Colorado State University

As you may be aware, support for Windows XP (and Office 2003) will end on April 8, 2014 (more info here).  This carries significant risks to CSU due to the potential of having a non-supported operating system in the environment and additional risks of which your Microsoft team feels compelled to make you aware, including:

• Security and compliance risk of running an unsupported OS (no more security patches)
• No support in the event of critical XP support issues
• Inability to run latest versions of Microsoft Office as well as 3rd party applications
• Potential for license compliance risks related to downgrade rights
• Potential security breaches of student information

What does End of Support mean to customers?

After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates for Windows XP or Office 2003.

Running Windows XP SP3 or Office 2003 in your environment after their end of support date may expose your company to potential risks. You can find additional information about the risks of staying on Windows XP below, but I’d like to call out some alarming data points:

Cybercriminals “saving up” wave of Windows XP attacks for when Microsoft stops support”

According to this article, many security experts are reporting that “Cybercriminals will unleash a wave of ‘zero-day’ vulnerabilities to attack Windows XP machines after April 8, 2014….Criminals will ‘sit on’ such vulnerabilities until that date to make more money from their exploits.”

The Risk of Running Windows XP After Support Ends April 2014:

This recently Published Microsoft’s Security Blog outlines the reasons that Windows XP will become significantly more vulnerable after April 8^th 2014:

“The very first month that Microsoft releases security updates for supported versions of Windows [After April 8, 2014], attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities.  If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP.  Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever.  How often could this scenario occur?  Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.

Additional risks of Running Windows XP beyond April 8^th 2014:

• Security & Compliance Risks: Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.
  The Microsoft Payment Card Industry Data Security Standard Compliance Planning Guide is designed to help organizations address the requirements of version 1.2 of this standard using Microsoft products and technologies. This guide is intended to extend the IT Compliance Management Guide, which introduces a framework–based approach to creating IT controls as part of your organization’s efforts to comply with multiple regulations and standards.
• Lack of Independent Software Vendor (ISV) & Hardware Manufacturers support: A recent industry report from Gartner Research suggests “many independent software vendors (ISVs) are unlikely to support new versions of applications on Windows XP in 2011; in 2012, it will become common.” And it may stifle access to hardware innovation: Gartner Research further notes that in 2012, most PC hardware manufacturers will stop supporting Windows XP on the majority of their new PC models.
• Windows XP not supported for Office 2013:  If your organization is planning to use Office 365 or Office 2013, please note that those both require that the client OS be Windows 7 or later. So having a large number of Windows XP devices could impact your ability to leverage the latest software and tools which would otherwise be beneficial to your organization.
• Limited Ability to Downgrade OS on new PCs:  For Windows licenses acquired on a new PC though an OEM, you may downgrade to the two prior versions (N-2) of the licensed Windows edition. This means that as long as the OEM PCs are shipping with Windows 7 you have the option to downgrade those PCs to Windows XP, but current PCs purchased with Windows 8, you will only be able to downgrade them to Windows Vista or Windows 7, not XP.

Additional business justification for upgrading from Windows XP to a supported OS:

• IDC whitepaper: Mitigating Risk: Why Sticking with Windows XP is a Bad Idea
  “IDC’s analysis shows that supporting older Windows XP installations, compared with a modern Windows 7-based solution, saddles organizations with a dramatically higher cost.  Annual cost per PC per year for Windows XP is $870, while a comparable Windows 7 installation costs $168 per PC per year.  That is an incremental $701 per PC per year for IT and end-user labor costs.”

“The conclusion is simple:  Organizations that continue to retain a Windows XP environment not only are leaving themselves exposed to security risks and support challenges but also are wasting budget dollars that would be better used in modernizing their IT investments.”

• Forrester whitepaper: Total Economic Impact of Windows 7