Microsoft drops support for SP2 – Wolfgang Kandek, CTO of Qualys, explains the problem
Microsoft supports a service pack for two years beyond the release of its successor (“Microsoft will offer Mainstream Support for either a minimum of 5 years from the date of a product’s general availability, or for 2 years after the successor product (N+1) is released, whichever is longer”: Microsoft Support Lifecycle). Since XP Service Pack 3 was released on July 13, 2008, the demise of support for XP SP2 is now imminent. The problem is, there are a lot of SP2s still out there.
“It’s not so much home computers as company networks,” explains Wolfgang Kandek, CTO at Qualys, possibly the world’s leading vulnerability management company. “Home computers are usually pre-configured to accept automatic updates so remaining XP installations tend to be SP3. But our company scans show us that there are many SP2s still out there.”
Wolfgang suspects a reluctance to fix what isn’t broken. “SP2 works, we’re used to it, why change it?” And possibly the way Microsoft announced SP3 was no help. According to Microsoft at the time:
Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system. This update also includes a small number of new functionalities, which do not significantly change customers’ experience with the operating system.
So SP2 users who had religiously updated and patched the OS could be forgiven for thinking that the hassle of a major upgrade wasn’t worth it for the sake “a small number of new functionalities, which do not significantly change customers’ experience”.
“But we’re also seeing a little bit of the problem that Vista brought as well. If Vista had been a successful operating system, like Windows 7 seems to be, then more people would have migrated off XP. Vista just didn’t give people a good reason to leave XP,” adds Wolfgang.
So what’s the problem? If it works and it ain’t broken, why fix it? “Because it will be broken,” says Wolfgang. “Within 60 to 90 days of the end of support, the hacking community will have found major new vulnerabilities, and there will be no defence, and no chance of a patch. Today, SP2 is a Level Four vulnerability in our rankings. Five is the most critical vulnerability level. Level Four is, shall we say, fairly serious. Three is what we would call ‘moderate’, and Two and One are more informational. SP2 is currently Four; but we will elevate it to the most critical level Five as soon as exploits appear that cannot be patched. By September I suspect that just using SP2 will be a Level Five vulnerability.”
That makes SP2 a ticking timebomb getting close to explosion. And it’s not just for SP2 users. If they don’t upgrade, then come September there will be many more bots out there attacking all of us.
So there you have it. It’s decision time. Run WinVer to see what version you have. If it’s SP2, you have to upgrade. Sooner or later you’ll have to leave XP altogether: so the difficult choice now is whether to go straight to Windows 7 or delay the cost by just upgrading to SP3.
Or you could bite the bullet and really upgrade to Mac or Linux, of course.