March 26, 2014, 12:06 PM — Microsoft yesterday pulled out the big guns -- a fear-of-God approach -- to scare users into dumping Windows XP, telling them that the most popular tasks done on a PC will put them in the crosshairs of cyber criminals.
While the advice wasn't this specific, it amounted to telling customers to switch off their older PCs and never turn them back on.
The Tuesday post by Tim Rains, director of Microsoft's Trustworthy Computing group, was similar in theme but more urgent in tone than one he wrote last October when he said that after April 8, the chance that malware will infect XP PCs could jump by two-thirds.
"I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so," Rains wrote.
Microsoft will issue the final public security updates for Windows XP on April 8, marking the official retirement of the 13-year-old operating system. XP-powered PCs will continue to run, but any vulnerabilities uncovered by researchers -- whether white hat, gray hat or black hat -- will not be patched.
The assumption by Microsoft and virtually every security expert is that hackers will then begin targeting XP machines more aggressively because of the aged OS's prominence. According to Web measurement vendor Net Applications, nearly a third of all Windows systems still run XP.
Citing statistics that Microsoft compiles from its antivirus software and its regularly-updated malware cleaning tool, Rains said that the top two risks for XP users after April 8 are browsing the Web and opening email.
"Since browsing the Internet is a risky proposition if running on out-of-support systems like Windows XP after April, small businesses and consumers should limit where they go to on the Internet to help manage the risk," Rains advised. He also said opening email or using an instant messaging (IM) client would be a bad idea, as exploits could be "integrated into phishing attacks, malicious emails and IMs."
Rains contended that switching browsers would not help. "Changing browsers won't mitigate this risk as most of the exploits used in such attacks aren't related to browsers," Rains said when he warned XP users to be careful on the Web.
While that's true -- most attacks don't rely on browser vulnerabilities -- Rains' advice was also disingenuous: Microsoft will stop serving security updates to Internet Explorer (IE), no matter what version, if the browser is on an XP system. Even IE8, which most XP users are now running, will not be patched even though it will be repaired on other editions, such as Vista and Windows 7, until 2017 and 2020, respectively.
Other browser makers, including Google (Chrome), Mozilla (Firefox) and Opera Software (Opera) will, however, continue to patch their applications. Numerous security professionals have recommended that XP users drop IE and run a rival browser to, if nothing else, eliminate the possibility of IE-based drive-by attacks.
Rains' top five risks to XP users also include using removable drives such as USB thumb drives; worms, such as Conficker, the 2008 malware that was one of the most recent to infiltrate large numbers of Windows PCs; and "ransomware," the term for attacks that encrypt the hard disk drive or a subset of files on it, then demand payment for the decryption key.
But by naming browsing and email, Rains essentially told users to put down their XP PCs, step back carefully, and walk away: Those two activities have long topped every chart of the most common uses of a personal computer, with the pair swapping the lead depending on the survey or source.
Rains' advice in each case consisted of classic best-practice security recommendations long given to consumers, but also long ignored, such as to not click on email attachments and to regularly back up the hard disk drive.
Although the scare tactics may be effective -- Microsoft must think so, since the company has regularly used them -- they could also prove a double-edged sword. By letting XP slide into retirement while it still powers so many PCs, Microsoft risks tainting the Windows brand as insecure and the Windows ecosystem as infection-prone if, in fact, Windows XP becomes a reservoir of compromised machines that make all Windows systems less safe.
In fact, Rains himself predicted that "more Windows XP-based systems will get compromised" in 2014 because of the support stoppage, an easy call since it was a self-fulfilling prophecy, with Microsoft itself deciding to hew to its prior plans of ending patches on April 8.
Yesterday, Rains also stuck to the company's recommendation that users should upgrade to Windows 8.1 or buy a new device with that edition, but unlike other such calls of late, he at least mentioned Windows 7 as an option, even though Microsoft no longer sells that OS to end users as an upgrade.
When others at Microsoft last month appealed to technically astute customers, asking for their help in migrating friends' and family members' PCs to Windows 8.1, customers hooted the advice down, saying that they weren't about to inflict the radically different OS on people they knew.
Microsoft has created a website, AmIRunningXP.com, that users can browse to with their PC if they are unsure which edition they're running.
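For an administrator rather than a single home user, the practical counterpart to that website is an inventory check: which hosts are still on XP, and therefore unpatched after the April 8 cutoff the article describes. The following is an added example, not code from Microsoft or from the article; it assumes an asset inventory that records each host's Windows NT version string (XP reports NT 5.1, Windows 7 reports NT 6.1), and the sample inventory it scans is constructed here for illustration.

```python
from datetime import date

# Final public security updates for Windows XP, per the article.
XP_END_OF_SUPPORT = date(2014, 4, 8)

# Constructed sample inventory: (hostname, reported NT version string).
# Assumption: the inventory tool records the kernel version, e.g. "5.1.2600".
SAMPLE_INVENTORY = [
    ("ws-01", "5.1.2600"),   # Windows XP
    ("ws-02", "6.1.7601"),   # Windows 7
    ("ws-03", "6.0.6002"),   # Windows Vista
    ("ws-04", "6.3.9600"),   # Windows 8.1
    ("ws-05", "5.1.2600"),   # Windows XP
    ("ws-06", "garbled"),    # unparseable record, must not crash the scan
]


def nt_major_minor(version):
    """Parse 'major.minor[.build]' into (major, minor); None if malformed."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        return None
    return int(parts[0]), int(parts[1])


def is_windows_xp(version):
    """Windows XP (32-bit) identifies itself as NT 5.1."""
    return nt_major_minor(version) == (5, 1)


def unsupported_xp_hosts(inventory, today):
    """Hosts running XP that no longer receive security updates on 'today'.

    Before the cutoff the list is empty: the hosts are old but still patched.
    Unparseable version strings are skipped rather than treated as XP, so the
    caller should review them separately (see unparseable_hosts).
    """
    if today < XP_END_OF_SUPPORT:
        return []
    return [host for host, ver in inventory if is_windows_xp(ver)]


def unparseable_hosts(inventory):
    """Hosts whose version string could not be parsed; they need a manual look."""
    return [host for host, ver in inventory if nt_major_minor(ver) is None]


def xp_share(inventory):
    """Fraction of parseable hosts that run XP, for comparison with the
    'nearly a third' figure the article cites for all Windows systems."""
    parsed = [ver for _, ver in inventory if nt_major_minor(ver) is not None]
    if not parsed:
        return 0.0
    return sum(1 for ver in parsed if is_windows_xp(ver)) / len(parsed)


if __name__ == "__main__":
    day_after = date(2014, 4, 9)
    print("Unsupported XP hosts:", unsupported_xp_hosts(SAMPLE_INVENTORY, day_after))
    print("Need manual review:", unparseable_hosts(SAMPLE_INVENTORY))
    print("XP share of fleet: {:.0%}".format(xp_share(SAMPLE_INVENTORY)))
```

The date check matters for the report's wording: the same hosts are "old" on April 7 and "unpatched" on April 9, and only the second state justifies the isolation or migration steps the article's advice amounts to. Records that fail to parse are listed separately instead of being silently dropped, since an inventory gap is exactly where a forgotten XP box tends to hide.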
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.