Millions around the world enjoy their daily cup of coffee.  My wife is one of them.  Her morning Bible reading and her cup (or two or three) of coffee is something she can’t go without.  And while she REALLY enjoys her coffee, I noticed this morning that we have outdated coffee makers both in our home and at our Thirtyseven4 office. Both machines are a number of years old; neither carries a brand name like Gevalia, and neither can pass for anything close to one of those fancy Keurig machines.  Being the husband I am, I asked her if she’d like to go shopping sometime and upgrade her brewing vessel for a newer one that promises to brew faster, has more features, and sports a style from this decade.  She quickly said “no”, reassuring me that our coffee maker works fine.

As I was preparing to write this month’s column on Microsoft’s decision to discontinue support for the Windows XP Operating System (and Office 2003), I got to thinking about my wife, our coffee maker and the discussion we had over it.  At the time, I couldn’t figure out why a new kitchen appliance didn’t immediately appeal to her (I am not being sexist: my wife loves to cook).  But the more I thought about it, the more I realized that she was right about the coffee maker: that while old, it was working fine, and there was really no need to spend additional money when she is content with our current one, or to get involved with learning new features when the current one isn’t broken and is working fine for her needs.  But what if her coffeemaker would cease to perk on April 8, 2014? I feel like this situation may be mirrored for many of us (especially churches and K-12 school districts) all too quickly as we approach Microsoft’s self-imposed April 8th deadline.  In fact, a recent study conducted by an independent security research lab showed that nearly one in four computers globally still utilize Windows XP.

According to news reports generated by Microsoft, on April 8th they will immediately discontinue all new security updates, non-security hotfixes and technical support options, and they will cease posting any further online technical content updates for Windows XP or Office 2003.  Microsoft’s reasoning behind the decision is that the Windows XP and Office 2003 products have completed their ‘Support Lifecycle’.  According to a policy introduced in 2002, Microsoft Business and Developer products, including Windows and Office products, receive a minimum of 10 years of support, at the supported service pack level.

As the business owner of the security software company Thirtyseven4 Antivirus, I can see the logic behind Microsoft’s thinking.  (The operating system is outdated and in the world of technology, it is acceptable to decide Windows XP and Office 2003 should be replaced by a more current version.)  However, as a business owner whose company takes great pride in serving and protecting the educational and church community markets primarily, I can also see complications that this decision will bring:

  1. While not all U.S. churches and school districts are in a financial crunch, many (and I dare say “most” when talking about K-12 schools) are drawn very tight, and replacing their older computers simply isn’t financially feasible.  From my experience, let me be more blunt: It is not an option.  And while Microsoft may be statistically correct in reporting that the average current price of a computer is considerably less expensive than the cost of an average PC purchased 10 years ago, this fact is nullified in many school-district cases because their machines were donated (and never purchased at all).  I say this because over the years I have dealt with and talked with hundreds of IT directors and volunteers of small to mid-sized churches and schools, and a common thread that runs among them is that most if not all of their functioning computer systems were donated by bigger businesses.  In the corporate environment, many look to upgrade their systems every three to five years.  Because (many times) there was never an initial expenditure of funds for the hardware, the “cost” of computers (and replacing every single one of them in April!) is not built into the budget, and could be an insurmountable task.  I fear that many churches and schools may be left in the (Windows 8.0) dust.
  2. Upgrading the operating system of tens or hundreds or possibly thousands of systems is a huge job in itself, requiring large amounts of resources and possibly outside IT work.  But getting staff and students trained, upgraded and running on the latest Windows 8 operating system seems a daunting task for even the most optimistic of us.
  3. Not to be a party-pooper, but ditching older XP systems in favor of Windows 8 or Windows 8.1 will likely also cause compatibility issues with other installed and managed software.  For example, if your church management software or your security software, etc. are not compatible with Windows 8 because they were purchased prior to the release of Windows 8, a school or church may find themselves needing to purchase more than just the operating system or Office upgrade.

 

So, what happens if users don’t upgrade?

Vulnerabilities and exploits can exist in most software, but this is especially true for Microsoft’s Windows Operating Systems.  Because Windows is highly popular, it is also the OS most targeted by cybercriminals, who look to punch a hole through these vulnerabilities in order to gain access, etc. to your system(s).  There is a term I am sure you have heard of called “Patch Tuesday”, and this term was coined in reference to the second Tuesday of every month, when Microsoft releases its patches and security updates automatically through its Windows Update service.  The patches and updates are necessary to fix disclosed or undisclosed vulnerabilities in their products.  There is another term called “Exploit Wednesday”, and this term refers to hackers and cyber attackers who analyze and reverse engineer the newly released patches to determine which vulnerabilities were corrected, so that they can in turn create malicious code to exploit users who have not yet downloaded and installed the latest security fixes.  Come April 8th, 2014, Microsoft will continue to release patches and fixes for their other operating systems, but as I mentioned above there will cease to be updates for Windows XP users, which means that upon successful reverse engineering of the released patches, cyber attackers can turn around and create malware and other threats that will now affect all Windows XP users.  So as predicted in last month’s column covering security predictions for 2014: without security updates, vulnerabilities are wide open on XP for attackers and malware writers to target these loopholes, posing a serious threat.

In reference to Thirtyseven4, our multi-layered security features will protect user systems against known and unknown types of malware using our advanced Behavior Detection System, but an open door to the operating system would always remain a serious point of concern in remaining fully protected.  Additionally, given the nature of exploits, etc., it is very hard to predict all the future dangers.

A “zero day” exploit or vulnerability is a vulnerability that exists within a product but for which no patch has been released at the time to correct the problem.  The newer term going around to describe Windows XP systems after April 8th is “zero day forever”, since fixes will no longer be made available to the public.

Okay, I admit, it’s a bit scary.  The “what-ifs” can pack a punch as you consider your network and the vulnerability it will have come April 8. What is the answer?  It’s easy but difficult.  We have to move forward, and that is what we do best in the area of technology.  Whether we are ready or not, there is always something new on the technological horizon.

The Microsoft Powers-That-Be have made a decision, and it will affect us sooner rather than later, specifically on April 8, 2014.  As a security professional, I encourage you to err on the side of safety and caution and upgrade.  It will take time, it will involve re-education, but in the long run, you will have a more efficient operating system and daily services.  Grab a cup of joe, it’s time to migrate over to a Keurig, I mean Windows 8.0 or 8.1.