News
3/12/2014
09:50 AM
Windows XP Security Issues: Fact Vs. Fiction

Are you prepared for the end of Microsoft support for Windows XP next month?

[Image: Windows 8.1 Update 1: 10 Key Changes]

In less than a month, Microsoft will stop supporting Windows XP, still the second most widely used PC operating system in the world. The company announced the OS's April 8 termination date years ago, but with as many as 500 million XP systems still active last month, not everyone is going to make a move in time.

XP users have vocally protested Microsoft's abandonment of such a popular product. Objections include upgrade costs, application compatibility concerns, and whether customers should be effectively forced to leave a product that they are happy with. Despite Microsoft's increased efforts, which now include daily pop-up notifications on XP systems, almost one in three computers still ran the 12-year-old OS in February, according to web-tracking firm Net Applications. More alarming for Microsoft, Windows XP's market share hasn't decreased since last year and Windows 8.1's has barely grown. Both trends imply the company's escalating messaging has fallen largely on deaf ears.

[Will Microsoft win back users with Windows 8.1 Update 1? Read Microsoft Windows 8.1 Update Surfaces.]

So what will happen when April 8 passes and millions of people are still running Windows XP?

"We're into panic time," Michael Silver, a VP at the research firm Gartner, said in an interview. He said the amount of risk depends to some extent on what XP laggards can accomplish in a hurry.

"The ones we're speaking to now are the ones that have done barely anything." If companies haven't already taken action, Silver said, they probably don't have time to even replace XP systems with virtual machines, let alone migrate their operations to Windows 7. Silver told us many late-comers are removing admin rights, restricting permissions, and otherwise locking down any XP systems that can't be retired.

"The reality is, the absence of patches for Windows XP just exposes companies to risk," Forrester analyst David Johnson said, noting that companies must be mindful, not only of security concerns, but also of compliance obligations.

For its part, Microsoft has been trumpeting for months that Windows XP is six times more likely than Windows 8.1 to contract malware. Some InformationWeek readers labeled the statistics a scare tactic, pointing out that Microsoft has newer products it wants to sell. This cynicism isn't without merit, but don't be too quick to label Microsoft a fearmonger. Security experts agree: you stick with XP at your own peril.

"It appears a lot of organizations don't realize or don't care how porous Windows XP will become after it ceases being patched in April. It isn't a war-hardened OS, as some customers believe," Wes Miller, research VP with IT consulting firm Directions on Microsoft, said last fall in a blog post. "XP systems will be ripe for an ass-kicking beginning next spring, and they can, and will, be taken advantage of."

Indeed, zero-day exploits are a major IT headache even today, with Microsoft supplying patches and support. The situation could get worse after April, especially if criminals are stockpiling new exploits in anticipation of the deadline, as some have speculated. Silver warned that attackers might also be able to use future Windows 7 and Windows 8 patches to reverse-engineer

Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ...

Comments
anon9798589529,
User Rank: Apprentice
3/13/2014 | 3:17:56 PM
Re: The issue is no one trusts Microsoft
Michael,

Thank you VERY MUCH for your prompt reply & recommendation
Michael Endler,
User Rank: Author
3/13/2014 | 3:00:03 PM
Re: The issue is no one trusts Microsoft
It's a calculated risk, but if it were me, I'd probably upgrade; that's what I've been recommending to friends and family.

AV software will help, but it is gonna be more reactive than proactive, so there are no guarantees. Depending on your computer, you might be able to upgrade OSes rather than purchasing a new machine. As many in this thread have pointed out, your online habits and software needs will dictate what kind of replacement OS (if any) would be most ideal. For web browsing and email, a tablet or Chromebook might be just as good as (and likely faster than) an old PC. If you ever do heavier content creation, such as running Photoshop, then it's a different story (though if you're running something like Photoshop, I'd wonder why you haven't embraced a more modern OS already).
TerryB,
User Rank: Ninja
3/13/2014 | 1:12:47 PM
Re: Healthcare scare?
Exactly. Except for a few isolated PC issues, Y2K was about the transition from days when storage (and memory) was so expensive you saved space by storing dates in Julian and two-digit year formats. Compounding that, we programmers who thought we were clever learned stupid math tricks in code to do date arithmetic on these dates with two-digit years. None of that would work after going from 19 to 20 in the century. That's why ERP work was at an all-time high during the late '90s.

This XP thing is all about security, period. Commenters in this forum have done an excellent job discussing the issues. The most at-risk XP user will be the non-IT-savvy home user who mostly browses the internet and gets email. There will definitely be exploits looking for these people.
AlR157,
User Rank: Apprentice
3/13/2014 | 1:04:50 PM
Re: The issue is no one trusts Microsoft
Not well disclosed (since there's no attached revenue stream except for virus folk):

~90% of malware is hosted on XP

~90% of XP machines are in China

~90% of Chinese software, including OSs like XP, is pirated (not patchable under MS policy, hence first bullet)

No one is screaming about Apple dropping support for Lion after four years with no notice. Why all the teeth gnashing over XP? Anyone with any security chops has been saying XP is overdue for replacement for years.

Nothing to see here; move on.
jdempsey972,
User Rank: Apprentice
3/13/2014 | 12:55:57 PM
Re: Healthcare scare?
Support for embedded XP ends on 1/12/2016.

http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&qid=&alpha=Windows+XP+Embedded&Filter=FilterNO
chasster123,
User Rank: Apprentice
3/13/2014 | 11:52:01 AM
Re: Healthcare scare?
Comparing Y2K to this is Apples and Watermelons.

Much of the Y2K fear was identified by a simple test on PCs: changing the system clock to see how applications would function when dated in the future. Though this was not a 100% test, it did weed out some motherboards and indicate that others would work well for years, as they did.

This being the first time the industry reached such a timestamp, it was heavily publicised.

I am aware of assorted consultants / companies that simply took advantage of the media fear that computer life was to end that day.

In fact very few items failed (that moment) and those that did (of all that I've heard) were items like the fuel distribution pump in a transportation yard. There were other issues but the World Did Not End and it will not in April.
chasster123,
User Rank: Apprentice
3/13/2014 | 11:44:44 AM
XP - where it can continue in use
Not every application requires Internet access.

Not every user needs or is allowed access to the Internet or online email.

Some places where I know this is the case include the following.

Accounting firms, doctors' offices, assorted SMBs, schools, children of assorted families, etc.

For these systems the exposure / risk is minimal.

If data files are not moved to these systems, or at minimum receive very high AV attention, the risk of their becoming infected is low.

It is the SAFE thing to say - replace and pay more money and seek the mythical guarantee of being secure (era, Phishing email, Trojans, etc.)

Should it be openly scrubbed from the planet - NO.

Should the user have a good understanding of their environment and use before continuing to use XP - YES.
anon9798589529,
User Rank: Apprentice
3/13/2014 | 9:18:27 AM
Re: The issue is no one trusts Microsoft
Michael,

I am a desktop home PC user, with XP. Do I need to buy a new Win 7 computer, or just ensure that my anti-virus/malware software product is up to date?
jagibbons,
User Rank: Ninja
3/13/2014 | 8:05:15 AM
Re: Probably not as serious as is made out.
Excellent suggestions. I would add a disclaimer on Java though. Many educational LMS and e-learning sites still rely heavily on Java to deliver content to students. That may be a limited-case reason to use it, but make sure it's updating regularly on its own.
ianmacdonald,
User Rank: Apprentice
3/13/2014 | 5:59:54 AM
Probably not as serious as is made out.
The main security concerns on all Windows versions are those of users being duped into installing rogue software such as fake patches, browser plugins or antivirus programs, and of browser plugins such as Flash or Acrobat which have security holes.

To mitigate the former, bar ordinary users from installing software by making them limited users, or by way of a software restriction policy.

http://sourceforge.net/projects/softwarepolicy/ may be of help here.

As for browser plugins, remove those which are not actually needed to minimise the attack surface. In reality, only the Flash Player plugin is needed on most computers; the rest can be disabled or removed (including Acrobat/Adobe, surprisingly). If Sun/Oracle Java is installed, remove that too, since it is often used as a secondary attack vector for browser plugin vulns. And no, virtually no webpages use Java these days. Java and JavaScript are entirely different.

If remaining on XP you should strongly discourage the use of Internet Explorer, as that will no longer be patched. Install Firefox or an alternative which is supported by its vendor.
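A small audit script for the three mitigations this comment recommends (limited user, software restriction policy, risky plugins/Java removed). It is an added example, not part of the comment or any project, and it assumes PowerShell 2.0 is installed on the XP box and that the SRP default level is stored under the `Safer\CodeIdentifiers` policy key:

```powershell
# Added audit script (not from the original comment). Assumes PowerShell 2.0
# on Windows XP and rights to read HKLM policy keys. Reports whether the
# current user is a local admin, what the Software Restriction Policy default
# rule is, and which of the plugins named in the comment are installed.

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SrpDefaultLevel {
    # SRP default security level; 0 = Disallowed, 0x1000 = Basic User,
    # 0x40000 = Unrestricted (the out-of-the-box state, i.e. no protection).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $v = Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($v -eq $null) { return 'not configured (no SRP in effect)' }
    switch ($v.DefaultLevel) {
        0       { 'Disallowed' }
        0x1000  { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { 'unknown (0x{0:X})' -f $v.DefaultLevel }
    }
}

function Get-RiskyPlugins {
    # Walk Add/Remove Programs entries and return any that match the plugins
    # the comment says to remove or keep patched.
    $patterns = 'Java', 'Adobe Flash', 'Adobe Reader', 'Acrobat', 'Shockwave'
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $uninst | ForEach-Object {
        $name = (Get-ItemProperty $_.PSPath).DisplayName
        foreach ($p in $patterns) {
            if ($name -and $name -like "*$p*") { $name; break }
        }
    }
}

"Running as local admin : $(Test-IsAdmin)"
"SRP default level      : $(Get-SrpDefaultLevel)"
"Risky plugins found    :"
Get-RiskyPlugins | ForEach-Object { "  $_" }
```

A hardened box per the comment would show `False`, `Disallowed` or `Basic User`, and at most Flash in the plugin list.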