IRS misses XP deadline, pays Microsoft millions for patches
- 12 April, 2014 05:05
The U.S. Internal Revenue Service (IRS) acknowledged this week that it missed the April 8 cut-off for Windows XP support, and will be paying Microsoft millions for an extra year of security patches.
Microsoft terminated Windows XP support on Tuesday when it shipped the final public patches for the nearly-13-year-old operating system. Without patches for vulnerabilities discovered in the future, XP systems will be at risk from cyber criminals who hijack the machines and plant malware on them.
During an IRS budget hearing Monday before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.) wondered why the agency had not wrapped up its Windows XP-to-Windows 7 move.
"Now we find out that you've been struggling to come up with [US]$30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014," Crenshaw said at the hearing. "I know you probably wish you'd already done that."
According to the IRS, it has approximately 110,000 Windows-powered desktops and notebooks. Of those, 52,000, or about 47%, have been upgraded to Windows 7. The remainder continue to run the aged, now retired, XP.
John Koskinen, the commissioner of the IRS, defended the unfinished migration, saying that his agency had $300 million worth of IT improvements on hold because of budget issues. One of those was the XP-to-7 migration.
"You're exactly right," Koskinen said of Crenshaw's point that everyone had fair warning of XP's retirement. "It's been some time where people knew Windows XP was going to disappear."
But he stressed that the migration had to continue. "Windows XP will no longer be serviced, so we are very concerned if we don't complete that work we're going to have an unstable environment in terms of security," Koskinen said.
According to Crenshaw, the IRS had previously said it would take $30 million out of its enforcement budget to finish the migration.
Part of that $30 million will be payment to Microsoft for what the Redmond, Wash. developer calls "Custom Support," the label for a program that provides patches for critical vulnerabilities in a retired operating system.
Analysts noted earlier this year that Microsoft had dramatically raised prices for Custom Support, which previously had been capped at $200,000 per customer for the first year. Instead, Microsoft negotiates each contract separately, asking for an average of $200 per PC for the first year of Custom Support.
Using that average -- and the number of PCs the IRS admitted were still running XP -- the IRS would pay Microsoft $11.6 million for one year of Custom Support.
The remaining $18.4 million would presumably be used to purchase new PCs to replace the oldest ones running XP. If all 58,000 remaining PCs were swapped for newer devices, the IRS would be spending an average of $317 per system.
The IRS isn't the only government agency that has acknowledged paying for post-retirement XP support. The U.K. government, for example, has paid Microsoft more than 5.5 million (approximately $9.2 million) for Windows XP, Office 2003 and Exchange 2003 patches for the next 12 months.
In a follow-up statement today, the IRS said that its XP problem does not extend to the systems that handle tax filings by individuals and companies.
"None of our filing season systems or other major business operating systems for taxpayers use Windows XP," an IRS spokesperson said Friday. "The IRS emphasizes the situation involving Windows will have no impact on taxpayers, including people filing their tax returns in advance of the April 15 deadline."
In other words, the IRS will not let taxpayers use the XP situation as an excuse not to meet the next Tuesday's filing deadline.
"The IRS ... is working to complete the updates [to Windows 7] by the end of calendar year 2014," the spokesperson added.
The agency, like most businesses and organizations, will face the same situation in less than six years: Microsoft plans to pull the patch plug on Windows 7 in mid-January 2020.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about windows in Computerworld's Windows Topic Center.