How to keep Windows XP SP2 safer after Microsoft stops patching

Patches for the venerable service pack end Tuesday, but there are ways you can help protect your PC until you get SP3

Maybe you didn't get the memo: Tomorrow marks the end of patches for Windows XP Service Pack 2 (SP2).

And you're still running the nearly-six-year-old edition.

But XP SP2 won't shudder to a stop. Although Tuesday marks the support retirement of the service pack -- a date that some have called a "red alert" for people running SP2 -- that doesn't mean your copy of Windows will suddenly refuse to run.

It does mean that, after tomorrow, Microsoft will not offer any security patches, no matter how severe the vulnerability, no matter what part of Windows or associated component is involved. No more Windows patches -- and no more patches for Internet Explorer (IE), no patches for Windows Media Player, no patches for Outlook Express.

You can, of course, sidestep the whole problem by upgrading to Windows XP SP3, which will be supported until April 2014: Microsoft has posted a page that explains how to do that. (Note: Because there is no SP3 for the 64-bit version of Windows XP, you'll continue to receive security updates if you're running SP2 of that edition.)

Among your options: Download and install SP3 via Windows Update, download a disk image for upgrading multiple machines or order an SP3 CD for $3.99.

In fact, you actually have four weeks to upgrade to SP3 before Microsoft releases the next likely XP patch on Aug. 10. There's little chance that Microsoft will issue an "out-of-band" emergency update before then.

But if you're committed to SP2, for whatever reason, and have no intention of upgrading anytime soon, there are steps you can take to make your PC more secure and your time on the Internet safer.

Dump Internet Explorer. After Tuesday, Microsoft won't be providing IE patches of any kind, for any version -- IE6, IE7, or even 2009's IE8 -- to people running Windows XP SP2.

But other browser makers aren't halting updates for their wares. Mozilla, Google, Apple, and Opera will be shipping fixes for Windows XP versions of their Firefox, Chrome, Safari and Opera browsers for the foreseeable future.

More than a year ago, Mozilla debated whether to drop support for older editions of Windows, including Windows 2000 and Windows XP SP2. But the company decided against the move.

According to the system requirements for Firefox 4 Beta 1, the preview Mozilla released last week, the browser runs not only on Windows XP, but also Windows 2000. (Mozilla's system requirements link for Firefox 4 currently takes you to the page for version 3.6.6, leading us to believe that the requirements will remain the same for Firefox 4, which is slated to ship in November 2010.)

And because Mozilla's policy is to continue supporting a browser with security updates for at least six months after the launch of its successor, moving to Firefox 4 down the road means that if the company ships Firefox 5, or whatever the next edition is called, a year later -- in November 2011 -- patches for it will be produced through May 2012 or later.

It's important to keep a browser up-to-date on patches because hackers continue to exploit browser vulnerabilities, particularly those in IE. They focus on IE bugs for a simple reason: Every Windows machine has it, and Microsoft's browser continues to be used by more people than any other.

Ironically, you may actually improve the security of your Windows XP SP2 machine if you dump IE.

Patch third-party programs, especially browser plug-ins. According to most vulnerability experts, it's not your operating system that today's attackers target: It's non-Microsoft software, particularly browser plug-ins.

Antivirus vendors McAfee and Symantec have both reported huge surges in attacks exploiting bugs in Adobe's Reader, one of the most widely-installed plug-ins. McAfee, for example, said that exploits of Reader jumped 65% in the first quarter of 2010 compared to 2009's total.

Those kinds of numbers mean you should be spending more time patching third-party products, less time worrying about the inevitable vulnerabilities in Windows XP SP2 that Microsoft will no longer fix.

But that's tough: Most non-Microsoft software lacks automatic updating. Adobe, for instance, only instituted auto-updating for its regularly-exploited Reader and Acrobat in April -- and requires users to manually switch it on -- but it still hasn't offered the same functionality for its just-as-often-attacked Flash Player plug-in.

Stay safer. Without patches for the operating system, it's even more important than ever to practice safe computing.

  • Install antivirus software or a multi-component security suite if you don't have one on the PC already. If you do, keep it up to date by regularly downloading new signatures. Several AV programs, including Microsoft's own Security Essentials, are free.
  • Also, keep the firewall turned on -- easily done since Windows XP SP2 was the first Microsoft OS that not only included a firewall, but enabled it by default.
  • And remember the wisest advice: Don't steer to sites you're not sure can be trusted, don't open e-mails and attachments you didn't expect to receive, and don't download software from questionable sources.

We know, we know... the same advice you've heard a hundred times.

Keep reading Microsoft's security bulletins. Just because your copy of Windows XP SP2 won't receive any more updates doesn't mean you should stop looking at the bulletins Microsoft publishes each Patch Tuesday.

Those bulletins may not strictly apply to XP SP2, but Microsoft often includes steps users can take to protect themselves if they're not able to deploy a patch. In the bulletins, that information is tucked under the subhead "Workarounds" beneath the information for each vulnerability.

The workarounds may include steps you can take with XP SP2 to deflect or hinder attacks. Obviously, your mileage may vary.

Microsoft's irregular security advisories -- generally issued as a prelude to an eventual patch -- also contain worthwhile information, including which Windows versions are affected, how attacks (if there are any at that point) are exploiting the bug and whether there are workarounds that can block or help block assaults.

Install Tuesday's patch. One of the four security updates slated for Tuesday applies to Windows XP SP2 -- the one that addresses the vulnerability a Google-employed security researcher revealed last month. You should, of course, grab it.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers, and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.

This story, "How to keep Windows XP SP2 safer after Microsoft stops patching" was originally published by Computerworld.

Copyright © 2010 IDG Communications, Inc.