Comments
Windows XP Security Issues: Fact Vs. Fiction
jagibbons,
User Rank: Ninja
3/12/2014 | 12:26:40 PM
Healthcare scare?
The dominance of XP in the healthcare and banking industries is worrisome. I know those industries have great security folks working to protect critical data, but there's a real target there. Hopefully, once reality hits, enterprises will find ways to move off XP when they previously thought it wasn't possible or just not a high priority.
danielcawrey,
User Rank: Ninja
3/12/2014 | 1:44:08 PM
Re: Healthcare scare?
I will be glad to see this OS fade from relevance. But it is true, many ATMs and security devices still use Windows XP. That's scary these devices have not innovated on the level that needs to be done. 

My thinking now is: How soon will we hear about a security breach in relation to Microsoft pulling support for Windows XP?
jagibbons,
User Rank: Ninja
3/12/2014 | 3:17:27 PM
Re: Healthcare scare?
Most ATMs do run Windows XP. It's the version for embedded devices which has far fewer security holes to begin with, but that is the predominant operating system. At some point, they will have to be replaced. I don't envy those who will be responsible for the logistics on that. Sadly, all of us who bank or use healthcare will end up paying for the inevitable upgrades.
Laurianne,
User Rank: Author
3/12/2014 | 3:30:07 PM
Re: Healthcare scare?
I also see XP running widely in retail and hospitality settings. Given the current data breach climate for retail, this seems extra worrisome.
IW Pick
Gary_EL,
User Rank: Ninja
3/12/2014 | 6:21:57 PM
Re: Healthcare scare?
This is going to be the calamity that Y2K never was. Why? Because everyone was prepared for Y2K, and responsible people who should know better are burying their heads in the sand this time around. I wonder where the responsibility is going to lie for the catastrophes that will be sure to occur. I plan on having an extra supply of cash, my prescriptions, and ready-to-eat food that doesn't need to be cooked by April 8.

I wonder, would it be legal for another organization to take control of this abandoned operating system, still adequate for those of us who aren't software developers, and supply updates and such?
chasster123,
User Rank: Apprentice
3/13/2014 | 11:52:01 AM
Re: Healthcare scare?
Comparing Y2K to this is Apples and Watermelons.

Much of the Y2K fear was identified by a simple test on PCs by changing the system clock to see how applications would function when dated in the future. Though this was not a 100% test it did weed out some motherboards and indicate that others would work well for years - as they did.

This being the first time of the industry reaching such a Timestamp was heavily publicized.

I am aware of assorted consultants / companies that simply took advantage of the Media Fear that computer life was to end that day.

In fact very few items failed (that moment) and those that did (of all that I've heard) were items like the fuel distribution pump in a transportation yard. There were other issues but the World Did Not End and it will not in April.
TerryB,
User Rank: Ninja
3/13/2014 | 1:12:47 PM
Re: Healthcare scare?
Exactly. Except for a few isolated PC issues, Y2K was about the transition from days where storage (and memory) was so expensive you saved space by storing dates in Julian and two digit year formats. Compounding that, us programmers who thought we were clever learned stupid math tricks in code to do date arithmetic on these dates with 2 digit years. None of that would work after going from 19 to 20 in century. That's why ERP work was at an all time high during late 90's.

This XP thing is all about security, period. Commenters in this forum have done an excellent job discussing the issues. The most at risk XP user will be the non IT savvy home user who mostly browses the internet and gets emails. There will definitely be exploits looking for these people.
CraigHerberg,
User Rank: Strategist
3/17/2014 | 2:14:06 PM
Re: Healthcare scare?
Y2K was a little more complicated than checking PCs' BIOS to see if they would behave on and after January 1, 2000. There were millions of programs, many of which were used to run hospitals, universities, banks, airplanes, etc., coded as if [19]99 were the end of time. Using a two-digit year made good sense in the 1970s, when storage was expensive and the year 2000 was a quarter century away, but it became very tedious and expensive to fix before the turn of the century. Even worse, the practice of using a two-digit year continued well into the 1990s.
jdempsey972,
User Rank: Apprentice
3/13/2014 | 12:55:57 PM
Re: Healthcare scare?
Support for embedded XP ends on 1/12/2016.

http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&qid=&alpha=Windows+XP+Embedded&Filter=FilterNO
moonwatcher,
User Rank: Ninja
3/12/2014 | 12:45:15 PM
Does Microsoft REALLY care?
A quote from the article states, "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks."

Well, if Microsoft REALLY cared about the Internet getting flooded with a bunch of compromised XP machines doing denial of service and other sorts of mischief, they'd offer everyone running XP a nearly FREE upgrade to Windows 7 Home Premium. It isn't like they'd be losing money doing so.

Why Windows 7? Because most XP machines still running could fairly easily run Windows 7, but NOT Windows 8.1 because it requires a motherboard with a BIOS supporting a feature called Data Execution Prevention. Throwing 500 million perfectly good PCs into the landfill ought to be a crime, so giving an upgrade would be a good solution for many of them.

I set my neighbor up on Ubuntu (an easy to use flavor of Linux) and after about 20 minutes of instruction she was good to go. At least she will not have to buy a new PC just to do things she was already doing. Linux is not just for geeks only these days.
Charlie Babcock,
User Rank: Author
3/12/2014 | 5:27:25 PM
How is this going to work out again?
I know many IT organizations have done everything they can do, short of replacing Windows XP machines, but 500 million XP users and we're hoping most of them won't go out on the Internet? The police forces of IT organizations better get a tremendous infusion of manpower.
Somedude8,
User Rank: Ninja
3/12/2014 | 5:27:57 PM
Huh?
"... they probably don't have time to even replace XP systems with virtual machines, let alone migrate their operations to Windows 7."

It's easier to replace systems with VMs than to upgrade the OS? Am I missing something here?
Michael Endler,
User Rank: Author
3/12/2014 | 6:13:37 PM
Re: Huh?
Nope, you're not missing anything; it was just phrased ambiguously. I wasn't trying to convey degree of difficulty but rather degree of XP removal--i.e. keeping it around in virtual environments represents a lesser degree of removal than moving wholesale to Windows 7.
Somedude8,
User Rank: Ninja
3/12/2014 | 6:15:58 PM
Re: Huh?
Ah good deal. I thought maybe I was having a moment there. It's been a day of moments!
Michael Endler,
User Rank: Author
3/12/2014 | 6:41:21 PM
Re: The issue is no one trusts Microsoft
You know, it's interesting; not all XP users are going to upgrade over the next few months, but tens of millions of them will-- and all of that market share has to go somewhere. It could mean Windows 7 gets a boost, but it could shake down some other ways too.

That said, no one I interviewed for this story felt that a major shake-up is in the cards. Mike Silver said consumers are certainly turning away from Windows but that corporate environments are unlikely to experience a major OS shift. Dave Johnson said Mac OS X is gaining market share in the enterprise at around 1% annually, and that both Macs and Chromebooks could receive more enterprise attention after XP goes dark-- but he also didn't feel businesses are about to drop Windows en masse. Apps and services are moving from the OS to the browser and cloud, and both analysts mentioned that trend as significant to the future of Windows, however. Personally, I have no doubt that Windows 7, OS X, Chrome and Linux will all gain share, and I suspect Windows will fall below 90% PC market share-- but beyond that, it's tough to say how quickly bigger changes might unfold.


What do readers think? A lot of those XP licenses are going to get replaced by something. What OS do you see gaining? Are some of you moving to Windows 7 or 8? Jumping to Mac? Shifting to tablets for most things? Sticking with XP?
PaulS681,
User Rank: Ninja
3/12/2014 | 6:56:25 PM
Re: The issue is no one trusts Microsoft
I think there are many people who say they are going to jump to a Mac but do not. Cost is an issue with the Mac. You can still get an entry-level PC for a fraction of the price of a Mac.
Michael Endler,
User Rank: Author
3/12/2014 | 7:00:24 PM
Re: The issue is no one trusts Microsoft
No doubt. Last I'd heard, Apple actually has more market share than anyone else in the $1000+ PC market. But virtually all Apple computers (certainly the ones that sell in greatest volume) fall in that category. Nice machines, but expensive. Given that so many companies say they're sticking with XP due to upgrade costs, I don't imagine many of them are going to jump to Apple.
anon9798589529,
User Rank: Apprentice
3/13/2014 | 9:18:27 AM
Re: The issue is no one trusts Microsoft
Michael,

I am a desktop home PC user, with XP. Do I need to buy a new Win 7 computer, or just ensure that my anti-virus/malware software product is up to date?

 
Michael Endler,
User Rank: Author
3/13/2014 | 3:00:03 PM
Re: The issue is no one trusts Microsoft
It's a calculated risk, but if it were me, I'd probably upgrade; that's what I've been recommending to friends and family.

AV software will help, but it is gonna be more reactive than proactive, so there are no guarantees. Depending on your computer, you might be able to upgrade OSes, rather than purchasing a new machine. As many in this thread have pointed out, your online habits and software needs will dictate what kind of replacement OS (if any) would be most ideal. For web browsing and email, a tablet or Chromebook might be just as good (and likely faster) than an old PC. If you ever do heavier content creation, such as running Photoshop, then it's a different story (though if you're running something like Photoshop, I'd wonder why you haven't embraced a more modern OS already).
anon9798589529,
User Rank: Apprentice
3/13/2014 | 3:17:56 PM
Re: The issue is no one trusts Microsoft
Michael,

Thank you VERY MUCH for your prompt reply & recommendation.
ShadyBuffalo64,
User Rank: Apprentice
3/14/2014 | 12:04:47 PM
Re: The issue is no one trusts Microsoft
There are a couple of options. The best is a new PC running Windows 7. There are plenty around; HP is actively selling new machines with Windows 7. (https://shopping.hp.com/desktops%20&%20all-in-ones/windows+7)

If it's out of your budget, you can consider going to Linux, take a look at this - http://www.pcworld.com/article/2107641/3-easy-linux-alternatives-for-windows-xp-refugees-who-dont-want-a-new-pc.html

Staying on XP will be like driving without a seatbelt, it's only a matter of time before something BAD is going to happen.
AlR157,
User Rank: Apprentice
3/13/2014 | 1:04:50 PM
Re: The issue is no one trusts Microsoft
Not well disclosed (since there's no attached revenue stream except for virus folk):

~90% of malware is hosted on XP

~90% of XP machines are in China

~90% of Chinese software, including OSs like XP, is pirated (not patchable under MS policy hence first bullet)

No one is screaming about Apple dropping support for Lion after four years with no notice. Why all the teeth gnashing over XP? Anyone with any security chops has been saying XP is overdue for replacement for years.

Nothing to see here; move on.
IW Pick
PaulS681,
User Rank: Ninja
3/12/2014 | 6:51:56 PM
XP.. Is it Safe?
I have been asked that a few times this week. People think they have to upgrade, that what they are using isn't safe. If your definition of not being safe is running an OS that isn't being patched then yes. When I think of not being safe I think of sitting in the middle of a busy road or texting while driving... things that will harm you physically.

If you just use your computer for email and web browsing with some office apps mixed in and run anti virus I think you can rest comfortably. You don't need to run out and upgrade to 7.

If you are a business and those XP machines will not touch the internet then you're OK. If they do then you better at least have a plan to upgrade. Those machines will be security holes in your network.
mak63,
User Rank: Ninja
3/13/2014 | 3:16:06 AM
Can Microsoft come up on top?
If so many important systems still running XP, (ATMs, healthcare, electric/gas utilities, etc) will be at risk after April, can Microsoft offer an almost free upgrade to Windows 7 Home Premium, and show that they care what happens after the end of the support?

(As moonwatcher correctly pointed out, many XP machines can't run Windows 8)

Another point. "Silver told us many late-comers are removing admin rights, restricting permissions, and otherwise locking down any XP systems that can't be retired."
Shouldn't businesses, corporations, industries, etc. have done that a long time ago, regardless of the end of XP's support? No wonder so many systems get hacked.
ianmacdonald,
User Rank: Apprentice
3/13/2014 | 5:59:54 AM
Probably not as serious as is made out.
The main security concerns on all Windows versions are those of users being duped into installing rogue software such as fake patches, browser plugins or antivirus programs, and of browser plugins such as Flash or Acrobat which have security holes.

To mitigate the former, bar ordinary users from installing software by making them limited users, or by way of a software restriction policy. 

http://sourceforge.net/projects/softwarepolicy/ may be of help here.

As for browser plugins, remove those which are not actually needed to minimise the attack surface. In reality, only the Flash Player plugin is needed on most computers; the rest can be disabled or removed (including Acrobat/Adobe, surprisingly). If Sun/Oracle Java is installed, remove that too since it is often used as a secondary attack vector for browser plugin vulns. And no, virtually no webpages use Java these days. Java and Javascript are entirely different.

If remaining on XP you should strongly discourage the use of Internet Explorer, as that will no longer be patched. Install Firefox or an alternative, which is supported by its vendor. 
jagibbons,
User Rank: Ninja
3/13/2014 | 8:05:15 AM
Re: Probably not as serious as is made out.
Excellent suggestions. I would add a disclaimer on Java though. Many educational LMS and e-learning sites still rely heavily on Java to deliver content to students. That may be a limited-case reason to use it, but make sure it's updating regularly on its own.
SaneIT,
User Rank: Ninja
3/14/2014 | 8:57:40 AM
Re: Probably not as serious as is made out.
@ianmacdonald

This is great advice. I have in-laws who still use a Windows 2K desktop; they absolutely refuse to upgrade because it still does what they need it to. Years ago I locked it down as tightly as I could to prevent any attacks because they are far from computer savvy. That desktop is going on 14 years old and still humming along. The only issues they ever have are the occasional lost password for email or an issue with their ISP. If it is a very lightly used XP box and you can lock it down then you can be reasonably safe.

 
Michael Endler,
User Rank: Author
3/17/2014 | 3:35:58 PM
Re: Probably not as serious as is made out.
I don't doubt that someone who knows what she/he is doing can safely lock down an aging machine. But isn't there some presumption here that user patterns will never change? Some people don't want to upgrade because their current computer meets their current needs. As long as those needs don't change and precautions are taken, perhaps these people can get away without upgrading. But "needs," including the need to be protected while computing, involve a lot of gray areas, especially as more and more essential activities move to the browser. Tech savvy Windows XP holdouts might recognize that seemingly slight changes in behavior present larger changes in malware risks. But tech savvy people aren't the only ones using computers. Some people who say "Windows XP is good enough for me" undeniably have a valid point. But I'm not so sure about others.
chasster123,
User Rank: Apprentice
3/13/2014 | 11:44:44 AM
XP - where it can continue in use
Not every application requires Internet access.

Not every user needs or is allowed access to the Internet or online email.

Some of where I know this is the case include the following.

Accounting firms, Doctors' offices, assorted SMBs, schools, children of assorted families, etc.

For these systems the exposure / risk is minimal.

If data files are not moved to these systems, or at minimum receive very high AV attention, the risk is low to their becoming infected.

It is the SAFE thing to say - replace and pay more money and seek the mythical guarantee of being secure (era, Phishing email, Trojans, etc.)

Should it be openly scrubbed from the planet - NO.

Should the user have a good understanding of their environment and use before continuing to use XP - YES.
ShadyBuffalo64,
User Rank: Apprentice
3/14/2014 | 11:57:38 AM
Linux could be a great option
For many, the cost of a new PC and near vertical learning curve of Windows 8 is a major issue. However I have tried a number of Linux distros and I have to say that they are definitely a good option. The setup process is a bit challenging and you need to know that Windows applications won't run, but there are numerous replacements that are just as good and often better. For most, Libre Office and Linux versions of software will do just fine.

Here are some alternatives :

http://www.pcworld.com/article/2107641/3-easy-linux-alternatives-for-windows-xp-refugees-who-dont-want-a-new-pc.html


My personal favorite distro is Mint Linux because it's the closest to the Windows style UI.

http://www.linuxmint.com/
Michael Endler,
User Rank: Author
3/17/2014 | 3:26:33 PM
Re: Linux could be a great option
Thanks for the Linux resources, but I don't think I can agree that Windows 8.1 imposes a "near vertical learning curve," especially if the alternative is jumping from XP to Linux. Windows 8.1 can be baffling to a first-time user, but I think 15 minutes of guided training is probably enough for most people to get the general idea, and to learn how to tweak settings to their preferences. That's not to say that Windows 8.1 doesn't include some silly/stubborn UI elements-- it does. But while the "learning curve" talking point isn't irrelevant, I think it's become a bit mythologized. Whether people like using the OS is a different (albeit related) factor than whether people can learn how it works. For at least some IW commenters, the former issue seems to be as big or bigger than the latter.
IW Pick
robzilla,
User Rank: Strategist
3/14/2014 | 5:53:50 PM
14 years of support not enough?
I do not understand how people could not have taken action to switch operating systems. If you only use XP for email and browsing then a couple hundred dollars will get you a laptop or tablet that will run so much better. To complain about support ending is unbelievable in my opinion. What other OS has ever been supported for so long? Just bite the bullet and switch. Also Windows 8 is not nearly as bad as all the people are complaining about. Windows 7 is a great desktop OS but it is a resource hog and slow to boot up compared to Win 8. I am not a Windows lover either but I give credit where it is due and Windows 8 is really awesome on the right device. If you really can't get a new tablet or PC then Linux is the best alternative you have. It just won't run too well on 512mb of RAM. Modern Linux has evolved and it needs modern hardware. I really see no option for people other than getting a new device unless it is some business setting and using special software and even then there should be some alternative.
IW Pick
IMjustinkern,
User Rank: Strategist
3/17/2014 | 4:02:28 PM
on the menu at Milwaukee Vietnamese restaurant ...
... the restaurant I went to this weekend was running their reservations & sales on XP. I asked the bartender/owner if he knew anything about the end of life. He didn't, laughed, and said "we're probably too busy to care." After, he said he'd have his IT guy look at it. Just an anecdote, but certainly worth remembering that not everyone has expiring tech anywhere close to the top of their concerns.

P.S. And no, just because it was a Vietnamese restaurant in Milwaukee doesn't mean brats were on the menu. The High Life and donuts, however, were delicious with the pho. 
Michael Endler,
User Rank: Author
3/17/2014 | 4:16:50 PM
Re: on the menu at Milwaukee Vietnamese restaurant ...
Thanks for sharing the story. I'm sure others are in the same boat. Personally, I've run into several people who were running XP and unaware of the impending support termination deadline.
boardhead,
User Rank: Apprentice
4/7/2014 | 6:43:56 PM
Cloud printing
Michael,

I've replaced my XP pc with a Chromebook for internet use. However I don't have a cloud based printer and can't print directly from Chromebook so my pc must be on and connected to the printer. Am I at risk if the pc is connected to wifi to receive print but not connected to the internet?

