Too many cyber risks if XP support is shelved

A look into the security concerns as a result of the death of Microsoft Windows XP

With the death knells sounding for Microsoft Windows XP, Stephen Bonner, a partner in KPMG’s Information Protection & Business Resilience team, explains what its end-of-life really means for business. He also highlights concerns over the security implications of pulling the plug on XP. He says:

“Educated estimates suggest that almost 1 in 5 personal computers still run XP. While this figure has dropped from 25 percent last year, it will remain stubbornly high for some time. The picture is even more complex with XP still running on computers embedded in systems that are difficult to upgrade - the likes of ATM machines, kiosk, airline ticketing or military systems. And it’s not just a problem limited to the UK. In China, for example, XP remains even more prevalent, with over 22 percent of computers still running Internet Explorer 6, the default browser parcelled with XP and itself over a decade old.”

“So XP will be with us for some time, and in some quite unexpected places. Little wonder banks and governments are paying millions of pounds to extend support beyond April 8th.”

Highlighting the potential vulnerabilities of legacy XP systems, Bonner adds: “Cyber criminals play the numbers game. They are interested in targeting a large population and will attach far greater value to an opportunity to exploit current operating systems and applications, and ideally cross platform. That doesn’t mean computers running XP will be ignored as they provide a useful population of vulnerable systems to recruit into botnets for spam and potential attacks.”

“There has been speculation about cyber criminals holding back a large store of XP vulnerabilities ready to exploit obsolescent systems. I doubt that will happen - the incentive to exploit early and make money is just too great. However, I suspect some intelligence agencies might have a few zero days still in stock just in case.”

“Many of the legacy systems which represent the XP population are also in difficult to reach places, where the security of the system depends as much on physical security and network segregation as it does on the patching of the operating system itself.”

Unlike those trying to use fear, Bonner takes a more pragmatic view of the Windows XP end of support. He said: “It is worth remembering just how much obsolete software resides on our desktops. A survey of Java versions on a million end points last year found many had multiple versions of Java installed. On average organisations ran over 50 different Java versions, and more than half the organisations surveyed had Java software running which was over 5 years old.

“So let’s look beyond XP, but learn some lessons about the importance of managing obsolescence, removing obsolete software, and remembering to secure those out of sight computers.”


- ENDS -


Media enquiries:

Nahidur Rahman, KPMG Press Office

T: 020 7694 8812

M: 0788191 6975


Mike Petrook, KPMG Press Office

T: 020 7311 5271

M: 07917 384 576



KPMG Press Office: +44 (0) 207 694 8773


About KPMG

KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with approximately 11,500 partners and staff. The UK firm recorded a turnover of £1.8 billion in the year ended September 2013. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 155 countries and has 155,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.


This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG in the UK.
