Windows XP Embedded Supported for Two or More Years
Not all Windows XP operating systems will become security risks after April 8.
It turns out that most of the embedded versions of Windows XP will live on for a few more years, even as the Windows XP desktop OS loses "extended" product support in less than two months. The loss of extended support means that no more security patches will be issued by Microsoft for the OS, leaving PC systems potentially vulnerable to attack.
Of the Windows XP Embedded OSes, only the Windows XP Professional for Embedded Systems product faces the same looming April 8 date. That's because the Pro version is basically the same product as Windows XP for desktop computers, explained Dave Massy, a senior program manager on the Windows Embedded team, in a blog post this week.
Two Windows XP Embedded products will lose extended support in 2016, while two others face 2019 end-of-life dates, according to the post:
- "Windows XP Embedded Service Pack 3 (SP3). This is the original toolkit and componentized version of Windows XP. It was originally released in 2002, and Extended Support will end on Jan. 12, 2016."
- "Windows Embedded for Point of Service SP3. This product is for use in Point of Sale devices. It's built from Windows XP Embedded. It was originally released in 2005, and Extended Support will end on April 12, 2016."
- "Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008; and Extended Support will end on Jan. 8, 2019."
- "Windows Embedded POSReady 2009. This product for point-of-sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and extended support will end on April 9, 2019."
The "componentized" aspect of some embedded OSes indicates that independent software vendors have the option to reduce the footprint of the OS by excluding some of Windows XP's functions that don't fit the design criteria of a particular device. Reducing the footprint can aid security by enabling fewer avenues of attack. The embedded OSes also lack the Windows Update component, according to a Microsoft white paper (PDF), so the embedded OSes aren't subject to change as much as their desktop cousins.
Windows Embedded OSes typically get used for special-purpose devices or kiosks, including point-of-sale devices or inventory devices. They might not represent a typical attack object, although both Neiman Marcus and Target recently had point-of-sale device malware breaches. Possibly, the Target stores used Windows XP Embedded or Windows Embedded for Point of Service OSes, according to a Krebs on Security post. Many ATM machines used by banks also may be using Windows Embedded OSes.
In the meantime, the April 8 loss of extended support for Windows XP desktop computers is expected to be a major potential security problem for organizations. Microsoft has warned that using it after that date could subject organizations to perpetual zero-day vulnerabilities.
Windows XP for desktops still is widely used. The OS had a 29 percent market share measured back in January, according to Net Applications' data.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.