Many of you will have heard by now that support for Windows XP ends on April 8, 2014. Since then, many of the business customers I have talked to have moved, or are in the process of moving, their organizations from Windows XP to modern operating systems like Windows 7 or Windows 8. In fact, I have been helping two large organisations, Legal & General and Brighton & Hove Council, do just that.
There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft. Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails.
This is of course a major issue, because for home users the newer versions of Windows will in a large number of cases mean a new PC, as their old one just won’t be powerful enough to run Windows 7 or 8. For the majority of my home users and small business customers this is a valid argument, especially in the current financial climate. One important thing to note is that your computer will not stop working: provided you take all your usual precautions, it will continue working into the future.
But what is the risk of continuing to run Windows XP after its end of support date? One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. Let me explain why this will be the case.
When Microsoft releases a security update, security researchers and criminals will often reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed. They also try to identify whether the vulnerability exists in other products with the same or similar functionality. For example, if a vulnerability is addressed in one version of Windows, researchers investigate whether other versions of Windows have the same vulnerability.
But after April 8, 2014, people who continue to run Windows XP will no longer have the advantage over attackers that security updates give them. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever. How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.
Some of the people I have discussed this scenario with are quick to point out that there are security mitigations built into Windows XP that can make it harder for such exploits to be successful. There is also anti-virus software that can help block attacks and clean up infections if they occur. The challenge here is that you’ll never know, with any confidence, if the protection you have can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice. Furthermore, can the system’s APIs that anti-virus software uses be trusted under these circumstances? For some customers, and to be honest most home users, this level of confidence in the integrity of their systems might be okay, but for Business Users this might not be acceptable.
As for the security mitigations that Windows XP Service Pack 3 has, they were state of the art when they were developed many years ago. But we can see from data published in the Microsoft Security Intelligence Report that the security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see. The data available on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8.
This new data shows us that the predominant threats that individuals and organizations face are now much different than they were when Windows XP Service Pack 3 was released. Turning on the Windows Firewall in Windows XP Service Pack 2 and later operating systems forced attackers to evolve their attacks. Rather than actively targeting remote services, attackers now primarily focus on exploiting vulnerabilities in client applications such as web browsers and document readers. Keeping these applications up to date will reduce the areas that are vulnerable.
In addition, attackers have refined their tools and techniques over the past decade to make them more effective at exploiting vulnerabilities. As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats. It’s a bit like having a burglar alarm and going away for a few days with the nagging doubt that you might have left a window unlocked: until you get home, you will never know if you are safe.
So you might ask: am I updating my own systems? The answer is yes; over the coming months I will be upgrading all my own systems to Windows 7. I have chosen this version of Windows over version 8 because, in my opinion, it is far superior. Windows 8 is great if you have a tablet PC or a touch screen, but most people who don’t will find it unwieldy and somewhat annoying. Windows 8 can be reset to be more like Windows 7 – with a Start button, for instance, by using Windows 8.1 – but I don’t like it personally. If you want some personal advice relating to your own systems, then please contact me by telephone or e-mail, or send me a message through my contact page.