"Windows XP SP3 was released in April 2008, which started the two year wind-down phase for SP2", Kandek said in a security blog posting.
"A large number of machines in enterprise networks are still running under Windows XP SP2", he added, noting that only half of all Windows XP installations have been upgraded to SP3 since its release.
"Even with a significant increase in the upgrade ratio, up from the 20% and 30% achieved in 2008 and 2009 respectively, we are still over a year away from having all machines migrated, threatening to leave many machines exposed to exploits for the vulnerabilities that we expect in the second half of 2010", he explained.
According to Kandek, most home users of Windows XP should be okay, as the automated update to SP3 has been pushed out by Microsoft. "On the enterprise side, however, it seems that two years of burn-in time is not enough, and it would be helpful if Microsoft could extend support for one more year", he said.
The Qualys CTO went on to say that January 2011 is the next major security milestone for Windows XP, when technical support for Windows Embedded XP SP2 – an operating system quite frequently used for ATMs and point of sale systems – is being withdrawn.
"Frequently these embedded systems represent an even bigger challenge to keep up to date; they are often managed by a third party and sometimes not even properly recognized as Windows computer systems", he said.