Gee thanks for nothing Google. Your latest decision regarding Chrome could put many of us at risk on the internet.
After April 8, 2014, Microsoft will no longer support Windows XP. That means your XP computers will no longer receive security updates to protect you from the latest security vulnerabilities exploited by malicious hackers.
No more Patch Tuesday security updates for Windows XP users. But malicious hackers *will* be able to read about what security holes have been found in newer versions of Windows, and there’s a good chance that some of them can be exploited on now unprotected XP systems.
Microsoft warned about this issue in a blog post they published in August:
> The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever.
In short, if you use Windows XP you really need to switch to a more modern operating system (XP first appeared in late 2001) – or you are putting your data, identity and other internet users at risk by connecting to the internet.
But who is this galloping to the rescue? Google has announced that it will extend Chrome’s support for Windows XP users until April 2015.
> We recognize that hundreds of millions of users, including a good chunk of current Chrome users, still rely on XP. Moreover, many organizations still run dozens or even hundreds of applications on XP and may have trouble migrating. Our goal is to support Chrome for XP users during this transition process. Most importantly, Chrome on XP will still be automatically updated with the latest security fixes to protect against malware and phishing attacks.
What a shame.
Yes, maybe Google can keep a handle on bugs and security holes in Chrome, running on Windows XP. But Google is powerless to fix and patch vulnerabilities in Windows XP itself.
By allowing its browser to support an operating system that has already had its life unnaturally prolonged, Google is actually facilitating unsafe internet use.
A strong message needs to get out there to Windows XP users that, after April 8, 2014, it is simply no longer safe to use the operating system. Imagine how that message could have been sent out even more loudly if the Chrome browser simply refused to run after that date, and told users to upgrade their OS instead?
Of course, I recognise that there will be companies out there who are running legacy systems that rely upon Windows XP, and may be finding it hard to migrate, but seriously… it’s not like you haven’t known this was coming for *years*.
Anyone connecting a Windows XP computer to the internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the internet – as their computers may be hijacked into botnets and used to spread malware and spam attacks.
And Google, I’m afraid to say, is encouraging that reckless behaviour by allowing Chrome to keep on running on Windows XP.
It may seem drastic, but I would like to see all browsers drop support for Windows XP on April 8 2014 – or at least display a big fat irritating warning message, telling users that if they connect to the net, they are taking a big risk.
8 comments on “Google Chrome to help unsafe, insecure XP users surf the net… putting the rest of us at risk”
So who has not upgraded?
– Those running old hardware incapable of newer versions of Windows. Majority probably not in the US or EU?
– Those unable to upgrade for business reasons. The techies know this, and *have* "seen it coming for years", but is IMO a side-effect of security spending being way down the list of prios for most companies as you know, or tied in to legacy intranet systems etc.
– Those home users who run a machine capable of running a more modern OS, are paradoxically still using XP, and have not "got around to it" despite being able to afford it.
I'm willing to bet use cases 1 & 2 far outnumber 3. A lot of users (not necessarily direct customers of MS) are going to be abandoned through no fault of their own. And because of Microsoft's pricing model & the economic climate many business users will not upgrade, or they would have done so by now. So for one reason or another I am willing to bet a significant number of users cannot upgrade and Google is helping these users. Why? Because there is enough of them to make it cost-effective for Google, ergo this is a significant problem. Microsoft cannot "do an Apple" and just cut these users off because unlike Apple they have to support random legacy hardware knocked out decades ago. But perhaps they should be more bold in future in this regard? Perhaps Microsoft themselves should help further by say reducing the upgrade price for those users. Microsoft are facilitating unsafe internet use far more than Google here. I take your point, but I suspect more users will be locked-in to XP than would ever be enticed away by Chrome not supporting them. Google offering Chrome to these users (who cannot run modern IE's AFAIK) does a great job in defeating a major attack vector — the web — for these abandoned users. And as you suggest, there's nothing stopping Chrome surfacing a "nag bar" as well as offering a more secure browsing experience ;)
Graham is right on about what a false sense of security the Google's Blog could give the general audience and at the same time insult the technically savvy. Google is aware that Microsoft does indeed drop support for the OS’s browser when they drop support for the OS. Internet Explorer 8 is the last Microsoft browser to be written for XP and Windows Server 2003. However, Microsoft has decided to extend support for Windows Server 2003 until a year after support has dropped for Windows XP. So, for those Windows Server 2003 users, which are probably still in the millions, which many may be Chrome users on those servers, then Google could not afford to abandon those customers. And, since Windows XP and Windows Server 2003 are nearly identical in code then, sure, it’s easy for Google to continue support for XP without much extra expense. Microsoft could continue to support IE 8 in Windows XP also just as easily since they will be supporting it in Server 2003 anyways. Microsoft simply doesn’t want to prolong the weaning of the population from Windows XP and rightfully so because…well, it’s just time to move on. I don’t know who wrote the original Google blog but, they are again trying to paint Google as the savior from Microsoft’s abuses.
I'm afraid I don't see it that way Graham. There are many reasons people will be forced to run Windows XP and lots of them require a browser. We know Internet Explorer, by definition of not receiving updates, will be the single most targeted application after XP's sunset. Hopefully very few of these computers will be surfing the internet, but are you suggesting the banks throw away billions of dollars in capital expenditure in cash machines because they can only run XP? Should the university mechanical engineering department invest $15 million in public money to replace Windows XP based controllers? Unfortunately there will be a need for XP for at least another 10 years in specialized areas and I would prefer that if those machines need to venture out onto the net on occasion they use a tool that has the most exposed attack surface patched. If this move simply allows home users or corporate desktops to avoid moving on from XP, that would be unwise, but I think it is a more complicated picture than you paint here.
While it was a real improvement over its predecessors XP has really aged. I'd argue that the problem is with the companies that insist on using aged machines and software, because it looks like they assumed it was a "buy-once-use-always" deal, which is not realistic at all.
Software and technology change at a rapid pace because the industry and technology are still developing. There are really good arguments for keeping old machines running, but I do think that if you invest in this newer technology, you run the risk of becoming outdated.
Besides, older technology is perfectly usable. It should be safe as long as you keep those systems isolated from the internet.
So you have to plug in your xp computer and upgrade BEFORE 2014!
I'll never be able to play Humbug again…..
This author seems to be really upset over nothing. Some some pot.
So I hope we now equally condemn Microsoft for extending MSE support until July 2015 and thus facilitating use of unsafe XP until then?
I am confused about how an operating system that has been around for 13 years, has had 3 service packs and 1000's of patches and updates will become one of the most insecure after April 8? After a lot of research I have not had anyone address this and wonder if the MS fear mongering PR is at work to increase their hip pocket. Certainly continuing to support a 13 year operating system that MS no longer make a single cent out of makes little commercial sense so personally I see it as more of a cost cutting endeavour by MS than anything else and just about every IT pro out there has a vested interest in upgrading all the old outdated and "insecure" Windows XP client machines as it is cash in their hip pocket. Doesn't anyone remember the fear campaign in 1999? Also many antivirus anti spam and anti malware products run happily on Windows XP machines … let me think avast, malwarebytes, spybot anyone? Granted the embedded IE on Windows XP is old but with many other browsers to choose from + a decent AV + malware solution I don't understand why Windows XP could not still be used for many more years to come?