Windows XP was released on 2001 replaced by Windows Vista (ugh) in 2006, and Windows 7 in 2009. Official support from Microsoft, including security updates, ended in 2014. It is now 16 years old. Yet 7% of PCs worldwide are still running Windows XP. Considering there are about 3 billion PC in use, that’s a whopping 210 million computers. It is easy to assume that most of these computers are located in Africa, Asia, and other third world locations, and running on pirated software. That assumption is not entirely true.
Windows XP systems pop up in unexpected places in the United States and other technologically advanced nations. A recent study found that 52% of US businesses are still using Windows XP somewhere on their network. And 9% are running Windows Vista! (ugh) And 53% of businesses are running at least one Windows 2003 server. These operating systems are way past their prime and either out of support, or due to expire soon, in the case of Vista.
And where are these dusty old chestnuts to be found? How about in US and British hospital medical imaging systems such as X-ray, MRI and CAT scanners? Or medical office patient records and billing systems? Or old out-dated point-of-sale systems in retailers both large and small? Or supporting line-of-business applications that can no longer be updated, or should of been updated but weren’t due to budget constraints? Or Grandma’s house? Want to help some cyber-criminal steal your inheritance? Leave Grandma on that old Win XP computer!
In researching this story on Google, I found the following ad. Yes that’s right, you can still buy brand new Windows XP systems with a two year warranty!
Why are business owners still running XP systems? The answer is “legacy applications.” This is technical talk for “old crap.” Most of the time it is related to the expense of upgrading not just the computer or server, but the old business application that is running on it. Line-of-business software developers charge hefty fees to get you into their software package, and then more large fees every time the Windows operating system changes. Sometimes it is a home-brewed application that no one knows how to update. The way the business gets around this expense is to delay the upgrade.
My personal favorites from my own private practice are:
- A patient records and billing system in an optical office that was running on pre-XP Windows 2000! The hardware was nearly 15 years old and on its last legs. They were avoiding the expense of an upgrade, at the risk of losing their entire patient records and billing history and capability.
- An employee time keeping and time billing application running on Windows XP. Someone previously employed at this company had designed this application using a Microsoft Access database program that was similarly ancient. Nobody knew how to update it. We identified this vulnerable system in a security assessment, but they decided to keep it anyway. Later on it was found to be running a phishing email campaign as a mail server, and also storing email address lists and stolen identity documents.
- Finding Windows XP on a point-of-sale system while engaged to perform a PCI compliance audit. This has happened more than once, and I expect to run into this again.
Windows XP has not had a security update since April 2014, with the exception of the special update Microsoft pushed out last year to close the WannaCry vulnerability. Some companies are paying significant sums to Microsoft in order to get “extended support,” but in my experience most small businesses are not. It’s just too expensive. They are just taking their chances. And these old systems are getting breached more frequently.
The solution is painful – get off the schneid and buy new hardware running Windows 10 or Windows Server 2016 and buy the new LOB software package. I understand that this can cost $12,000 or more but you can easily lose that in an email account hijacking and wire transfer exploit that starts when your old XP computer is hijacked and used as a pivot point on your network. Sometimes these old systems are chugging away in a closet somewhere and can be hard to identify and locate, but it can be done as part of a software based vulnerability scan and assessment. Doing so could save your business from an expensive breach.