 5 years have been a *serious* problem world wide economically. Most companies are struggling to keep afloat without just throwing in the towel and everybody is dying waiting for any sign of recovery, which so far has not been really seen.

In a business down turn, where you are downsizing, EVERYTHING is tactical and strategic planning is out the door, like the last wave of RIFed off employees. The quickest way to get to follow all those people you used to work with out the door is to start making noise about spending money. Especially if you are in executive management hired and fired by the board. Best you can hope for is to pull the golden parachute rip cord before the chickens come home to roost and let the next poor soul who gets your job deal with it. Even in the best of times, many companies struggle with the "manage to quarter" mentality. It's always about stock price NOW not years down the road.

I for one am not surprised that a lot of companies have buried their heads in the sand and ignored this XP EOL date. So don't castigate the guy describing the problem he faces for not planning ahead. Seems to me, he's on top of the problem and fully knows what needs to be done, but he's not been given the necessary mandate and resources to actually get the problem fixed and work a viable plan. It's not HIS lack of planning, but a result of management choosing the expedient over what is best in the long term.

Re:*sigh*

[vux984]

Windows Vista introduced a proper security model. 7 was a substantial improvement, 8 was a bit cleaner and 2 steps backwards in usability, 8.1 is about on par with 7 really, with a start screen instead of a start menu.

Without getting into whether 8.1 is better than 7, anything from Vista onwards got the new security model, and THAT is a reason to upgrade.

But remember, security doesn't sell, and this thread just shows how deeply that goes. Because here on /. we spent over a DECADE mocking Windows XP and previous versions running as administrator (aka root), and the majority of users running as administor.

And then Microsoft finally fixed that, and today Windows security and reliability is a lot better as a result, but here we are on /. no less, listing to people tell us with a straight face that there is no reason for them to upgrade from XP.

Security just doesn't sell, not even here. That's sad.

familiar

Like Duke Nuke'm Forever, except opposite.

Final Update to XP

I want to see Microsoft issue one last update to every version of IE available on XP that replaces all of their cryptic as fuck SSL errors so instead of saying "the site you are trying to go to is broken" they say "The site you are trying to go to requires a higher level of security than is available on windows XP". Hell, throw a store link in there so they can go buy windows 9 or whatever and upgrade their security, damned if I care.

Until then, it is single-handedly holding back TLS 1.x (>0) and SNI adoption. I can't turn it on on my server or half my customers will call to blame me for my server being "down".

Windows XP or security products?

[sqrt(2)]

In case some people don't RTFA,

In other words, while Windows XP will no longer be a supported operating system come April, companies will be at least partially protected (the actual OS still won’t get security updates) until next July.

Emphasis mine. XP updates ARE ending, but MSE/Forefront will still get updated. XP will still be susceptible to any zero day until it gets detected by MSE--if it's even installed at all. This is a marginal increase in safety for XP post-EOL, at best. The apocalypse is still nigh.

My advice for fellow ITAs. Don't mention this to your boss at all if you're still trying to migrate. It's not really relevant to the threat posed by XP's end of support. If they get wind of it on their own, emphasize that XP itself is still going to be wide open. At best all MSE does is let you know you've been owned after the fact once MS gets around to updating the definitions. MSE already has a pretty poor record for detecting even older threats. It's better than nothing but you shouldn't be relying on it.

Re:Oh great...

[Jagungal]

This only refers to updates to their AV and Anti Malware products, the OS update will still stop on that date.

It is a good excuse to get Management that might have been dragging their tails up update to something more modern.

No, this is smart. This is to keep the customers.

The idea that people won't ever move off is absurd. They will. Problem is, if they do so this year a good number are going to OS X, Ubuntu, Chromebooks, etc. Then those new Mac/Linux/Googlized people will begin experimenting with alternatives to Microsoft Office as well. Fuck.

If Microsoft can have those people wait for Windows 9 and Windows 9 is an improvement of any sort, they stand a better chance of keeping the customers. That's all this is.

Re:Oh great...

[zerofoo]

Or they deployed Chromebooks for the reasons we did:

1. Low hardware cost - our Samsungs cost $249 each.
2. Enough web based software to do the job (google apps plus 3rd party apps are VERY good in an education environment).
3. Central data storage that doesn't require lots of backup hardware and software or server hardware.
4. Great management tools for deploying policies and apps.
5. The big one - FREE after the initial hardware purchase - WITH SUPPORT.

Show me another ecosystem that offers this much for so little cost.

If Google is beating us with a stick, I'll take it any day of the week over the Microsoft/Apple stuff we were running.