Windows XP owners can expect most antivirus vendors to continue providing them with up-to-date signatures long after Microsoft pulls its patch plug in April, but that won't keep their machines safe, an expert said today.
Microsoft will deliver its final public patches for Windows XP on April 8, less than three months from now, finally retiring the 13-year-old operating system, the most successful ever for the Redmond, Wash. developer.
That will leave users still running XP -- and there are hundreds of millions worldwide -- without a way to fix vulnerabilities that hackers can exploit with impunity.
"Antivirus cannot patch the underlying vulnerability," said Andreas Marx, CEO of AV-Test, a German company that regularly evaluates antivirus (AV) products for Windows. "There's nothing that AV can do to close those vulnerabilities, it can only limit malware spreading from one machine to another."
Although he urged XP users to upgrade to a newer and still-supported operating system -- whether Windows 7, 8 or 8.1 from Microsoft, OS X from Apple or Linux from the numerous distributors of the open-source OS -- Marx acknowledged that's not possible for everyone, much less in the limited time left before Microsoft calls it quits.
But by taking steps, XP owners can make their PCs, if not secure, at least safer to use.
"Internet Explorer [IE] and Outlook Express [an obsolete email client distributed with XP] will also no longer receive security fixes, so it will be very dangerous to continue using that browser and email client," said Marx.
Instead, people should switch to alternate browsers and email programs that will be patched after April, such as Google's Chrome, Mozilla's Firefox and Opera Software's Opera browsers. Google has promised to continue supporting Chrome on XP until at least April 2015, for example.
And while an AV program can't keep all threats at bay, Marx urged users to invest in one if they plan on running the older OS through 2014 and beyond.
"AV products will lose these battles [with malware makers] on XP sooner or later," said Marx. "XP will be like Swiss cheese. But you can still do things to protect the system."
Marx contacted more than 20 AV companies to find out whether they will continue to support XP with updated anti-malware signatures, and if so, for how long. Today Marx published that list on his AV-Test website, along with a call for other vendors to submit information so he can keep the count up to date.
Microsoft, for one, announced last year that it would stop serving signatures to XP users of Security Essentials, the free AV program that launched in 2008. More recently, Microsoft said it would discontinue downloads of Security Essentials for Windows XP on the same last-patch date of April 8.
But most third-party AV makers will keep churning out signatures for months, even years, Marx found.
Kaspersky, BitDefender and Avira, for example, which placed 1-2-3 in AV-Test's September-October 2013 examination of AV products for Windows XP, have pledged to support consumers until 2018, January 2016 and April 2015, respectively. On the business side, Kaspersky, Symantec and Trend Micro products topped the list; Kaspersky will support its end-point AV software on XP until the second half of 2016, Trend Micro until Jan. 30, 2017. Symantec has not set an end date.
Even though many of the major AV companies will keep shipping signatures to XP customers, Marx cautioned against trusting that will be enough to keep old PCs secure.
"They may still be releasing signatures for the [antivirus] engine, but most of these companies will not update the product and the underlying technology [for XP]," said Marx. "Signatures are only one part of the AV story. AV includes a lot of different technologies, including behavior-based detection technologies, that may not be kept up to date."
But, he said, safeguarding an XP system with an updated AV title is better than doing nothing. "It's definitely very important to have AV, but people shouldn't expect too much from it," Marx said.
Microsoft has been sharpening its anti-XP knife for years as it has tried to convince customers to replace Windows XP with first Windows 7, then argued that they should just buy a new machine with Windows 8 or 8.1. When Windows 9 ships, they will probably switch to beating that drum.
According to metrics company Net Applications, Windows XP's user share -- the percentage of the world's personal computer owners who went online with that OS last month -- stands at 29%, a new low. But even though XP is on the decline, Computerworld has forecast that 25%-26% of all systems will be running the operating system at the end of April, and about 20% at the end of 2014.
Those percentages translate into hundreds of millions of PCs.
Most of those are in China by Net Applications' tracking, which Marx corroborated today. "Qihoo and Tencent said that two-thirds of their customer bases now use XP, and that it's impossible for their [combined] 300 million XP users to switch to Windows 7 or 8 anytime soon," said Marx.
Qihoo and Tencent are China's two largest AV providers.
Much ink has been spilled about whether Microsoft should extend XP's life by continuing to patch its vulnerabilities. Some believe that Microsoft owes security to those customers, even has a stake in keeping them safe since millions of infected Windows XP machines pose not only a public relations threat to Microsoft but to other Windows systems too. Others think XP is far too old to maintain, and should have been retired years ago.
Marx was in both camps.
"Microsoft has done a very good job here if you look at other market players," said Marx of Microsoft's 12-years-and-counting patching of XP. "I wouldn't blame Microsoft [for halting patches] but when no further updates for XP are available, think about what happens to the entire Windows ecosystem. It's going to be a real target for hackers and botnets. It will be a dangerous situation."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.