Thursday, May 29, 2014

Why continuing support for XP is bad math - Story by WindowsSecret.com - Author Tony Bradley

A Windows Secrets reader recently commented that he'd be more than willing to pay Microsoft a perpetual fee to continue supporting Windows XP. To gain significant traction, the subscription would have to be priced reasonably for the average PC user — perhaps U.S. $25 a year.
It's an interesting concept. How much money could Microsoft rake in for ongoing XP support? Let's take a quick look at the math. There are roughly 300 to 500 million PCs in the world still running Windows XP; let's split the difference and say there are 400 million. Some portion of that figure includes government agencies and major corporations that are already paying Microsoft significant fees for extended XP support.
So let's cut the number in half and say there are 200 million consumers still using the now unsupported Windows XP. Assuming most of those individuals are willing to pay $25 per year to avoid upgrading to a more modern operating system, Microsoft might see roughly $4 billion in annual revenue.
That's hardly chump change, especially given that Microsoft's entire net income for the most recent fiscal quarter was $5.66 billion. And there would be almost no cost to Microsoft; it's already investigating flaws and developing patches for the supported versions of Windows. At face value, it seems like a win for both Microsoft and Windows XP users.
It isn't — and Microsoft knows that. There's almost no chance that the company will implement any consumer-based, pay-for-support program for XP. And we should all be thankful for that fact. The issues with Windows XP run much deeper than just patching known vulnerabilities on the second Tuesday of each month. Moreover, Microsoft has motives and concerns that go beyond patching XP vulnerabilities and fighting off exploits.
An OS that's now insecure by design
No, Windows XP wasn't built to be vulnerable; but its architecture has made it so over time. Back when the Internet was relatively new, XP was a great operating system. It's still a perfectly functional OS — for applications that do not require a network or Web connection.
But from a security standpoint, XP is now simply too archaic. Connecting the OS to the Internet is like speeding down the highway in a car with no seat belts. It's not only dangerous for you; today's malware makes it hazardous for every other PC with a shared network or Internet connection.
Patching XP won't provide the security tools introduced with Windows Vista and enhanced with Windows 7 and Windows 8. Security features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) can't be backported to XP without an extraordinary amount of coding effort. (DEP and ASLR aren't invulnerable, but they do provide additional layers of defense that significantly raise the time and effort an attacker must invest to develop a successful exploit.)
More current versions of Windows also include User Account Control (UAC), which helps protect users running in administrator mode. (Many users are running in admin mode by default.) UAC helps enforce the concept of least privilege: it forces even admins to approve specific changes to Windows, such as installing or updating applications. Most Windows XP users run in an admin-level account, putting themselves at significant risk: any malicious code that gets onto the system runs with full administrator privileges.
The upshot? All else being equal, Windows XP is almost always at significantly greater risk than newer versions of Windows — even when it's the same vulnerability across all versions. That fact can skew Microsoft's vulnerability ratings because any particular flaw's overall rating is based on the OS most threatened. So a vulnerability rated critical might be rated important or even moderate if Windows XP is removed from the equation.
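As an added example, not part of the Windows Secrets article, the following PowerShell audit checks on a modern Windows machine whether the defenses described above are actually in force: the system-wide DEP policy, the UAC settings, whether the current shell holds an elevated administrator token (the permanent state of an XP admin-account session), and, on builds that ship the ProcessMitigations module (Windows 10 1709 and later), the system-wide ASLR default. The function names Get-MitigationAudit and Test-LeastPrivilegePosture are assumptions made up for this example; the CIM properties and registry values it reads are standard Windows ones.

```powershell
# Added example (not from the article): audit DEP, ASLR, UAC and the
# privilege level of the current session on Windows Vista or later.

function Get-MitigationAudit {
    # --- DEP system policy (Win32_OperatingSystem, documented values 0-3) ---
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $depPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = $depPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # --- ASLR system default: only queryable where ProcessMitigations exists ---
    # (assumed property path; the module is absent on builds before 1709)
    $aslrForceRelocate = 'unknown'
    if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
        try {
            $aslrForceRelocate = (Get-ProcessMitigation -System).ASLR.ForceRelocateImages
        } catch { $aslrForceRelocate = 'query failed' }
    }

    # --- UAC configuration (documented HKLM policy values) ---
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey
    $uacEnabled = ($uac.EnableLUA -eq 1)
    # ConsentPromptBehaviorAdmin = 0 means admins elevate silently, so UAC
    # never gives them the approval step the article describes.
    $silentElevation = ($uac.ConsentPromptBehaviorAdmin -eq 0)

    # --- Does this session run with a full (elevated) administrator token? ---
    # With UAC on, an admin's normal shell holds a filtered token and this
    # check returns $false; an elevated shell (or any XP admin logon) returns $true.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        DepAvailable          = [bool]$os.DataExecutionPrevention_Available
        DepPolicy             = $depPolicy
        AslrForceRelocate     = $aslrForceRelocate
        UacEnabled            = $uacEnabled
        AdminsElevateSilently = $silentElevation
        SessionIsElevated     = $isElevated
    }
}

function Test-LeastPrivilegePosture {
    # Turn the raw audit into findings a reader can act on.
    param([Parameter(Mandatory)] $Audit)
    $findings = @()
    if (-not $Audit.DepAvailable)         { $findings += 'DEP is not available on this hardware/OS' }
    if ($Audit.DepPolicy -eq 'AlwaysOff') { $findings += 'DEP is disabled system-wide' }
    if (-not $Audit.UacEnabled)           { $findings += 'UAC is disabled (EnableLUA=0): admin logons get a full token' }
    if ($Audit.AdminsElevateSilently)     { $findings += 'Admins elevate without prompting: no approval step' }
    if ($Audit.SessionIsElevated)         { $findings += 'This shell runs with full admin rights: anything it launches inherits them' }
    return $findings
}

$audit = Get-MitigationAudit
$audit | Format-List
$issues = Test-LeastPrivilegePosture -Audit $audit
if ($issues.Count -eq 0) { 'No findings: DEP on, UAC on, session not elevated.' }
else { $issues | ForEach-Object { "FINDING: $_" } }
```

Run it once from a normal shell and once from an elevated one: the only line that changes is SessionIsElevated, which is exactly the distinction UAC adds and XP lacks, where every admin-account session is permanently in the elevated state and every program it launches inherits those rights.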
How XP holds third-party vendors hostage
The liabilities of XP are not limited to Microsoft. Third-party hardware and software vendors are also affected. As long as Microsoft supports a legacy operating system, hardware and software vendors typically feel obligated to do so, too. If Microsoft initiated a paid-support subscription for individual XP users, the makers of monitors, keyboards, webcams, and software would also have to continue investing resources to keep their products compatible with Windows XP.
Tripwire security research manager Tyler Reguly recently told me, "No mainstream consumer OS has ever been supported as long as Windows XP. Look at server platforms; even Solaris 8 and AIX 5 [both released after XP] are past their end-of-life dates. Apple released OS X 10.6 [Snow Leopard] in 2009 and dropped support for the OS less than five years later — less than half of the 12 years Microsoft has supported XP."
So our cost equation isn't limited just to Microsoft. Adding in the many hardware and software vendors tied to a PC makes the math far more complicated. If you factor in the entire Windows XP ecosystem, that $4 billion of revenue for Microsoft could be offset by many more billions spent by other vendors.
Things change; it's past time to move on
Not to be facetious, but there were probably people who would've paid for continued support of eight-track tapes — or 5.25-inch floppy drives. Technologies evolve, and so do threats to those technologies — and in most cases, the older the technology, the greater the hazard. Most of us are very happy that our cars have seat belts, crumple zones, airbags, and more cup holders.
Windows XP users are still welcome to continue using the aged OS — just as there are those who will still get some use from their effectively obsolete 3.5-inch floppy drive. But all security experts strongly recommend limiting the use of XP to standalone applications. Don't connect it to the Internet, especially if it shares a network with other PCs. A successful infection on an XP system could easily spread to other machines.
Regardless of whether and how you choose to continue using Windows XP, the concept of paying for support just doesn't add up. Not for users and not for vendors — not even for $4 billion a year.
