Today's the day: Microsoft will serve up its final public patches for Windows XP.
Although Microsoft has pounded the "Kill XP" drum for years, the news broke out of the tech press ghetto today and stormy warnings, scare stories and Y2K-esque tales of doom were rife among mainstream media.
How did it come to this?
We'll answer that question, and others, about what wags have dubbed the "XPocolypse," the operating system edition of "The Walking Dead."
What's the deal?
Microsoft supports its Windows operating systems for a set length of time by giving customers free bug fixes and security patches. That timespan is usually 10 years, with the end of support tagged with the funereal "end of life" and the 10 years collectively called "product lifecycle." Yes, it has a certain The Lion King "Circle of Life" feel to it.
Use this Microsoft website to find the EOL of any Microsoft product.
But didn't Microsoft release Windows XP in 2001? That's more than 10 years. Do you have an addition problem?
Not at all. Okay, not that often. Really.
In January 2007, around the time Windows Vista debuted, Microsoft added additional years of support to Windows XP Home, which was originally to lose its patching privileges in January 2009. Windows XP Professional, the business class version of the OS, had already been awarded a retirement date of April 2014.
At 12 years, five months, Windows XP is the record holder as the longest-lived Microsoft OS.
What happens today? Does XP stop working?
No, an XP machine will boot up and run normally on April 9. But after today, Microsoft will stop serving the general public any security patches for vulnerabilities in XP that its researchers or outside bug hunters -- criminals included -- find.
Is that it? That's the big deal everyone's making a fuss over?
Pretty much. According to Microsoft, the lack of patches for XP will increase the likelihood of a malware infection by at least two-thirds. Most outside security experts agree, but have not pegged the increase with a number. (Microsoft based its 66% increase on what happened to Windows XP Service Pack 2 (SP2) users after it was retired in favor of XP SP3.)
Why will malware infections increase on XP after the patch retirement date?
Microsoft posits the following:
Because many vulnerabilities are found in multiple versions of Windows -- say, Windows XP as well as Windows 7 -- hackers will be able to suss out the bug in XP by looking at the still-served patch for Windows 7. By comparing the pre-patch Windows 7 with the post-patch Windows 7, they will be able to narrow the scope of their search for the flaw in Windows 7.
After that, they could look at Windows XP for the same or similar code, possibly locate the vulnerability, and then write an exploit that will allow them to compromise the PC and plant malware on it.
Sounds far-fetched. How likely is that?
No one knows. But hackers often use the code-comparison technique -- the difference between pre-patch and post-patch -- to help them focus on the most-likely file or component with the bug.
How is this any different than when any other edition of Windows leaves patch support?
Unlike earlier Windows' retirements, XP maintains a huge presence among computer owners worldwide. According to Web analytics company Net Applications, XP accounted for about 28% of all personal computer operating systems used to go online in March, and about 31% of those running one flavor or another of Windows.
It's the size of the pool still running XP that matters, not that there are people who continue to rely on the old OS.
I've heard that Microsoft will continue patching Windows XP, but that you have to pay. Any truth to that?
Sort of. While the general public will see no more patches after Tuesday, the largest customers can participate in what Microsoft calls "Custom Support," an after-retirement contract that provides patches for all vulnerabilities rated as "critical," the most serious ranking.
According to analysts, a Custom Support contract runs about $200 per PC for the first year and more each succeeding year. The U.K. government, for example, paid Microsoft more than 5.5 million (approximately $9.2 million) for Windows XP, Office 2003 and Exchange 2003 patches for the next 12 months.
Custom Support isn't available to consumers, or to smaller businesses.
Is Windows XP the only software heading into retirement?
No. Also slated for the guillotine is Office 2003, the productivity suite that launched -- you guessed right -- in 2003. Although it would behoove you to distance yourself from Office 2003 -- Microsoft will, for example, patch one flaw in Word 2003 later today -- there seems to be little concern, either on the part of Redmond or customers, about Office 2003's impending retirement.
I use Internet Explorer on Windows XP. Microsoft's going to keep patching IE, right?
Ah, no. When Microsoft says it won't patch Windows XP, it really means it: After Tuesday, it will not fix flaws in any version of IE that runs on the OS. That's IE6, IE7 and the newest suitable for XP, IE8.
You might think that's strange: After all, IE8 runs on Windows 7, and Microsoft's not putting that out to pasture. And you would be right. IE8 will get patches on Windows 7 until the operating system is retired, which isn't until 2020.
Holy crap. I won't be leaving XP behind real soon. But I spend a ton of time on the Web. What should I do?
Most security experts have advised XP users who are sticking with the old OS to switch to a different browser, like Google's Chrome or Mozilla's Firefox, both of which will continue to be patched for at least the next year.
Microsoft claimed different. In a recent blog, Tim Rains of the company's Trustworthy Computing group, contended that switching browsers would not help. "Changing browsers won't mitigate this risk, as most of the exploits used in such attacks aren't related to browsers," Rains said two weeks ago.
While the second half of Rain's statement is true -- most attacks don't rely on browser vulnerabilities but instead target extensions such as Adobe Flash or Java -- the first half is disingenuous at best, dishonest at worst: Dropping IE for Chrome, Firefox, or Opera Software's Opera will, if nothing else, eliminate IE-based drive-by attacks. That alone, and running a still-updated browser, can minimize the risk XP users take by continuing to rely on the unsupported operating system.
I'm spooked and want to get out of XP. What are my options?
Two, really. First you can try to upgrade your current PC to a newer Windows. Second, you can buy a new device, not necessarily a PC, not necessarily something powered by Windows, and move what you need, important files and photos, for example, from the old to the new.
Both are fraught with pitfalls and can easily run into the hundreds of dollars to complete. Neither can be fully spelled out here -- that's outside the scope of this FAQ -- but we'll cover a few of the basics.
How do I know if I can upgrade XP to Windows 7 or Windows 8.1?
To check whether your XP hardware can be upgraded to Windows 7, download and run this Windows 7 Upgrade Advisor utility. (A step-by-step set of instructions is here.) A similar tool for a Windows 8.1 upgrade, called the Windows 8 Upgrade Assistant, is available from a link on this page.
Should I replace Windows XP with Windows 7 or Windows 8.1?
That's not the right question to ask. If you're not going to get rid of that old PC, you've already made the decision: Go for a Windows 7 upgrade.
Why? Because although Microsoft's made strides to accommodate keyboard-and-mouse users with changes to Windows 8, it's not yet gone far enough to make an XP-to-Windows 8 transition any less jarring than if you'd been boiling coffee on a campfire for decades and all of a sudden changed to an in-home, kitchen-counter-hogging espresso machine.
Two months ago Microsoft appealed to its technically-astute customers, asking them to help friends and family migrate from XP to Windows 8.1. Those users hooted Microsoft down, telling the company that would be the last thing they did before the friends and family broke off the relationship.
If you want Windows 8.1, bite the bullet and buy new hardware that has a touch screen.
But hasn't Microsoft stopped selling Windows 7? Where do I get a copy?
True. Microsoft halted sales of Windows 7 last October on its own e-store, and stopped shipping new copies to distributors around that same time. But copies of Windows 7 are easily found online, including at stalwart outlets like Amazon.com and Newegg.com, which have stockpiled the OS. Windows 7 will be available for years, even to consumers and very small businesses.
What about a new device?
You don't have to buy another Windows-powered PC. This would be a perfect time, if you're so inclined, to shift platforms, say, to a cheap Chromebook, a tablet, or a more-expensive MacBook Air or MacBook Pro from Apple.
After you choose a platform -- Windows, Chrome OS, Android, OS X or iOS -- you can upload the important files from your old Windows XP machine to a cloud-based storage service, like OneDrive, Google Drive or iCloud using the respective browser-based interface. Once in the cloud, those files can be accessed from or downloaded to your new device.
I'm going to stick with Windows XP. What can I do to stay safe, or at least safer, even if Microsoft doesn't patch the OS anymore?
Recommendations from both Microsoft and outside security experts have focused on two broad moves: Try to secure the PC, operating system and other software as much as possible, and second, limit what an XP-powered machines does. The former attempts to defend the machine as best as one can from exploits, while the former hopes to avoid the most common attack vectors.
On Defense No. 1 -- securing the PC -- there are numerous bullet-point recommendations from both industry experts, like this one from Directions on Microsoft, and security professionals, such as this one from Sophos. Both urge users to run up-to-date antivirus software and keep other components, which are hacked far more frequently than the OS, like browsers, browser plug-ins, and popular platforms like Java and Adobe Flash, patched.
Defense No. 2 may work for some companies -- which can isolate some or all of their XP machines -- but is nearly worthless for consumers. Why? If they stop browsing and stop reading email, what's the point of owning the PC in the first place? These days, when legitimate websites serve malware and cyber criminals have had years to hone their phishing pitches, it's nearly impossible for most users to never stray into the darker alleys of the Internet.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about windows in Computerworld's Windows Topic Center.