Windows XP support ends one year from today. Will your CIO sign-off on zero day risks beyond that?

April 8, 2014 is the final, we-mean-it-this-time, no extensions end of support for Microsoft Windows XP.

April 8, 2014 is the final, we-mean-it-this-time, no extensions end of support for Microsoft Windows XP. (Well, unless you're a really big customer who can leverage Microsoft into providing longer support. Don't tell anyone!) But for most of us, we have a year from today to move off of Windows XP. Will you be ready for that? Or do you even care? What "support" do you really need from Microsoft that 15 years of forum postings and security reviews hasn't addressed?

Gabe wrote about this last October, explaining that running Windows XP in a world where Microsoft wouldn't fix any vulnerability would be a liability. He also conducted a survey that found that about 50% of respondents' desktops were still running Windows XP, and that 14% believed that they'd have some Windows XP beyond the expiration date. Browsium's Gary Schare blogged that 39% of PCs are still running Windows XP today (six months after Gabe's survey).

In response to those survey results, AppDetective posted a comment with a few questions aimed at those who were still on Windows XP:

  • Does your CIO know the date?
  • Who signs off on the risk of doing nothing when the April 9th 2014 zero day is exploited?
  • Will Microsoft for a fee provide extended security support? If not it's irresponsible to do nothing.

So what's going on in your company. Is this a big deal? A problem you solved already? Something you're not worrying about? And what about AppD's question. If you're going to continue to have Windows XP past April 8, 2014, has someone signed off on the risk of the zero day exploit?

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

If I were the type of person who could, or wished to, create an exploit, I'd be damn well waiting till after April 2014 to use it as I'd know it would work FOREVER instead of for a limited time if I just waited a little longer.

If people think there isn't going to be a flood of zero day exploits on the 9th of April 2014 they are kidding themselves.


Actually, after April 9th 2014 there won't be zero-day exploits for XP anymore. There will just be exploits. Because they'll work on day 1, 2, 3, ... just as well as they did on day zero.


Well said, Dan! I wrote about this a while back, calling April 9, 2014 the REAL red-letter day in the history of Windows XP.

I'm working on a piece detailing extended support costs. For those that have ridiculous amounts of money, there will still be "zero-day" exploits, but they'll be "zero-day, plus $50k, plus whatever you pay to get into the paid-support program" exploits.

There's some information on this in an article I wrote over on For one company I spoke to with 8000 desktops, they would have to pay $1.6 million for the first year of support, plus $50k per hotfix.

That $50k could add up quickly if we're correct in our assumption that there will be an onslaught of exploits.



I disagree. I don't think there'll be a raft of exploits. There'll be a threat of exploits but the threat of the sky darkening are four horsemen rocking up is over eggging. There is too much precedent - I've visited customers running win95, backend servers on winframe. XP pre SP3. To an extent this is a reason for lethargy, the OS will not cease to be on the 9th of April.

I've worked with a number of organisations who have approached Microsoft to understand what the support terms are post 2014. For many organisations, migration to Windows 7 from XP will be 8-12 months. If you've not started yet, be thinking about contingency.

There is a cost, on a sliding scale (based on devices) for continuing support for Microsoft XP. The "support ends" is indeed not true. There is a cost for joining that program (which is significant even for <2500 devices). There is a requirement to have a valid enterprise license agreement. The cost for being in the club gets more eye watering each year.

And this just gets you into the club, the drinks are expensive.

The $50k hotfix fee covers a hotfix i.e. fixes to code because you have a problem with the OS.. Your big ticket fee does get security patches thrown in. Taking a step back, it is unlikely that you'll be needing a hotfix. Mind, fixes are limited to the OS only. What are you doing about your apps? Who will be supporting your AV.. when did that go EoL?  

What you don't get is an SLA on the delivery of those hotfixes, or on the timescale for delivery of that patch.

Lets gloss over the fact that almost all large scale  environments will have judged this advance, and will be considering this as contingency: the main likelihood being that they are running a managed environment.    

We're also glossing over the fact that most of your physical devices will by then also be well out of date, very likely already have components that don't have reliable drivers and/or you are struggling to replace old devices with devices that support XP. Application support (as Gartner predicted) is often failing, as is browser support, especially IE. Not to mention the reputational cost of being seen to be not capable to get your act together to roll out a viable and supported operating environment.

So there is value in not spunking the cash on extended support beyond April 2014 and actually doing the migration now that is beyond "avoiding exploits". You'll likely hit 70-80% of your users for the money you're going to spend anyways. There will be cliques of apps, users who can't migrate - then its about mitigation. You could stick those XP instances in a VDI environment and ring fence it. If an exploit gets though everything else stop, rebuild restart.

I don't think its about whether there will be an attack - because the answer to that is "there might not be". But, can you as a business operate without devices (because you can't replace them), can you as a business interact and collaborate with other businesses and services if your browser is out of date, can you as a business comply with your industry regulatory requirements if you're not running supported OSes and applications. And then the flip side, for the environments that can't move what alternatives do you have?      


Should have had a BriForum session on this: "Jim, Dan, Andy, and Gabe Spread FUD about the end of XP"

Actually...we don't need a session. We can hold court at a pub.

Thanks for the info...good to know the paid support includes security fixes.


Maybe there is a niche play here for security vendors?


@Gabe, name a pub in Chicago and I'll be there!

Cancel a pub in Chicago and take a laptop with Skype on it.. - however London has many fine pubs - unless you guys are cancelling too?

Let me see what I can extract from the documents: the other thing to bear in mind is - those "extend support" agreements are at account managers discretion they're a privilege not a right (where privilege is used in its really, really loose sense)


You cannot compare Windows 95 EOL to anything else. Windows XP is in fact Windows NT. Windows XP in the code was designed to be a server as well as a client.

WinFrame is altogether different WinFrame was compiled by Citrix not Microsoft. WinFrame is not a MS operating system.

WinFrame or other systems out there could have been hardened and most of the ones that have been up for years with no reboot are hardened.

I do see doomsday here actually. It already happens all the time when a system that has not gotten SP3 yet gets a virus. But any company that is going to not get off of Windows XP SP3, or for that matter any company that has a bad patching policy let the hacker community know.

Okay here we go - let's see how active this thread gets.

As a former Escalation Engineer for MS and for that matter Citrix I know the thought process behind this very well. The fact is that there are already tons of exploits out there that have never been patched. The risk level on the exploit just has never been deemed good enough to release a patch for.

Microsoft is not and has never made any attempt to fix ALL security bugs. The bug has to be justified.

It's almost funny to me when a customer thinks they can continue on a completely unsupported OS or software for that matter.

Also how do you know if your system is hacked or exploited? If the exploit is really good it will clean up behind itself and perhaps just collect data or do a task or two then delete itself.

There is a good reason why Bill Gates put a halt to development to deal with security.

I'm going to stop now before I really go off.


Greg Lirette: OT, but do you know when exactly MS ended hotfix support for NT *3.51*? I know it is somewhere in the year 2000, but want to know the exact date, which seems to be hard to find. Also I wonder why MS offered technical support on NT Server 3.51 through the year 2002.


Andy Wood: And non-security hotfixes are already not included for free during the extended support phase. Anyone know what an EHSA for XP costs for those without Software Assurance? and is the per hotfix fee the same or not?


Does think help? This suppose to be the official docs on this..


This is about Windows 2000, not NT 3.51.


Newest NT 3.51 hotfix I can find is this:


Sorry I am not sure why I gave you the 2000 link, my bad. No I don't know where the info is for 3.51 I was able to find Workstation for 3.51 using the link I provided. I don't know why MS would have offered support for so long probably Walmart or just the install base. Really NT 3.51 worked fine for most companies that wanted NT server. Man that is old! I remember the day that Windows NT 3.51 support ended and when SE's, TL's would come to me and ask 3.51 questions all I would say was "not supported" happy day for me ;-)


Yea, I know that all support for NT Workstation 3.51 ended a year earlier, they set this for Win95 and most other versions before 98 and NT4 back in April 2001. What I am asking is the date for end of *hotfix* support for NT 3.51.


And this says NT Server 3.51 support ended at the end of 2002:

While this says 9/30/2002:

I wonder why?