Windows XP Security Issues: Fact Vs. Fiction - InformationWeek
Software // Operating Systems | News | 3/12/2014 09:50 AM

Are you prepared for the end of Microsoft support for Windows XP next month?

XP vulnerabilities, and that those who continue to run XP should not use it for web-browsing and email.

Security researcher Graham Cluley described other threats last year. In a blog post, he wrote: "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks."

Microsoft announced in January that it will continue to deliver anti-malware support to XP users through July 14, 2015, provided customers have Security Essentials installed by April 8. Microsoft will also maintain System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune for enterprise customers. Most security vendors also plan to support Windows XP for at least the next several years. All of these efforts could mitigate XP's potential risk after April, but Johnson said the protection will be more reactive than proactive.

Miller agreed. "Antivirus simply cannot protect you from every kind of attack," he said in a January blog post, comparing XP to a "rotting wooden boat."

XP poses a threat not only to conventional PC users but also to a variety of industrial systems, ATMs, and healthcare products. A February report by the SANS Institute identified Windows XP's prominence as a potential liability in the healthcare industry, for example. The OS also reportedly supports the majority of the world's ATMs, and Michael Assante, former VP and security chief for the North American Electric Reliability Corporation, told The Wall Street Journal that XP workstations are used in virtually all electric and gas utilities in the United States.

With such systems, "the issue is really: How connected are they to the public Internet, and how locked down are they?" Silver noted. He said single-application machines should be locked down to begin with, which will "hopefully make them less vulnerable."

But regardless of how many additional customers move on from XP by April, the most apocalyptic predictions could be overblown for a simple reason: IT admins aren't stupid. Yes, on the consumer side, some XP holdouts will surely fall victim to some scam or another, and it's probably inevitable that at least a few businesses suffer setbacks as well. But most IT admins have known about the April deadline for a long time, and many of those who cannot easily abandon XP have taken precautions to keep their data safe and secure.

A recent survey by Redmond Magazine, for example, found that only 35% of respondents run an XP system connected to the Internet; the others have already confined XP to protected networks or single-application use. Of more than 3,000 participants, only 28% had completely purged XP from their infrastructures. Nearly one in four said they have no plans to retire XP systems, and only one in six said they were scrambling to upgrade before April. Almost 40% blamed application compatibility for their failure to upgrade.

Johnson said Forrester has fielded "considerable inquiry" from XP holdouts, and that "most companies have started working on some kind of containment strategy." Tactics range from revoking admin rights on XP machines to paying Microsoft for extended support, which is generally only available to large organizations and can cost millions of dollars.

But whatever the tactic, the risks cannot be ignored. IT admins "might not be stupid, but they have a lot of XP machines left," said Silver. "In some cases, those machines are still doing important things and are connected to the Internet."

Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005.

(Page 2 of 2)

Comments
Charlie Babcock (User Rank: Author), 3/12/2014 | 5:27:25 PM
How is this going to work out again?
I know many IT organizations have done everything they can do, short of replacing Windows XP machines, but 500 million XP users and we're hoping most of them won't go out on the Internet? The police forces of IT organizations better get a tremendous infusion of manpower.

Laurianne (User Rank: Author), 3/12/2014 | 3:30:07 PM
Re: Healthcare scare?
I also see XP running widely in retail and hospitality settings. Given the current data breach climate for retail, this seems extra worrisome.

jagibbons (User Rank: Ninja), 3/12/2014 | 3:17:27 PM
Re: Healthcare scare?
Most ATMs do run Windows XP. It's the version for embedded devices which has far fewer security holes to begin with, but that is the predominant operating system. At some point, they will have to be replaced. I don't envy those who will be responsible for the logistics on that. Sadly, all of us who bank or use healthcare will end up paying for the inevitable upgrades.

danielcawrey (User Rank: Ninja), 3/12/2014 | 1:44:08 PM
Re: Healthcare scare?
I will be glad to see this OS fade from relevance. But it is true, many ATMs and security devices still use Windows XP. That's scary these devices have not innovated on the level that needs to be done.

My thinking now is: How soon will we hear about a security breach in relation to Microsoft pulling support for Windows XP?

moonwatcher (User Rank: Ninja), 3/12/2014 | 12:45:15 PM
Does Microsoft REALLY care?
A quote from the article states, "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks."

Well, if Microsoft REALLY cared about the Internet getting flooded with a bunch of compromised XP machines doing denial of service and other sorts of mischief, they'd offer everyone running XP a nearly FREE upgrade to Windows 7 Home Premium. It isn't like they'd be losing money doing so.

Why Windows 7? Because most XP machines still running could fairly easily run Windows 7, but NOT Windows 8.1 because it requires a motherboard with a BIOS supporting a feature called Data Execution Prevention. Throwing 500 million perfectly good PCs into the landfill ought to be a crime, so giving an upgrade would be a good solution for many of them.

I set my neighbor up on Ubuntu (an easy-to-use flavor of Linux), and after about 20 minutes of instruction she was good to go. At least she will not have to buy a new PC just to do things she was already doing. Linux is not just for geeks these days.

jagibbons (User Rank: Ninja), 3/12/2014 | 12:26:40 PM
Healthcare scare?
The dominance of XP in the healthcare and banking industries is worrisome. I know those industries have great security folks working to protect critical data, but there's a real target there. Hopefully, once reality hits, enterprises will find ways to move off XP when they previously thought it wasn't possible or just not a high priority.