NEW YORK (CNNMoney) — Microsoft ended support of Windows XP on Tuesday, leaving the many still clinging to the outdated software exposed to cyberattacks.
The operating system is now 12 years old, so Microsoft is no longer providing security updates that patch holes in the software. The danger now is that hackers who find bugs in XP will be able to exploit them freely.
Windows XP isn’t just running on the dusty, discarded PC in your closet. It’s everywhere, threatening devices that store sensitive information and computers that keep the city lights on and water running.
An estimated 95% of bank ATMs run on XP. GE Intelligent Platforms, which sells industrial software, discovered 75% of its utility customers still use it. Cybersecurity provider Cylance says one of its clients is a major hospital where XP is still on more than 100,000 devices, including computers that hold patient records.
“It’s literally everywhere still,” said Cylance chief scientist Ryan Permeh. “Every point that’s running XP is ripe for worms. They haven’t been much of a common occurrence in modern times, but any new vulnerability could result in mass infection with very little remediation.”
That includes point-of-sale systems at about 30% of retail stores, according to Greg Rosenberg, a security engineer at Trustwave. That lowers the bar to recreate the massive Target hack that happened late last year.
So, what do you do? It’s simple. Upgrade.
The best strategy is to use an operating system that still receives updates from Microsoft. For that, loading your computer with Windows 7 or Windows 8 will do. You’re better off with Windows 8, because Microsoft plans to keep supporting it until 2023.
If you’ve been holding off because of Windows 8’s missing start button, have no fear. Microsoft is adding that feature in the next update. Plus, the company is giving away $100 in credits for new PCs.
If that isn’t reason enough, try this: Windows XP computers are already six times more likely to get infected, by Microsoft’s account.
For the stragglers, Microsoft is offering extended service for a pretty penny. The United Kingdom is reportedly paying £5.5 million to get another year of tech support, as 85% of its desktops at the National Health Service remain on XP.
Here’s the good news. There are signs the software exodus has already begun. From early 2013 to 2014, the share of computers using XP dropped from 35% to 14%, according to cloud security provider Qualys. The company’s chief technical officer, Wolfgang Kandek, expects that to drop to 10% by April’s end.
Qualys numbers show the transportation and health care industries managed to cut down their Windows XP usage significantly. And a CNNMoney review of federal contracts shows that tens of millions of dollars have been spent in recent years by the Defense, Labor and Homeland Security departments to upgrade from XP.
But while everyone else scrambles to upgrade — banks are scrambling to tear apart their ATMs and replace them — most small business owners don’t know that Windows XP has lost support. And some don’t even know whether their machines use XP.
To them, it might not seem like a good idea to spend a few hundred bucks to upgrade each credit card swiping terminal — or spend thousands of dollars replacing them all. But the “if it ain’t broke don’t fix it” mentality won’t do this time around, said Trustwave director Christopher Pogue.
“The majority of folks in these industries aren’t technical. They want to serve food, sell widgets and keep doors open,” he said. “But you’re giving the attackers something else to use in their arsenal. If there are vulnerabilities identified, there’s going to be no defending against it.”