A decade ago, Microsoft kicked off SDL, or Security Development Lifecycle, a now-widely-adopted process designed to bake security into software, and began building what has become an unmatched reputation in how a vendor writes more secure code, keeps customers informed about security issues, and backs that up with regular patches.
But the Redmond, Wash. company, which just touted SDL's 10-year history with a flashy, anecdote-filled online presentation, seems willing to risk torching that hard-won reputation by pulling the plug on Windows XP.
Microsoft plans to ship the final public patches for Windows XP on April 8. After that, it will not deliver fixes for security vulnerabilities it and others find in the 13-year-old operating system.
The result, even Microsoft has said, could be devastating. Last October, the company said that after April 8, Windows XP would face a future where machines are infected at a rate 66% higher than before patches stopped.
"After April 8, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Tim Rains, director of Microsoft's Trustworthy Computing group. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."
Microsoft has justified its stoppage of Windows XP patches by reminding everyone that it has supported the OS longer than any other, which is true: Its normal practice is to patch an operating system for 10 years. And it has argued that Windows XP is old, outdated software that is less secure than its newer operating systems: Windows 7, Windows 8 and Windows 8.1.
The problem that Microsoft has only occasionally touched on is that Windows XP powers a massive number of personal computers around the world. According to Internet measurement company Net Applications, 29.5% of the globe's PCs ran XP in February. Using estimates of the number of Windows PCs now in operation, that "user share" translates into approximately 488 million systems.
Four hundred and eighty-eight million.
If every PC sold in the next 12 months was one destined to replace an existing Windows XP system, it would take more than a year and a half — about 20 months — to eradicate XP. Windows XP isn't going anywhere.
Even if one discounts the 70% of the approximately 300 million XP machines in China that are not regularly updated with existing patches — the 70% statistic comes from Microsoft — that still leaves 278 million machines.
Microsoft has never faced this situation before, with a soon-to-be-retired OS running a third of all the Windows PCs worldwide. So on one hand it's not surprising that it has stuck to its guns, and is pushing XP into the sunset and forgetting it.