Here Comes the Fallout From Microsoft Corporation's Windows XP Fumble

Microsoft has been to this exact dance before, and handled it gracefully in 2004. Ten years later, there's a dangerous long-term fumble coming.

Anders Bylund
Apr 28, 2014 at 2:03PM

And so it begins. When Microsoft (NASDAQ:MSFT) drew close to letting security support for the Windows XP operating system expire, it was obvious that the event would unleash some mighty dangerous hacking exploits. The first such cyberattack is now a reality, posing a serious threat to millions of XP users. In turn, this unanswered menace is poised to erode consumers' and information technology managers' trust in Microsoft products.

The long-term damage this hacking wave might unleash is easy to overlook right now. Microsoft has outperformed its Dow Jones (DJINDICES:^DJI) peers over the last three months, buoyed by choosing a hands-on manager with a clear vision in new CEO Satya Nadella. Even today, amid news of this emerging attack vector, Microsoft is rising much faster than the Dow -- the Supreme Court just declined to try an antitrust allegation against the company, after all.

[Chart: MSFT share price. MSFT data by YCharts.]

But long-term investors should pay attention to Microsoft's Windows XP security issues. The platform hasn't been a revenue driver for years, as Microsoft introduced one successor after another. But old installations still account for a large chunk of real-world users, and the fallout from XP's unpatched security flaws will be equally large.

And this first large flaw in the unsupported XP era is a doozy.

Microsoft just reported vulnerability CVE-2014-1776, a security hole that lets attackers run code of their choosing on your machine when you view a malicious Web page in an affected version of the Internet Explorer browser.

There's currently no patch for this Internet Explorer flaw, not even for supported platforms such as Windows 8.1 or Windows Server 2012. It affects browser versions stretching all the way back to IE6, which shipped with the original Windows XP installations in 2001 -- and looms over even the latest and greatest IE11, which comes with Windows 8.1 installations.

While supported browser-and-Windows combinations will surely get a security patch in due time, XP-based systems may be out of luck. What's the point of ending official support, and then charging millions of dollars for super-extended security updates, if anybody can get important patches like this one for free?

Here's what will happen.


The browser security hole will get a solid patch, which is applied to millions of more modern Windows installations. This takes place via Microsoft's automatic updates, supplemented by centrally managed patch rollouts in enterprise-class IT shops.

For XP systems, there are workarounds (such as not using Internet Explorer in the first place) but no straight-up fix for this problem. Many XP systems are still under the purview of those centrally managed patch frameworks, and quick-thinking IT managers can roll out their own workarounds.

But others are in the hands of consumers. And if you're still using an XP system at home, you're not terribly likely to have the technical sophistication to work around this problem. And slowly but surely, these XP systems will start to get infected by viruses and malware that exploit the CVE-2014-1776 security hole.

In time, this will lead to stolen credit cards and identities. It may turn your old XP box into a spam-slinging email server. Many infected XP systems will record every keystroke and send full reports to high-tech criminals -- complete with user names and passwords for online banks and stockbrokers.

And then the real damage begins
The infections will be sneaky and obscure at first. But then the stolen credentials get sold on the black market and used in the real world. Eventually, that old XP box becomes the only reasonable explanation for fraudulent card charges, unauthorized bank transfers, and more.

Some of the victims will blame themselves for not having kept up with the times. Others will point an accusing finger right at Microsoft for abandoning millions of its most vulnerable users. And who's to say that the company won't do it again?

This scenario won't hurt Microsoft shares directly for a while. It could take years. But this single attack is just the first of many. Microsoft is staring down a huge amount of negative publicity and lost sales in the long term, all triggered by the clumsy handling of Windows XP's expiring support.

Yes, there were alternatives. For example, Windows 98 once had the dominant market position that Windows XP inherited, and it still enjoyed a 27% market share when official support was slated to expire in 2004. You know, just like XP's 27% market share today.

But Microsoft stayed Windows 98's execution for another two years. By then, the platform had diminished to a tiny 2.7% market share and there was no massive fallout from ending support.

Microsoft is doing a lot of things right under Nadella, but this holdover from the end of the Steve Ballmer regime is not one of them.

Sure, Windows XP already spanned a much longer era than Windows 98 ever did. There's a world of difference between a six-year reign and a 13-year dynasty. That said, Microsoft should have given XP just a couple more years under the cozy umbrella of official security updates. Now, Microsoft and its shareholders will suffer the consequences of not listening to what users actually need.