“There are multiple reasons why we still see XP in use today: the cost of upgrading can be daunting and machines may run critical legacy apps dependent on XP,” said Wolfgang Kandek, CTO at Qualys, in a blog. “There is also a lack of awareness of the size and state of the XP device population. Lastly, there are governments and other large organizations who have chosen to buy extended support for the OS from Microsoft.”
In 2013, more than 70% of Microsoft’s security patches affected Windows XP, and after today, Kandek expects this trend will continue even though Microsoft will not explicitly state this. XP use is dropping quickly, but Qualys is still seeing 14% usage across enterprises.
According to international data collected from over 100,000 monthly vulnerability scans of Windows PCs from Qualys’ BrowserCheck tool, levels of exposure across four major countries – the UK, the US, France and Germany – have dropped steadily, with the UK making more progress than others. UK businesses have cut exposure to XP by more than half since the first quarter of 2013, down from 18% to 8%, taking it to a level on par with the US.
While exposure has dropped across the board, France remains the country examined that is most at risk, with 13% of scans still identifying XP in the first quarter of 2014, significantly higher than the other nations tracked. In Germany, exposure was low to begin with (12%), but has also been declining more slowly, so that as of Q1 2013 only 7% of machines scanned were still running XP.
In a separate analysis that examines industry exposure globally using QualysGuard data from scans at 6,700 companies, substantial differences were found by sector. For instance, the finance industry has made progress in eradicating Windows XP over the past 12 months, but levels of use remain high, particularly for an industry dealing with such sensitive data. With 21% of scans showing machines operating Windows XP, the finance industry is more vulnerable than industries such as services (7%), healthcare (3%), transport (14%) and retail (14%).
Meanwhile, transport companies have contributed to the sharpest observed drop in exposure to XP, with the percentage of scans identifying XP falling from 55% to 14% within the last twelve months.
“We have seen a linear decline in use of XP over the past twelve months, but at current rates businesses will still be at risk for quite some time,” said Kandek, in a statement. “We must remember that no matter how well a business does in reducing the percentage of machines using XP, just one machine is enough to leave a company vulnerable to attack.”