Most Firms Face Security 'Red Alert' as XP SP2's Retirement Looms
Three out of four companies will soon face more security risks because they continue to run the soon-to-be-retired Windows XP Service Pack 2 (SP2), a report published today claimed.
According to Toronto, Canada-based technology provider Softchoice, 77% of the organizations it surveyed are running Windows XP SP2 on 10% or more of their PCs. Nearly 46% of the 280,000 business computers Softchoice analyzed rely on the aged operating system.
"This is a red alert," said Dean Williams, the services development manager for Softchoice. "This isn't something you can safely ignore, like you might have before."
Williams was referring to the impending end-of-support deadline that Microsoft has set for Windows XP SP2, a service pack that debuted in the fall of 2004. After July 13, Microsoft will stop issuing security updates for SP2, a move that has users scrambling to update to Windows XP SP3, which will be supported until April 2014.
"Windows XP SP2 is deployed in 100% of the companies [surveyed] to some extent," said Williams. "But that doesn't tell the whole story. On average, 36% of the PCs in every organization run SP2."
Softchoice obtained its data from customers of its IT assessment services, which include asset, hardware lifecycle and licensing management. It analyzed 278,000 PCs in 117 U.S. and Canadian organizations in education and the financial, health care and manufacturing industries. The firm weighted the number of XP SP2 systems in each polled organization to arrive at the average usage mark of 36%.
But most companies have work to do, Williams said, citing the 10% threshold of Windows XP SP2 systems. "It's unrealistic to expect them to execute a deployment of Windows 7 in the next three weeks," he said. "But they should determine who is affected and get them updated to Windows XP SP3 immediately."
Windows XP SP3, which Microsoft released in May 2008 , is available as a free upgrade to all Windows XP users. Microsoft has promised to support XP SP3 with security updates until April 8, 2014.
Softchoice's data is similar to numbers produced last month by Qualys, which said that approximately half of all enterprise PCs running some version of XP were using SP2.
According to Web metrics company Net Applications, 62.5% of all personal computers worldwide ran Windows XP in May. Net Applications has tracked an 11-point drop in XP's usage share in the last 12 months.
Williams expects that number to fall even faster with Windows XP SP2's retirement. "This represents the death knell of XP," he said. "[Windows XP SP3] is only a stay of execution."
Williams urged users and companies still running XP SP2 to update immediately, and said there's little risk in doing so. While enterprises may have put off deploying XP SP2 shortly after it launched in 2004 -- in large part because it was a major overhaul of the operating system -- XP SP3 is essentially just a collection of already-released fixes and patches.
"There's no compelling reason to delay the move to SP3," Williams said.
Microsoft has been beating the same drum, reminding users each month's Patch Tuesday of the looming retirement. In April, the company also made minor concessions on Windows XP SP2 support, announcing that it would take calls from customers running outdated service packs, such as SP2. Previously, it turned those people away.
Windows XP SP3 can be downloaded from the Microsoft site, or obtained from XP SP2 PCs via the Windows Update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com .
Read more about windows in Computerworld's Windows Topic Center.