XP still used by one in four PC users

New figures reveal that Windows XP, despite going end-of-life back in April, is still being used by a quarter of PC users.

IE zero-day flaw unpatched on XP

Data from NetApplications - analysed by the Business Insider newswire - reveals that very few Windows XP users have actually upgraded their operating systems, despite WinXP going end-of-life in April.

As widely reported at the time, 8 April marked the official end of Microsoft offering security updates for the veteran desktop operating system, despite an estimated 27.7 percent of PCs still using the platform in March (falling to 25.3 percent in May).

One of the most revealing take-outs from NetApplications' real-time data is that only 12.5 percent of users have installed Windows 8.x, as compared to 50 percent of users having installed Windows 7.x as at the end of May this year.

Peter Wood, CEO of pen-testing specialist First Base Technology, said that Microsoft needs to take a leaf from Apple's book when it comes to upgrading operating systems, noting that OS X Mavericks - released last October - has been offered free of charge to all users.

"Maybe it's about time that Microsoft stepped up to the plate and offered some pro bono real support for users migrating away from Windows XP," he said, adding that there is still an increasing reluctance amongst users - especially small businesses - to upgrade.

"Microsoft is well placed to continue support for Windows XP," he said, noting that commercial users are continuing to receive critical security updates at a reported rate of around £180 per machine.

Andrew Mason, co-founder and technical director with open source security specialist RandomStorm, said that, as a QSA, he thinks this is quite a worrying finding.

"While these figures could be dismissed as being made up of smaller companies, if we look at the Target breach, the cybercriminals went after a third party supplier to piece together the attack," he explained.

Mason says that the Payment Card Industry Data Security Council has stated that any merchant that is still operating Windows XP is automatically non-compliant and is seeking to ensure that most companies accepting online card payments - regardless of their size - update to Windows 7 or 8.

Shane Colombo, director of projects with affini, a systems integrator, said that many organisations are finding it difficult to migrate because custom applications have been built on top of XP to run business-critical processes.

"Whenever hardware or software are upgraded, these organisations are forced to redevelop their bespoke applications, in order to preserve vital business functions such as ERP, payroll, CRM and financial transaction processing," he explained.

Tim Erlin, director of security and risk at Tripwire, warned that users remaining on WinXP are clearly putting their data at risk, despite very clear warnings from both Microsoft and the information security industry.

"This data shouldn't surprise anyone because the users who were still on XP by the time the End of Support deadline passed were already those who either can't or can't be bothered to upgrade. The XP holdouts have already demonstrated their ability to stick with the aging platform, so we can likely expect this population to dwindle only through hardware failure, lack of software compatibility and compromise," he said.

Tim Keanini, Lancope's CTO, said that a vulnerable instance of WinXP on the Internet is everyone's problem.

"We all have to do our job in helping these folks migrate to safer operating systems - or just to get the heck off the Internet until they can behave appropriately," he said, adding that these users are likely to continue to be a problem over time because they are fundamentally against change.