How to keep Windows XP SP2 safer after Microsoft stops patching

Patches for the venerable service pack end Tuesday, but you can help protect your PC until you get SP3

Maybe you didn't get the memo: Tomorrow marks the end of patches for Windows XP Service Pack 2 (SP2).

And you're still running the nearly-six-year-old edition.

But XP SP2 won't shudder to a stop. Although Tuesday marks the support retirement of the service pack -- a date that some have called a "red alert" for people running SP2 -- that doesn't mean your copy of Windows will suddenly refuse to run.

It does mean that, after tomorrow, Microsoft will not offer any security patches, no matter how severe the vulnerability, no matter what part of Windows or associated component is involved. No more Windows patches -- and no more patches for Internet Explorer (IE), no patches for Windows Media Player, no patches for Outlook Express.

You can, of course, sidestep the whole problem by upgrading to Windows XP SP3, which will be supported until April 2014: Microsoft has posted a page that explains how to do that. (Note: Because there is no SP3 for the 64-bit version of Windows XP, you'll continue to receive security updates if you're running SP2 of that edition.)

Among your options: Download and install SP3 via Windows Update, download a disk image for upgrading multiple machines or order an SP3 CD for US$3.99.

In fact, you actually have four weeks to upgrade to SP3 before Microsoft releases the next likely XP patch on Aug. 10. There's little chance that Microsoft will issue an "out-of-band" emergency update before then.

But if you're committed to SP2, for whatever reason, and have no intention of upgrading anytime soon, there are steps you can take to make your PC more secure and your time on the Internet safer.

Dump Internet Explorer. After Tuesday, Microsoft won't be providing IE patches of any kind, for any version -- IE6, IE7 or even 2009's IE8 -- to people running Windows XP SP2.

But other browser makers aren't halting updates for their wares. Mozilla, Google, Apple and Opera will be shipping fixes for Windows XP versions of their Firefox, Chrome, Safari and Opera browsers for the foreseeable future.

More than a year ago, Mozilla debated whether to drop support for older editions of Windows, including Windows 2000 and Windows XP SP2. But the company decided against the move.

According to the system requirements for Firefox 4 Beta 1, the preview Mozilla released last week, the browser runs not only on Windows XP, but also Windows 2000. (Mozilla's system requirements link for Firefox 4 currently takes you to the page for version 3.6.6, leading us to believe that the requirements will remain the same for Firefox 4, which is slated to ship in November 2010.)

And because Mozilla's policy is to continue supporting a browser with security updates for at least six months after the launch of its successor, moving to Firefox 4 down the road means that if the company ships Firefox 5, or whatever the next edition is called, a year later -- in November 2011 -- patches for it will be produced through May 2012 or later.

It's important to keep a browser up-to-date on patches because hackers continue to exploit browser vulnerabilities, particularly those in IE. They focus on IE bugs for a simple reason: Every Windows machine has it, and Microsoft's browser continues to be used by more people than any other.

Ironically, you may actually improve the security of your Windows XP SP2 machine if you dump IE.

Patch third-party programs, especially browser plug-ins. According to most vulnerability experts, it's not your operating system that today's attackers target: It's non-Microsoft software, particularly browser plug-ins.

Antivirus vendors McAfee and Symantec have both reported huge surges in attacks exploiting bugs in Adobe's Reader, one of the most widely-installed plug-ins. McAfee, for example, said that exploits of Reader jumped 65% in the first quarter of 2010 compared to 2009's total.

Those kinds of numbers mean you should be spending more time patching third-party products and less time worrying about the inevitable vulnerabilities in Windows XP SP2 that Microsoft will no longer fix.

But that's tough: Most non-Microsoft software lacks automatic updating. Adobe, for instance, only instituted auto-updating for its regularly-exploited Reader and Acrobat in April -- and requires users to manually switch it on -- but it still hasn't offered the same functionality for its just-as-often-attacked Flash Player plug-in.

Stay safer. Without patches for the operating system, it's more important than ever to practice safe computing.

  • Install antivirus software or a multi-component security suite if you don't have one on the PC already. If you do, keep it up to date by regularly downloading new signatures. Several AV programs, including Microsoft's own Security Essentials, are free.
  • Also, keep the firewall turned on -- easily done since Windows XP SP2 was the first Microsoft OS that not only included a firewall, but enabled it by default.
  • And remember the wisest advice: Don't steer to sites you're not sure can be trusted, don't open e-mails and attachments you didn't expect to receive, and don't download software from questionable sources.

We know, we know: It's the same advice you've heard a hundred times.

Keep reading Microsoft's security bulletins. Just because your copy of Windows XP SP2 won't receive any more updates doesn't mean you should stop looking at the bulletins Microsoft publishes each Patch Tuesday.

Those bulletins may not strictly apply to XP SP2, but Microsoft often includes steps users can take to protect themselves if they're not able to deploy a patch. In the bulletins, that information is tucked under the subhead "Workarounds" beneath the information for each vulnerability.

The workarounds may include steps you can take with XP SP2 to deflect or hinder attacks. Obviously, your mileage may vary.

Microsoft's irregular security advisories -- generally issued as a prelude to an eventual patch -- also contain worthwhile information, including which Windows versions are affected, how attacks (if there are any at that point) are exploiting the bug and whether there are workarounds that can block or help block assaults.

Install Tuesday's patch. One of the four security updates slated for Tuesday applies to Windows XP SP2 -- the one that addresses the vulnerability a Google-employed security researcher revealed last month. You should, of course, grab it.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.
