Windows XP Security Issues: Fact Vs. Fiction

Are you prepared for the end of Microsoft support for Windows XP next month?

XP vulnerabilities, and that those who continue to run XP should not use it for web-browsing and email.

Security researcher Graham Cluley described other threats last year. In a blog post, he wrote: "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks."

Microsoft announced in January that it will continue to deliver anti-malware support to XP users through July 14, 2015, provided customers have Security Essentials installed by April 8. Microsoft will also maintain System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune for enterprise customers. Most security vendors also plan to support Windows XP for at least the next several years. All of these efforts could mitigate XP's potential risk after April, but Johnson said the protection will be more reactive than proactive.

Miller agreed. "Antivirus simply cannot protect you from every kind of attack," he said in a January blog post, comparing XP to a "rotting wooden boat."

XP poses a threat not only to conventional PC users, but also to a variety of industrial systems, ATMs, and healthcare products. A February report by the SANS Institute identified Windows XP's prominence as a potential liability in the healthcare industry, for example. The OS also reportedly runs the majority of the world's ATMs, and Michael Assante, former VP and security chief for the North American Electric Reliability Corporation, told The Wall Street Journal that XP workstations are used in virtually all electric and gas utilities in the United States.

With such systems, "the issue is really: How connected are they to the public Internet, and how locked down are they?" Silver noted. He said single-application machines should be locked down to begin with, which will "hopefully make them less vulnerable."

But regardless of how many additional customers move on from XP by April, the most apocalyptic predictions could be overblown for a simple reason: IT admins aren't stupid. Yes, on the consumer side, some XP holdouts will surely fall victim to some scam or another, and it's probably inevitable that at least a few businesses suffer setbacks as well. But most IT admins have known about the April deadline for a long time, and many of those who cannot easily abandon XP have taken precautions to keep their data safe and secure.

A recent survey by Redmond Magazine, for example, found that only 35% of respondents run an XP system connected to the Internet; the others have already confined XP to protected networks or single-application use. Of more than 3,000 participants, only 28% had completely purged XP from their infrastructures. Nearly one in four said they have no plans to retire XP systems, and only one in six said they were scrambling to upgrade before April. Almost 40% blamed application compatibility for their failure to upgrade.

Johnson said Forrester has fielded "considerable inquiry" from XP holdouts, and that "most companies have started working on some kind of containment strategy." Tactics range from revoking admin rights on XP machines to paying Microsoft for extended support, which is generally only available to large organizations and can cost millions of dollars.

But whatever the tactic, the risks cannot be ignored. IT admins "might not be stupid, but they have a lot of XP machines left," said Silver. "In some cases, those machines are still doing important things and are connected to the Internet."
