If you're still using XP software, stop by April 8

March 08, 2014

Now that Microsoft is ending maintenance for its Windows XP software, UC Davis needs to stop using it too.

Microsoft says it will stop providing security updates and other patches to XP on April 8, 2014. The withdrawal of support makes the 13-year-old operating system (OS) software a major target for hacks, viruses, and other malware.

The risk is significant, both to the faculty, students and staff who use those machines--their data could be exploited or stolen--and to the campus, because damage that starts on an unprotected XP machine could easily spread across the UC Davis network.

No one knows how many machines that connect to the campus network still use XP. There are probably at least 1,200, according to an estimate from the security group in Information and Educational Technology (IET). They range from largely forgotten computers tucked away in offices and homes, to research machines with hard-to-upgrade software.

Nevertheless, UC Davis security standards prohibit computers from connecting to the campus network if those machines use unmaintained OS or application software.

What you need to do

Faculty, students, staff and departments still using XP need to take action by April 8. The best solution by far is to upgrade to modern software. Buy a new computer if necessary.

Many departments began working on the problem last year. According to the minutes of the Jan. 29 meeting of the campus Technology Infrastructure Forum, "It'll be more cost effective to pay for operating system upgrades now than [to] deal with the consequences of an attack on those systems."

"In almost all cases, these upgrades are a good opportunity to 'clean house' by updating to current application versions, removing old and unused user accounts, and generally cleaning out the junk that accumulates on a computer, slows it down, and causes error s," says a notice from the Division of Social Sciences IT Service Center. "Many of you will find that this process results in a significant performance boost for your older computers."

If an upgrade is not possible, a machine that uses XP can be physically isolated from the network, or placed behind a hardware firewall (this last remedy would still require an exception to policy). Exceptions to the security policy can be obtained in rare instances, if no alternative exists. The exceptions are conditional and expire after one year.

To learn more

IET has created a website with information about the end of XP, links to resources, and contact information if people have questions or need help from IET to address the risks caused by the end of XP.

IT consultants believe hackers will start moving in on XP as soon as Microsoft pulls back (one expert in Michigan thinks hackers will pounce within 10 minutes of the official end of support).

"Using XP beyond its end of life is risky, and the risk will only grow," said Chief Information Security Officer Cheryl Washington. "People need to stop using it. I can't emphasize that enough."