I made two incorrect statements in my last post on Windows XP. One is that I said it was my last warning on its demise, and obviously here is another one. The other is that I said I’d write about how to live with Windows XP after support ends on April 8th, and I haven’t. That’s the result of this blog being purely a hobby and having lost interest in the topic for a couple of months. So this is an update on the Windows XP situation with one month to go before Microsoft ends support.
First a little story. A couple of weeks ago I walked into the office of a new consulting client and staring me in the face was a Windows XP system. I mentioned the coming end of support to the COO and a look of concern crossed her face. She asked that I mention it to the VP of Administration, who owns IT, which I did. She had the situation well in hand, with only 3 or 4 of their machines not yet moved off XP. And they likely will be by next month. So yes, a lot of people may have their head in the sand and be surprised when Windows XP support ends. But it may be far fewer than most of us have been worried about.
Getting away from the anecdotal evidence, let's look at some numbers. The panic-level numbers that have been in the press lately are global numbers from Net Applications. As I've pointed out before, I can't drill into those without paying, so I'm going to use Statcounter numbers instead. Statcounter paints a slightly rosier picture than Net Applications, with Windows XP still in use on 18.6% of desktop computers worldwide as of February 2014. Sounds a lot better than the 29% that has been in the press, right? It is still too high, though. The methodologies of both organizations have their flaws, but both provide data that is useful. So let us drill in.
The truth about Windows XP usage is that looking at the situation globally gives a very distorted picture. Why? In China, where piracy was (and is) rampant, Windows XP remains the leading operating system with 48.26% of the desktop OS market! This has a number of implications which I'll get to in a moment, but the first is that Chinese usage of Windows XP is heavily skewing the global number.
Here in the United States Windows XP usage is reported as 10.93% by Statcounter. To put that in perspective, they report Mac OS X (all versions) usage as 18.07%. Since malware authors target large populations, and historically OS X has been targeted less because of relatively low usage compared to Windows, this suggests malware authors may actually start losing interest in Windows XP!
It may not happen immediately, but if Windows XP share continues to drift down over the year after support ends, then not many economically driven attackers are going to waste their time searching for new XP-specific vulnerabilities. Android, for example, has become a much juicier target. The caveat is that they may not have to search: a flaw in code that XP shares with Windows 7 and later will be patched only on the supported versions, and that patch can be diffed to locate a bug XP will now never have fixed. The exception will be those in the "Advanced Persistent Threat" world, where you might be looking to launch a targeted attack against an entity you know is still running XP. Think a Stuxnet-type attack. This is something the corporate and government worlds need to take very seriously, and they must continue to push to eliminate XP from their operations.
In any case, the U.S. figure of roughly 11% is a lot better than the 29% headline number. In Australia XP usage is already down to 7.62%, and I imagine the U.S. will be there within a year. This starts to get us down into the noise range, at which point you basically declare mission accomplished. Europe is at 16.48%, which is surprisingly high. But individual countries are all over the map. The United Kingdom is at 8.53% while Poland is at 25%. As a general rule North and South America, Europe, and Oceania are below average while Asia and Africa are above average.
Now there are probably some people who are happy with half of computers in China still running Windows XP. The NSA is one of them. But on an overall basis this is a very disturbing situation. Western companies do a lot of business with China, and will now be sharing confidential information with entities running vulnerable systems. It also blunts my argument about economically focused hackers losing interest in XP. So with China, as well as other lingering high-usage countries, Microsoft and its ecosystem must retain their focus on migrating users off Windows XP.
Why is the situation in China so bad? I can think of two reasons. The first is the high degree of software piracy in that country and the difficulty of engaging with owners of pirated software. The second may be economic: a much higher percentage of systems are not capable of running Windows 7 and later, combined with an inability to afford a replacement system. Similar factors may be affecting India (28.97%) and a number of other countries.
So what does all this mean? I'm not sure. In countries where Windows XP usage has dropped below 10%, the situation moves from apocalyptic to problematic. But on a worldwide basis, with a globally connected economy, the problem is as bad as ever. And it seems that no amount of effort by Microsoft, or by other organizations, will drive down XP usage in places like China. Not even the end of support.
In many countries, the use of supplier contracts and audits can solve the XP problem. However, I suspect that in countries where the level of XP usage is likely to be a problem after 4/8/14, these solutions will be ineffective.
On a recent trip through an international airport I noticed that 100% of the departure gate Dell PCs were running Windows XP. Likewise, on a visit to a top-10 UK university I noticed that all PCs in the main library were running Windows XP. I see a pattern here: When there’s no real owner, i.e. “terminal” type devices, then Windows XP is common. PCs used for dedicated purposes, e.g. airport departure gates, are probably locked-down and never go anywhere near the Internet, so they never get counted. This is both a blessing and a concern, because while it means that we have no idea of the real number of Windows XP PCs out there, a large percentage will be “well managed”. Question is, do we think that a well managed Windows XP PC is safer than an unmanaged Windows 7 PC?
Let’s think about PCs in 3 categories:
1) Locked Down: The user can’t install or run arbitrary apps. They can’t browse the web. They can’t download arbitrary files. They can’t perform system management functions. The PC is basically a smart terminal or kiosk.
2) Managed: IT Controls the PC environment. All software is “forcibly” kept up to date with patches. Anti-Malware is “forcibly” kept up to date. There are restrictions on installation of applications. Strict URL filtering practices are in place. Etc.
3) Unmanaged: Nothing is centrally managed, it is up to the end-user to follow best practices.
In general a Locked Down PC is going to be safer than an Unmanaged PC independent of versions. So it is probably fair to claim that a Locked Down Windows XP PC is safer than an Unmanaged Windows 7 PC. Of course degrees of lockdown vary so this isn’t as black and white as the answer you’d like. Some end-users are very good about not downloading files, installing software, opening attachments in emails, or browsing to long-tail websites. And Windows 7 and later are pretty secure by default. So it certainly is possible for a Locked Down Windows XP PC to be less secure than an Unmanaged Windows 7 PC.
The situation is far more ambiguous on the Managed Windows XP versus Unmanaged Windows 7 comparison. Being "Managed" has a very high degree of variability, from what could approach lock down to policies which do little more than approximate what Windows 7 already does by default for the Unmanaged case. For a lot of organizations "Managed" means little more than keeping patches up to date, running approved anti-malware software and keeping it updated, having URL filters in place, and the like. They don't force the user to run in a non-admin account, which is necessary to approach Windows 7 security. Plus, even if they restrict software installation, they are typically running old versions of third-party software (often the reason they haven't upgraded) that are themselves vulnerable. So I'm skeptical of treating a Managed Windows XP PC as being significantly more secure than an Unmanaged Windows XP PC, let alone Windows 7 or 8.x.
Just for completeness, Windows XP Embedded environments are typically Locked Down. They can go further than the typical PC lockdown because you can remove unnecessary components that you can't get rid of in the non-embedded version. So the risks are lower, but non-zero. Attacks like the Target breach do not require the system running embedded software (Windows or otherwise) to perform any of the risky behaviors we typically talk about (web browsing, file downloads, email attachments, for example). They just have to be on the same network as a system that is vulnerable to some direct form of attack.
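One way to find out how many XP machines you actually have and which of the three categories above they fall into, as an added example that is not code from the original post or from any of the commenters: a PowerShell inventory run from an administrator's workstation. It assumes PowerShell 3.0 or later and the RSAT ActiveDirectory module on that workstation, an account that is a local administrator on the targets, remote WMI/RPC reachable on them (the XP hosts themselves need no PowerShell), an English-localized "Administrators" group name, and the output path shown; all of those are assumptions, not anything the post specifies.

```powershell
# Added example, not code from the original post or its comments.
# Assumptions: PowerShell 3.0+ and RSAT ActiveDirectory on the scanning workstation,
# local-admin rights and remote WMI (TCP 135 plus dynamic RPC) on the XP targets,
# an English "Administrators" group name, and the CSV path below.
Import-Module ActiveDirectory

# 1. Domain inventory. Note the blind spot the comments above describe: kiosks and
#    dedicated terminals that were never domain-joined do not appear in this query.
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

# 2. Per-host checks against the minimum "Managed" criteria from the reply above:
#    patches flowing (Automatic Updates service), an anti-malware product registered
#    with Security Center, and the interactive user not being a local administrator.
function Test-XpHost {
    param($Computer)

    $name = $Computer.Name
    $row = [ordered]@{
        Host             = $name
        OS               = $Computer.OperatingSystem
        ServicePack      = $Computer.OperatingSystemServicePack
        LastLogon        = $Computer.LastLogonDate
        Reachable        = $false
        AutoUpdate       = $null
        AntiVirus        = $null
        LoggedOnUser     = $null
        UserIsLocalAdmin = $null
        Category         = 'Unknown'
    }

    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        return [PSCustomObject]$row
    }
    $row.Reachable = $true
    try {
        # Automatic Updates service (wuauserv): must be running and not disabled.
        $wu = Get-WmiObject Win32_Service -ComputerName $name -Filter "Name='wuauserv'"
        $row.AutoUpdate = ($wu.State -eq 'Running' -and $wu.StartMode -ne 'Disabled')

        # XP registers AV products in root\SecurityCenter
        # (Vista and later moved them to root\SecurityCenter2).
        $av = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct `
            -ComputerName $name -ErrorAction SilentlyContinue
        $row.AntiVirus = if ($av) { ($av | ForEach-Object { $_.displayName }) -join '; ' } else { 'none registered' }

        # Interactive user and direct membership of the local Administrators group.
        # A domain group nested inside Administrators is not expanded here.
        $user = (Get-WmiObject Win32_ComputerSystem -ComputerName $name).UserName
        $row.LoggedOnUser = $user
        if ($user) {
            $shortName = ($user -split '\\')[-1]
            $admins = Get-WmiObject Win32_GroupUser -ComputerName $name |
                Where-Object { $_.GroupComponent -like '*Name="Administrators"' } |
                ForEach-Object { ($_.PartComponent -split 'Name="')[-1].TrimEnd('"') }
            $row.UserIsLocalAdmin = ($admins -contains $shortName)
        }

        # Coarse bucket in the spirit of the three categories: all three minimum
        # controls present -> Managed, otherwise Unmanaged. "Locked Down" (no browser,
        # no arbitrary downloads) cannot be inferred remotely from these checks alone.
        $managed = $row.AutoUpdate -and
                   ($row.AntiVirus -ne 'none registered') -and
                   ($row.UserIsLocalAdmin -ne $true)
        $row.Category = if ($managed) { 'Managed (minimum)' } else { 'Unmanaged' }
    } catch {
        Write-Warning ("{0}: WMI query failed: {1}" -f $name, $_.Exception.Message)
    }
    [PSCustomObject]$row
}

$report = $xpHosts | ForEach-Object { Test-XpHost -Computer $_ }

# 3. Output: a CSV for the migration tracker, plus a count per category so the
#    number that matters (share of your own fleet, not the global headline) is visible.
$report | Export-Csv -Path '.\xp-inventory.csv' -NoTypeInformation
$report | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
```

Hosts that answer ping but refuse WMI land in the "Unknown" bucket with a warning; those, and the non-domain terminals the query never sees, are exactly the machines that need a walk-around audit rather than a script. A stale LastLogon on a host that is still reachable is also worth a look: it is usually a kiosk or shared terminal nobody logs into by name.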
A lot of the Chinese XP machines are locked down. Many (most?) were sold with an unlicensed (or compromised bulk license) copy of XP loaded at point of sale (which is why vendors ship them with Linux, which consumers don't actually use) and then all the upgrade mechanisms are turned off. This is the pattern I observed in shops (the guy was shocked when I asked for Win 7, he said no-one ever asks for it). The result is a computer so rapidly and thoroughly compromised as to be unrecognizable as the same experience as US users know.
However, Tencent took advantage of this a few years back to invade the PC market. They built their own super virus, a rootkit, which consumers knowingly install and which then provides the A/V service (I have no idea how good it is). It has a few interesting side effects of installing its own browser, rerouting the search engine away from Baidu, and popping up adverts for Tencent properties. After they did this Baidu was furious but had no answer.
The Chinese PC market is sad, and what passes for XP there is nothing like what you see in the USA. Everyone is on tablets, phablets, and still a few phones.
Thanks for the insight Tanj!
I think there is an unrelated conclusion to be drawn. Of all the places in the world where Desktop Linux should have been able to take off, in fact where the dynamics almost insist on it being hugely successful, it hasn’t gotten traction in China.
I think “developing countries” was why Win98/ME support was extended until 2006.