Week 9 Post – The Risk of Using Old Software

Many organizations held on tight to their old Windows XP computers.  Some are still using it despite the risks and warnings.  Windows Server 2003 falls into this risk category as well.  Microsoft ended support for Windows XP on April 8th, 2014. Microsoft Windows Server 2003 extended support ended on July 14th, 2015.

What that means to most people is that Microsoft no longer provides security updates after that date.

On its face value, that might not seem like an important event, since Windows XP or Server 2003 installed on a computer will still function as it had before.  The issue is that security vulnerabilities are continually being discovered throughout the lifecycle of an OS and beyond.

Microsoft stated that “without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.”

The issue for an organization is not just the vulnerability risk, but also a compliance risk.  Microsoft stated that businesses that are “governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements.”  Organizations with HIPAA compliance requirements who are still using Windows XP or Server 2003 may find that in case of a violation or data breach on those systems, that they are no longer just a victim, but that they are now considered willfully negligent.

Once a vulnerability issue becomes known, the manufacturer then addresses the issue with a security “fix” or “patch.”  Once support has ended, any new vulnerabilities discovered will remain vulnerable to attack, with no action by a manufacturer to correct them.  Microsoft’s recommendation was to “terminate” use of Windows XP by upgrading to a newer, supported OS, which most organizations did.

There is also usability of the Operating System or the applications that run on top of it.  People using older web browsers that aren’t capable of newer SSL/TLS standards will find that they aren’t capable of visiting or using many of the ecommerce websites or other websites that require an SSL/TLS encryption.  This is pretty much any website that begins with https: on your web browser as opposed to the unencrypted http.

Google announced in April, 2016 that their new version 50 Chrome browser will not be supported on a wide range of operating systems . Windows XP, Windows Vista, Apple Mac OS X 10.6, OS X 10.7, and OS X 10.8 are no longer supported.

Cyber protocols are subject to change over time and the once secure SSL protocol is no longer considered secure.  Most modern encrypted connections to web sites and other servers are now using TLS version 1.2.


Support for Windows XP ended April 8th, 2014. (n.d.). Retrieved May 12, 2016, from https://www.microsoft.com/en-us/WindowsForBusiness/end-of-xp-support

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.)(ch. 8). Stamford, CT: Cengage Learning.