A Java update coming from Oracle this month could prove another nail in the coffin of the popular but outdated Windows XP platform, as the update may not run on XP systems, according to warnings from security experts.
Concerns about the impending support cut-off for Windows XP reached a crescendo earlier this year as the 8 April deadline for the end of all security updates from Microsoft arrived. However, as many as 20 percent of all PCs are said to be still running XP, according to some sources.
The problem could be about to come to a head, as Oracle is set to issue its next scheduled Critical Patch Updates for the Java platform on July 15th, and while users may be able to install the upgrade on XP systems, the applet does not appear to load following the upgrade, according to Danish IT security firm Heimdal Security.
It appears that Oracle quietly ended official support for the Java 7 platform on XP when Microsoft itself ceased to issue security updates in April. A notice on Oracle’s website informs users that they may still continue to use Java 7 updates on Windows XP at their own risk, but support will only be provided against Windows Vista or later.
Oracle’s newer Java 8 platform, which launched in March this year, has not supported XP from the outset.
As such, Oracle’s move to end support on XP could cause serious problems, as Heimdal Security CTO Morten Kjaersgaard explained.
“Windows XP still accounts for approximately 20% of the PCs in use, according to global market data. Of those XP users some 81,78% also use Oracle Java according to our intelligence,” he said.
“This means that millions of PC users, who still run Microsoft XP, are being left in the dark with a piece of software that is known to be very vulnerable.”
Some XP users have decided to continue running the outdated platform for various reasons, whether this is due to the cost of refreshing hardware to run more modern versions of Windows or because of compatibility issues with key applications. Some have also been emboldened by developers such as Mozilla, which has elected to continue to support XP with its Firefox browser.
However, the Java support issue could prove pivotal because Java is a key component of many applications and websites, and has also proven to be a popular target for malware creators. If XP users cannot update Java, they are increasingly putting themselves at risk, according to Amar Singh, chair of the ISACA Security Advisory Group.
“This is certainly a reason for those using XP to move on to more supported systems. Java is deeply insecure and remains one of the most relevant attack vectors for compromising user and device security,” he said.
The alternative for the real die-hard XP users is to uninstall Java and avoid all applications and sites that rely on the platform.
“I wonder if that is even possible for most users,” he added.
Mark Nunnikhoven, vice president for Cloud & Emerging Technologies at security firm Trend Micro, warned that the situation is only likely to get worse, and that XP users should take heed, as more and more vendors will be dropping support for XP as time goes by.
“For the end user, Oracle and others dropping support is frustrating and it means a lot of work to upgrade to a new operating system. From a security perspective, this just might be the motivation needed to move past an archaic platform and towards a more secure environment,” he said.
Kjaersgaard from Heimdal agreed: “Personally, I enjoyed using Microsoft Windows XP when it came out, but the days of Windows XP are over.
“The operating system is inadequate to cope with today’s security issues and I wouldn’t call it safe to connect and use a Windows XP based machine on the Internet. With 3rd party software vendors ending their support as well, users who have not yet changed platform, really have to do so now.”
Whether this message will get through to the many XP users who are still reluctant to upgrade remains to be seen.