I made two incorrect statements in my last post on Windows XP. One is that I said it was my last warning on its demise, and obviously here is another one. The other is that I said I’d write about how to live with Windows XP after support ends on April 8th, and I haven’t. That’s the result of this blog being purely a hobby and having lost interest in the topic for a couple of months. So this is an update on the Windows XP situation with one month to go before Microsoft ends support.
First a little story. A couple of weeks ago I walked into the office of a new consulting client and staring me in the face was a Windows XP system. I mentioned the coming end of support to the COO and a look of concern crossed her face. She asked that I mention it to the VP of Administration, who owns IT, which I did. She had the situation well in hand, with only 3 or 4 of their machines not yet moved off XP. And they likely will be by next month. So yes, a lot of people may have their head in the sand and be surprised when Windows XP support ends. But it may be far fewer than most of us have been worried about.
Getting away from the anecdotal evidence, let’s look at some numbers. The panic-level numbers that have been in the press lately are global numbers from Net Applications. As I’ve pointed out before, I can’t drill into those without paying so I’m going to use Statcounter numbers instead. Statcounter paints a little rosier picture than Net Applications, with Windows XP continuing to be used by 18.6% of desktop computers on a worldwide basis as of February 2014. Sounds a lot better than the 29% that has been in the press, right? It is still too high though. And the methodologies of both organizations have their flaws, but they both provide data that is useful. So let us drill in.
The truth about Windows XP usage is that looking at the situation globally gives a very distorted picture. Why? Well, in China, where piracy was (and is) rampant, Windows XP remains the leading operating system with 48.26% of the desktop OS market! This has a number of implications which I’ll get to in a moment, but the first is that Chinese usage of Windows XP is really distorting the global number.
Here in the United States Windows XP usage is reported as 10.93% by Statcounter. To put that in perspective, they report Mac OS X (all versions) usage as 18.07%. Since malware authors target large populations, and historically OS X has been targeted less because of relatively low usage compared to Windows, this suggests malware authors may actually start losing interest in Windows XP!
It may not happen immediately, but if Windows XP share continues to drift down over the year after support ends then a lot of economically-driven hackers aren’t going to be wasting their time searching for new XP-specific vulnerabilities. Android, for example, has become a much juicier target. The exception will be those in the “Advanced Persistent Threat” world, where you might be looking to launch a targeted attack against an entity you know is still running XP. Think a Stuxnet-type attack. This is something the corporate and government worlds need to take very seriously, and continue to push to eliminate XP from their operations.
In any case, 10.69% is a lot better than the 29% headline number. In Australia XP usage is already down to 7.62%, and I imagine the U.S. will be there within a year. This starts to get us down into the noise range, at which point you basically declare mission accomplished. Europe is at 16.48%, which is surprisingly high. But individual countries are all over the map. The United Kingdom is at 8.53% while Poland is at 25%. As a general rule North and South America, Europe, and Oceania are below average while Asia and Africa are above average.
Now there are probably some people who are happy with half of computers in China still running Windows XP. The NSA is one of them. But on an overall basis this is a very disturbing situation. Western companies do a lot of business with China, and will now be sharing confidential information with entities running vulnerable systems. It also blunts my argument about economically focused hackers losing interest in XP. So with China, as well as other lingering high-usage countries, Microsoft and its ecosystem must retain their focus on migrating users off Windows XP.
Why is the situation in China so bad? I can think of two reasons. One of those is the high degree of software piracy in that country and the difficulties in engaging with owners of pirated software. Second may be the economic reality of a much higher percentage of systems not being capable of running Windows 7 and later combined with an inability to afford a replacement system. Similar factors may be impacting India (28.97%) and a number of other countries.
So what does all this mean? I’m not sure. In countries where Windows XP usage has dropped below 10% the situation moves from apocalyptic to problematic. But on a worldwide basis, with a global connected economy, the problem is as bad as ever. And it seems like no amount of effort by Microsoft, or other organizations, may drive down XP usage in places like China. Not even the end of support.