Google Chrome to help unsafe, insecure XP users surf the net… putting the rest of us at risk

Graham Cluley

Gee thanks for nothing Google. Your latest decision regarding Chrome could put many of us at risk on the internet.

After April 8, 2014, Microsoft will no longer support Windows XP. That means your XP computers will no longer receive security updates to protect you from the latest security vulnerabilities exploited by malicious hackers.

No more Patch Tuesday security updates for Windows XP users. But malicious hackers *will* be able to read about what security holes have been found in newer versions of Windows, and there’s a good chance that some of them can be exploited on now unprotected XP systems.

Microsoft warned about this issue in a blog post they published in August:

Microsoft blog

The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever.

In short, if you use Windows XP you really need to switch to a more modern operating system (XP first appeared in late 2001) – or you are putting your data, identity and other internet users at risk by connecting to the internet.

But who is this galloping to the rescue? Google has announced that it will extend Chrome’s support for Windows XP users until April 2015.

Chrome blog post

We recognize that hundreds of millions of users, including a good chunk of current Chrome users, still rely on XP. Moreover, many organizations still run dozens or even hundreds of applications on XP and may have trouble migrating. Our goal is to support Chrome for XP users during this transition process. Most importantly, Chrome on XP will still be automatically updated with the latest security fixes to protect against malware and phishing attacks.

What a shame.

Yes, maybe Google can keep a handle on bugs and security holes in Chrome, running on Windows XP. But Google is powerless to fix and patch vulnerabilities in Windows XP itself.

By allowing its browser to support an operating system that has already had its life unnaturally prolonged, Google is actually facilitating unsafe internet use.

A strong message needs to get out there to Windows XP users that, after April 8, 2014, it is simply no longer safe to use the operating system. Imagine how that message could have been sent out even more loudly if the Chrome browser simply refused to run after that date, and told users to upgrade their OS instead?

Of course, I recognise that there will be companies out there who are running legacy systems that rely upon Windows XP, and may be finding it hard to migrate, but seriously… it’s not like you haven’t known this was coming for *years*.

Anyone connecting a Windows XP computer to the internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the internet – as their computers may be hijacked into botnets and used to spread malware and spam attacks.

And Google, I’m afraid to say, is encouraging that reckless behaviour by allowing Chrome to keep on running on Windows XP.

It may seem drastic, but I would like to see all browsers drop support for Windows XP on April 8 2014 – or at least display a big fat irritating warning message, telling users that if they connect to the net, they are taking a big risk.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

8 comments on “Google Chrome to help unsafe, insecure XP users surf the net… putting the rest of us at risk”

  1. Jon Whitlock

    So who has not upgraded?
    – Those running old hardware incapable of newer versions of Windows. Majority probably not in the US or EU?
    – Those unable to upgrade for business reasons. The techies know this, and *have* "seen it coming for years", but is IMO a side-effect of security spending being way down the list of prios for most companies as you know, or tied in to legacy intranet systems etc.
    – Those home users who run a machine capable of running a more modern OS, are paradoxically still using XP, and have not "got around to it" despite being able to afford it.

    I'm willing to bet use cases 1 & 2 far outnumber 3. A lot of users (not necessarily direct customers of MS) are going to be abandoned through no fault of their own. And because of Microsoft's pricing model & the economic climate many business users will not upgrade, or they would have done so by now. So for one reason or another I am willing to bet a significant number of users cannot upgrade and Google is helping these users. Why? Because there is enough of them to make it cost-effective for Google, ergo this is a significant problem. Microsoft cannot "do an Apple" and just cut these users off because unlike Apple they have to support random legacy hardware knocked out decades ago. But perhaps they should be more bold in future in this regard? Perhaps Microsoft themselves should help further by say reducing the upgrade price for those users. Microsoft are facilitating unsafe internet use far more than Google here.

    I take your point, but I suspect more users will be locked-in to XP than would ever be enticed away by Chrome not supporting them. Google offering Chrome to these users (who cannot run modern IE's AFAIK) does a great job in defeating a major attack vector — the web — for these abandoned users. And as you suggest, there's nothing stopping Chrome surfacing a "nag bar" as well as offering a more secure browsing experience ;)

  2. Graham is right on about what a false sense of security the Google's Blog could give the general audience and at the same time insult the technically savvy. Google is aware that Microsoft does indeed drop support for the OS’s browser when they drop support for the OS. Internet Explorer 8 is the last Microsoft browser to be written for XP and Windows Server 2003. However, Microsoft has decided to extend support for Windows Server 2003 until a year after support has dropped for Windows XP. So, for those Windows Server 2003 users, which are probably still in the millions, which many may be Chrome users on those servers, then Google could not afford to abandon those customers. And, since Windows XP and Windows Server 2003 are nearly identical in code then, sure, it’s easy for Google to continue support for XP without much extra expense. Microsoft could continue to support IE 8 in Windows XP also just as easily since they will be supporting it in Server 2003 anyways. Microsoft simply doesn’t want to prolong the weaning of the population from Windows XP and rightfully so because…well, it’s just time to move on. I don’t know who wrote the original Google blog but, they are again trying to paint Google as the savior from Microsoft’s abuses.

  3. Chester Wisniewski

    I'm afraid I don't see it that way Graham. There are many reasons people will be forced to run Windows XP and lots of them require a browser. We know Internet Explorer, by definition of not receiving updates, will be the single most targeted application after XP's sunset. Hopefully very few of these computers will be surfing the internet, but are you suggesting the banks throw away billions of dollars in capital expenditure in cash machines because they can only run XP? Should the university mechanical engineering department invest $15 million in public money to replace Windows XP based controllers? Unfortunately there will be a need for XP for at least another 10 years in specialized areas and I would prefer that if those machines need to venture out onto the net on occasion they use a tool that has the most exposed attack surface patched. If this move simply allows home users or corporate desktops to avoid moving on from XP, that would be unwise, but I think it is a more complicated picture than you paint here.

    1. EwoudCP · in reply to Chester Wisniewski

      While it was a real improvement over its predecessors XP has really aged. I'd argue that the problem is with the companies that insist on using aged machines and software, because it looks like they assumed it was a "buy-once-use-always" deal, which is not realistic at all.

      Software and technology change at a rapid pace because the industry and technology are still developing. There are really good arguments for keeping old machines running, but I do think that if you invest in this newer technology, you run the risk of becoming outdated.

      Besides, older technology is perfectly usable. It should be safe as long as you keep those systems isolated from the internet.

  4. richard jenkins (@dreamofthought)

    So you have to plug in your xp computer and upgrade BEFORE 2014!
    I'll never be able to play Humbug again…..

  5. This author seems to be really upset over nothing. Some some pot.

  6. So I hope we now equally condemn Microsoft for extending MSE support until July 2015 and thus facilitating use of unsafe XP until then?

  7. confused

    I am confused about how an operating system that has been around for 13 years, has had 3 service packs and 1000's of patches and updates will become one of the most insecure after April 8? After a lot of research I have not had anyone address this and wonder if the MS fear mongering PR is at work to increase their hip pocket. Certainly continuing to support a 13 year operating system that MS no longer make a single cent out of makes little commercial sense so personally I see it as more of a cost cutting endeavour by MS than anything else and just about every IT pro out there has a vested interest in upgrading all the old outdated and "insecure" Windows XP client machines as it is cash in their hip pocket. Doesn't anyone remember the fear campaign in 1999? Also many antivirus anti spam and anti malware products run happily on Windows XP machines … let me think avast, malwarebytes, spybot anyone? Granted the embedded IE on Windows XP is old but with many other browsers to choose from + a decent AV + malware solution I don't understand why Windows XP could not still be used for many more years to come?
