IRS admits it will pay "millions" to Microsoft for extra Windows XP support

Windows XP got its latest, and last, software updates from Microsoft earlier this week, but the 12-year-old operating system is still installed and being used on millions of PCs. This week, the U.S. Internal Revenue Service admitted it will have to pay "millions" to Microsoft in order to keep getting support for the many Windows XP computers it continues to use.

Computerworld reports that, during a budget hearing Monday before the U.S. House Financial Services and General Government subcommittee, IRS commissioner John Koskinen said that the agency will take $30 million out of its enforcement budget to finish the migration of its PCs from Windows XP to Windows 7. Part of that money will go to Microsoft so it can offer its "custom support" for XP PCs for another year.

There are about 110,000 PCs that are used by the IRS and about 53 percent of them still run on Windows XP, with the rest running on Windows 7. Koskinen told the committee that the agency had $300 million worth of IT improvements that still need to be done, including the Windows XP upgrades. The work is expected to be completed by the end of 2014.

Of course, the IRS is getting ready for the annual ritual of April 15th, the deadline for U.S. citizens to turn in their federal taxes. In a statement, the agency said none of its PCs that handle tax filing are using Windows XP, so taxpayers can't use that as an excuse to not file their return before the end of the day on Tuesday.

Source: Computerworld

77 Comments

The OS isn't the problem guys, it's the software designed to run on it. Many businesses have machines that run XP but the software that runs on the OS just isn't getting or will ever get upgraded by the manufacturer. Example: I worked for a company that had a $300,000 press machine that ran on Windows XP and you can bet 3X the value that it won't be upgraded but it must be supported till they will replace the machine cause of the software that runs the thing. The software on it and like so many other machines (ATMs anyone??) just won't run on other OS's or the companies won't support it for testing on another OS.

At least with this money going to m$ at least we know where it's going instead of going to some senator or corporate lobbyist.

blade1269 said,
At least with this money going to m$ at least we know where it's going instead of going to some senator or corporate lobbyist.

"m$"? Really?

Is m$ part of a reference to a cell in column M on your Excel worksheet? You'll need to supply a row number to go with that.

I guess the frustrating part out of all of this is Windows 7 has been out since when, beginning of 2009? And we couldn't have slowly migrated over? Who is in charge of these decisions? I mean we all knew this was coming.

For the people saying your tax dollars cover this: I would have to say that you are mistaken. Tax dollars can't even cover the interest on the national debt. Everything that government organizations do is on borrowed money.

For the people saying to move to Linux. I'll have to guess that you aren't in the IT field. How does Linux integrate with active directory? I don't think it does. This is a major factor when you are managing over 100,000 workstations. How can you make sure 100,000 Linux workstations all have the correct security updates applied and the correct domain policies are applied? What about the software we use that was written for Windows? It's easy to say move to Linux, but not likely to happen.

It's better to switch to Linux or any open source OS rather than stick to XP. XP has become vulnerable to the extreme. It's dead, literally.

bodmas said,
It's better to switch to Linux or any open source OS rather than stick to XP. XP has become vulnerable to the extreme. It's dead, literally.

As we've just seen these past few days, Linux isn't as secure as you or others think. The OpenSSL problem has been around for 2 years, I thought the whole bonus to OSS is the old argument that "more eyes on the code means it's more secure". So I guess the guys looking at the OpenSSL code were blind?

Others can't/haven't moved yet from XP because their internal home made apps that they use each day don't support anything newer. They'll have to port/re-write them or something to that extent which takes time but also takes money too. The IRS will move off of XP but it could be a year from now or two, who knows?

I agree. If you're going Linux over security concerns, you're just going out of the frying pan and into the fire.

The OpenSSL "heartbleed" is proof of that, it's a bigger problem than most people realize.

Seketh said,
I agree. If you're going Linux over security concerns, you're just going out of the frying pan and into the fire.

The OpenSSL "heartbleed" is proof of that, it's a bigger problem than most people realize.


Guys, you took me wrong. I never said to move to Linux or to any open sus, but my comment was meant to leave the XP as it becomes as weak OS as Linux and other Open Sus. Further, I meant why to pay for XP when you get same weak/strong OS like Linux etc.

Seketh said,
I agree. If you're going Linux over security concerns, you're just going out of the frying pan and into the fire.

The OpenSSL "heartbleed" is proof of that, it's a bigger problem than most people realize.


The OpenSSL "heartbleed" is fixed and the fix is available to everyone for free.

Going from security problems not being fixed to security problems being fixed is not "going out of the frying pan and into the fire".

Beaux said,
The OpenSSL "heartbleed" is fixed and the fix is available to everyone for free.
TANSTAAFL. The resources required for updating all the affected software, generating new public-private key pairs, destroying all session cookies, blanking all passwords, informing all users and so on is hardly available for "free". And how about the estimated half a million certificates needing to be revoked and reissued? You think the CAs are feeling particularly generous all of a sudden? What about all the non-upgradable embedded systems that use OpenSSL as mentioned by Bruce Schneier and others? How much do you think it'll cost to dump all of them and buy replacements, assuming of course that in every case the replacements will be of the drop-in variety not requiring any other expenditure at all?

Romero said,
TANSTAAFL.
You're trying to change the subject. The comment was about a comparison between 2 things. Everything you're saying applies to both sides of the comparison, so it's irrelevant.

Beaux said,
You're trying to change the subject.
No, everything I wrote about how "free" the fix is is relevant to whatever I quoted and only what I quoted, period. You guys fighting over open vs. closed source is not my concern here and you can go on with your ridiculous argument for all I care.

Romero said,
No, everything I wrote about how "free" the fix is is relevant to whatever I quoted
Everything you wrote is not relevant to anything. It has no useful point and doesn't make any difference in the real world.

Beaux said,
It has no useful point and doesn't make any difference in the real world.
Only someone who hasn't had to deal with the fallout of this bug and spent good money to get multiple servers fixed and working properly can make such an ignorant statement.

Romero said,
Only someone who hasn't had to deal with the fallout of this bug and spent good money to get multiple servers fixed and working properly can make such an ignorant statement.
That statement has nothing to do with the bug. Nothing you're talking about has anything to do with the bug. Everything you're talking about is irrelevant to anything in the previous discussion.

You seem to lack basic reading comprehension skills. I quoted you saying the fix is free, and elaborated on how in the real world it's hardly free when you factor in all the things you need to do to secure your servers and systems again. The rest of the discussion about open vs. closed source was entirely separate and I did not refer to it at any point, so your objections are ridiculous. Everything I said was pertinent to the bit I quoted, nothing else. Just because it's irrelevant to the rest of your argument doesn't mean it's irrelevant to everything you said. How hard is that to understand, really?

Romero said,
Everything I said was pertinent to the bit I quoted
It was not pertinent at all. NONE of it was. How hard is that to understand, really?

Beaux said,
It was not pertinent at all. NONE of it was. How hard is that to understand, really?
You can go on repeating this ad nauseam, doesn't make it true in the least. Comprehension 101 fail.

Romero said,
You can go on repeating this ad nauseam, doesn't make it true in the least. Comprehension 101 fail.
You can go on repeating that it was pertinent ad nauseam, doesn't make it true in the least. Comprehension 101 fail.

Romero said,
Lol, devolving into childish repetition now because you have nothing better to say? How old are you anyway? :rofl:
I was pointing out how you have nothing better to say. If you think it's pertinent, you could try explaining how it's pertinent, but instead you just go with the childish "YOU'RE WRONG! FAIL!"

I explained, more than once, how it's pertinent to what I quoted, but if you cannot understand this very simple thing then what else is there to suggest other than basic comprehension failure? No other conclusion can be reached given the evidence above.

Romero said,
I explained, more than once, how it's pertinent to what I quoted, but if you cannot understand this very simple thing then what else is there to suggest other than basic comprehension failure? No other conclusion can be reached given the evidence above.
That's just as childish. "If you don't understand then you just fail. NA! NA! NA!" You don't think you're being childish?

Just because you observe people spending billions or trillions of dollars to implement the fix doesn't mean the fix isn't available to anyone for free. It still stands that the fix is available to anyone for free.

All I'm saying is that just that one patched OpenSSL version being available for free means nothing at all in the real world where this damn bug has cost me and thousands of others probably millions (or billions as you said) of dollars in total to fix. I'm pi**ed at the number of sleepless nights I've spent over this and I know first-hand that one can't just wave their hands and say, "oh the fix for this is free and quite simple". If only it were but NO it isn't. I already mentioned the embedded systems, and what about all the damn software where the OpenSSL libs were statically compiled? You think updates for all those are automatic, simple and free too? That's as far as my commentary on this went, except you went off on a tangent about it not being relevant to the rest of your discussion and other such nonsense. Honestly, I don't see what would lead anyone to make such a big deal out of this and throw tantrums like you are doing.

Romero said,
All I'm saying is that just that one patched OpenSSL version being available for free means nothing at all in the real world where this damn bug has cost me and thousands of others probably millions (or billions as you said) of dollars in total to fix. I'm pi**ed at the number of sleepless nights I've spent over this and I know first-hand that one can't just wave their hands and say, "oh the fix for this is free and quite simple". If only it were but NO it isn't. I already mentioned the embedded systems, and what about all the damn software where the OpenSSL libs were statically compiled? You think updates for all those are automatic, simple and free too? That's as far as my commentary on this went, except you went off on a tangent about it not being relevant to the rest of your discussion and other such nonsense. Honestly, I don't see what would lead anyone to make such a big deal out of this and throw tantrums like you are doing.
Could you make your strawman any more obvious? Did you think no one would notice that little "and quite simple" you added on to that sentence? No one said it was simple. You're arguing against nothing. That's why what you're saying is irrelevant. You're throwing tantrums and arguing that it's not simple when no one is even saying that it is simple.

And now you're deflecting from the main point I made, which is that all said and done fixing this issue is not free either even if the standalone patch for OpenSSL is. More nonsense and at this point deliberate refusal to acknowledge the truth (unless you're truly ignorant of the costs involved).

Romero said,
And now you're deflecting from the main point I made, which is that all said and done fixing this issue is not free either even if the standalone patch for OpenSSL is. More nonsense and at this point deliberate refusal to acknowledge the truth (unless you're truly ignorant of the costs involved).
The "main point you made" is irrelevant. You're trying to argue something that no one is arguing against. That's what irrelevant means.

Like I said, you can go on repeating this ad nauseam all you want but just because you can't figure out something so simple and term it irrelevant doesn't magically make it so. Also, you seem to be ignorant of the fact that not all comments need necessarily constitute an argument against all that's been stated earlier. It can just be, gasp, commentary on something but clearly this concept is beyond your grasp and you just like nitpicking and arguing endlessly for the sake of doing so.

Edited by Romero, Apr 17 2014, 9:19pm :

Romero said,
Like I said, you can go on repeating this ad nauseam all you want but just because you can't figure it out and term it irrelevant doesn't magically make it so.
And now you go back to your childish rhetoric...

The IRS is pretty stupid IMO. Microsoft ended support for a more than decade old system for a reason. This not only protects users and gets them up to date, but also helps itself, developers and businesses innovate further with more modern systems.

The IRS could have used those 'millions of dollars' on upgrading their systems to Windows 8.1 or 7, which probably wouldn't even need any hardware upgrades and wouldn't have cost that much anyway. Especially with all the transition discounts Microsoft was offering, especially for businesses and governments. Gosh the IRS is dumb.

j2006 said,
The IRS is pretty stupid IMO. Microsoft ended support for a more than decade old system for a reason. This not only protects users and gets them up to date, but also helps itself, developers and businesses innovate further with more modern systems.

The IRS could have used those 'millions of dollars' on upgrading their systems to Windows 8.1 or 7, which probably wouldn't even need any hardware upgrades and wouldn't have cost that much anyway. Especially with all the transition discounts Microsoft was offering, especially for businesses and governments. Gosh the IRS is dumb.


Well, it's not THEIR money, so what do they care? LOL

I agree, there's no excuse, but there's no onus on them to do anything faster, cheaper, or responsibly...

Cocoliso said,
What does this extra support mean? What type of support does it provide?

Security fixes. Their own private Patch Tuesday for XP past April 2014.

Cocoliso said,
What does this extra support mean? What type of support does it provide?
What was said above, plus should there be any issues they get to call MS, and MS will make a fix for them. In short these companies/organizations are hiring MS to keep the OS running smoothly and securely.

If some 70 year old doesn't want to change because Windows 7 looks different that's one thing, let them be idiots, but now it's my tax money that's being wasted on this crap.

Umm... when you're a government agency dealing with sensitive consumer and business financial information... "might not be the most secure" and "it just works!" does not make sense... or in this cents!

warwagon said,
Makes sense. Might not be the most secure.. But for 99% of what the average user needs...It just works!

In my defense I clicked a Facebook link which for whatever reason has a totally different article title than what is published on Neowin.

If it's just a terminal that is not connected to the internet then fine. It's not like their server is powered by Windows XP.

j2006 said,
Umm... when you're a government agency dealing with sensitive consumer and business financial information... "might not be the most secure" and "it just works!" does not make sense... or in this cents!

what's with all this bull that "if you're a government agency or some company there is sensitive consumer and business financial information... bla bla bla"


if a person has at least some experience combined with knowledge, he can use windows xp ten years from now and he won't have a single virus

it should be upgraded and an antivirus should be installed, because many people can't do a thing with computers and they will break it

garou_heki said,
if a person has at least some experience combined with knowledge, he can use windows xp ten years from now and he won't have a single virus
Forget the fact that even experienced pros can have machines fall prey to zero-days, do you honestly think the average pencil pusher in a government department has this requisite knowledge you're talking about? lol :rofl:

Nashy said,
There is no excuse for this incompetence from government IT departments.

The fact that it's the government isn't enough? LOL

The difference between public and private companies is that many private companies don't even bother to buy extended support. They just don't give a crap.

Seketh said,
The difference between public and private companies is that many private companies don't even bother to buy extended support. They just don't give a crap.

Who are some that are not paying for extended support?

My company, for example, a private European hospital. You wouldn't believe the amount of sensitive data that could be easily seen or manipulated by someone who has experience in hacking XP systems.

E.T.A. for upgrade? None. IT is literally just now upgrading Pentium 4 machines to Core i3 PCs.... still loading them with Windows XP. It's madness.

Nashy said,
There is no excuse for this incompetence from government IT departments.
IT Departments don't just get to do what they want. If there's no budget given to them to upgrade the OS/Hardware, it's not gonna happen.

As the article said, they are taking this money out of ENFORCEMENT.. that means that they have never been given the budget to do the needed upgrades in the first place, and are having to shuffle money around now cause it's too late.

If they are, it's not because they use XP, as the bug is not in SSL, but rather a specific implementation (OpenSSL)

As a point of note, the CRA (Canada's version of the IRS) was affected by Heartbleed.

ViperAFK said,
Windows does not use OpenSSL

Windows itself does not, but third party software can. Got a couple Server machines here running Apache with OpenSSL for example.. but yea your standard desktop doesn't (usually) need to worry about it.

Kelxin said,

Actually, Windows and Windows servers can both make use of OpenSSL.

http://slproweb.com/products/Win32OpenSSL.html

And my point was, if they haven't even taken the time to update something they knew was coming for years, think they updated something they just found out about?

I'm aware applications can make use of OpenSSL and that one can configure Windows Server to do so. I'm just saying that XP itself does not use OpenSSL, so the Windows version is somewhat irrelevant; what's relevant is whether the software the IRS is running on top of XP uses OpenSSL, and if so, whether they have patched those applications.

_Alexander said,
I love how companies think that upgrading to an OS that will go into extended support in a year is a good idea

same here, it's crazy!

_Alexander said,
I love how companies think that upgrading to an OS that will go into extended support in a year is a good idea
Windows 7 is likely going to be the new XP, that is, it will be the staple OS for business for many years, and MS will continue to support it, despite Windows 8 or 9.. Also, upgrading to 7 saves companies a LOT of money on retraining pencil pushers in how to use it, and in having to re-write their training manuals to exclude things like "Click Start and.."
It really does add up.

Hussam Al-tayeb said,
It is cheaper than using your tax money to buy thousands of new computers that are fast enough to run more recent versions of windows.

Okay, and in 5 years (or whatever) they don't have to replace those systems too?

And in the mean time paying millions for extended XP support.
The upgrade costs are not gone and still there, just extended to a later time.

The kind of deal MS had with big corporations was like this: Let us assume you have 5000 computers. You bought a VLK for windows XP in 2001/2002. In addition, you paid 50 dollars per computer per year to MS. In exchange for that 50 dollars, MS promised you will get the new windows for cheaper and that they will support you till you upgrade. You missed out on Vista, then windows 7 and kept paying that 50 dollars per computer per year.
Windows 8 came out and it is much cheaper than older versions of Windows. Corporations realized that paying that extra 50 dollars for nothing was starting to look like a dumb idea. Why would I pay extra 50 dollars to get a discount on an already cheaper product?
Therefore, Microsoft has no more reason to keep extending Windows XP support and they went ahead and stopped support.
Now that windows XP support is over, corporations no longer "can"/"have to" pay 50 dollars per year per computer for the cheaper upgrade path.
Microsoft realized that they will lose out on this "extra money" so they came up with a paid extra support for windows XP. It is the only remaining way to make money off windows XP for them.
The good thing is that only governments are going to follow the new system because it is going to cost much and it is only feasible since they probably have thousands and thousands of computers. It averages out as a small increase only over what they were already paying Microsoft.

Edited by Hussam Al-tayeb, Apr 12 2014, 1:26pm :

Shadowzz said,

Okay, and in 5 years (or whatever) they don't have to replace those systems too?

And in the mean time paying millions for extended XP support.
The upgrade costs are not gone and still there, just extended to a later time.

I think his point is more along the lines of trying to buy it all NOW because of the deadline is more expensive than spreading it out over a year or two.

End of the day, clearly there was no budget for it in the first place, as the article says they are taking the money out of Enforcement to do it.. Which means that they were never given the money to do it properly in the first place..

Ryoken said,

I think his point is more along the lines of trying to buy it all NOW because of the deadline is more expensive than spreading it out over a year or two.

End of the day, clearly there was no budget for it in the first place, as the article says they are taking the money out of Enforcement to do it.. Which means that they were never given the money to do it properly in the first place..

Yes because MS made NO announcements regarding XP's EOL. NONE right?

Didn't we know years ago when the date would be?

timster said,
your tax dollars, hard at work!
It sounds bad, I know.. but then again, upgrading all those computers, OS's, and the staff that uses them, would cost a LOT more.. Really it sounds worse than it is.

That, and if they tried to do this earlier the House/Senate would read that as they clearly don't need the money anyway and make cuts.. I mean even NOW they are taking the money out of Enforcement, to do it..

Ryoken said,
then again, upgrading all those computers, OS's, and the staff that uses them, would cost a LOT more.
And it is going to cost a LOT LOT more the longer it is delayed.