The Windows XP Rundown is Really About Security

Tuesday, March 18, 2014

Praveen Manohar

37c1b0270687e8148e56508e805f8b8e

April 8 is quickly approaching, which as we know means the end of support for Windows XP SP3. Why does anyone care? Well, according to Netmarketshare, Windows XP users still make up approximately 29 percent of the desktop operating system (OS) market. So, with just a few weeks left before the big day, now is an appropriate time to discuss the implications of the end of XP support and explore what the rundown is really all about: security.  

For the 29 percent remaining on XP, there are various factors that have stalled their move away from the OS, including: migration with no downtime, lack of budget and lack of expertise and resources. So, where does security fit in?

From an antimalware standpoint, the OS itself is actually quite secure—and could continue to be so—because Microsoft will regularly release updates to antimalware signatures for Windows XP through July 14, 2015. What’s more, users will receive adequate support from external antivirus and firewall vendors who have already confirmed they will continue to support Windows XP after April 8. These third-party sources help detect threats, block attacks and cleanup infections, but the question remains: for how long?

According to a survey conducted by AV-Test.org, most third-party sources will support XP at least for another year, with other large security vendors stating their support will continue further into the future, even as far as 2019.  

So, to uncover the real security issues with the XP rundown, we need to consider application vulnerabilities. These days, malicious attacks typically go after application vulnerabilities versus direct attacks on remote services, and common application targets include Web browsers, WordPress, OpenX, document readers, Lotus Notes and SharePoint. With Web browsers in particular, which interact the most with the Internet, attackers prey on vulnerabilities and use the application to steal data, take control of computers, destroy documents and much more. And specific browser features are more prone to attack, such as ActiveX, Plug-ins, VBScript and JavaScript.

Windows XP systems cannot upgrade to versions of Internet Explorer (IE) beyond IE8. There have been many vulnerabilities in IE8 that have been patched to date, but moving forward Microsoft will not continue the vulnerability patching process for it. As a result, hackers will surely exploit vulnerabilities and cause great harm to IE8 users operating on XP. So, users sticking with XP should ditch IE for an alternate browser, such as Google Chrome or Mozilla Firefox. However, even this will not provide the safety needed moving forward as most of these browsers have their source code available for anyone to scrutinize, making it easy for hackers to do their homework. Also, these third-party browser vendors will eventually stop supporting XP as well—likely within the next year. For example, Google announced extended support for Chrome on XP ends in April 2015. After that, users who have gone that route are back to square one.

Something that has caused even greater panic than the dangers to end user machines is the fact that 95 percent of ATMs use Windows XP. That said, the good news is that most ATMs use Windows XP Embedded (XPe)—the componentized version of the Windows XP Professional Edition. This version has limited components that are chosen by the user, which does help reduce the risk exposure.

Furthermore, support for Windows XPe will continue until January 12, 2016. So, ATMs should remain relatively safe until then and are covered as far as compliance and protection standards. Some smart financial institutions, like U.S. Bank, have already started the migration from the old OS and others would be wise to do the same. The situation is no different forpoint-of-sale (POS) device operators, which mostly run on Windows XPe, who should also plan their migration before support for Windows XPe ends.

With the real security implications of the XP rundown defined, let this serve as a wakeup call for those still running XP on their systems. The era is coming to an end. It’s time to switch to the latest OS and get ready to live in a world without Windows XP. If they don’t, the consequences from a security perspective will likely be significant.

About the Author: Praveen Manohar is a Head Geek at SolarWinds, a global IT management software provider based in Austin, Texas. He has nearly a decade of IT industry experience in roles such as support engineer, product trainer and technical consultant. His expertise lies in technologies including NetFlow, Flexible NetFlow, Cisco NBAR, Cisco IPSLA, WMI and SNMP. IN his role as Head Geek, Praveen gives strategic guidance for end users on applications, networks and performance monitoring.

Possibly Related Articles:
19225
Operating Systems Enterprise Security CVE Vulnerabilities
Information Security Software
Support Security Windows XP end of life
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.