Application Security
1/16/2014
12:10 PM

Microsoft Delays Windows XP Antivirus Doomsday

Security Essentials for XP gets 15-month extension, but some antivirus vendors promise updates through 2017 and beyond.


Microsoft announced Wednesday that even after it ceases support for its aging Windows XP operating system in April, it won't stop issuing new signatures and updates for its XP antivirus software engine until mid-2015. That represents an about-face by Microsoft, which previously said that as of April it would cease updating all of its XP-compatible security software, including the free Security Essentials.

Microsoft's Malware Protection Center, which announced the extension, pitched it as a way to help businesses and consumers move to a newer version of Windows. "To help organizations complete their migrations, Microsoft will continue to provide updates to our anti-malware signatures and engine for Windows XP users through July 14, 2015," Microsoft's malware protection team said in a blog post.

But the post also emphasized that Windows XP will still receive its final set of operating system security patches and other updates on April 8, 2014. "After this date, Windows XP will no longer be a supported operating system," it read. (Aficionados of the impending Windows XP update doomsday can follow along at home by downloading Microsoft's free Windows XP End Of Support Countdown Gadget.)

[What will happen to all those XP machines and their networks on April 8? Read Windows XP Won't Go Quietly.]

The reprieve means that for Windows XP enterprise users, Microsoft will continue to maintain -- for the next 18 months -- System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune. Meanwhile, for Windows XP consumer users, Microsoft will continue to keep Microsoft Security Essentials updated.

The Microsoft security team cautioned, however, that using up-to-date antivirus still might not protect Windows XP users against post-April attacks, especially because attackers may then be able to reverse-engineer new patches for more recent Microsoft operating systems to find exploitable vulnerabilities in Windows XP: "Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today's threat landscape."

The research referenced by Microsoft refers to figures first detailed in October 2013 by Mike Reavey, Microsoft's Trustworthy Computing general manager, who said, "Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate." In no small part, the relative susceptibility of Windows XP to malware has to do with the security protections that Microsoft has built into more modern versions of Windows as well as Internet Explorer.

Despite the impending security risks, a NetMarketShare study found that as of December 2013, Windows XP still commanded 29% of the Windows market share -- behind Windows 7 (48%) but well ahead of Windows 8 (11%) and Windows Vista (4%).

What will be the impact of Microsoft's antivirus software reprieve? Later generations of Windows XP were built to install Microsoft's Security Essentials antivirus software by default, if no other antivirus tools were detected. Accordingly, Microsoft's extension could be a boon to any businesses or consumers who currently rely on Microsoft's own antivirus tools, even if they don't know that it's running. Furthermore, on the immunology tip, keeping up-to-date antivirus software installed on more Windows XP machines will help provide herd immunity for Internet users at large.

Make no mistake, however: Continuing to use Windows XP after April 2014 will become a riskier endeavor. "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks," independent security researcher Graham Cluley warned last year.

XP holdouts needn't stick with Microsoft's antivirus offerings. Independent German security software testing lab AV-Test recently queried 27 different vendors and found that all plan to continue XP support for at least the next two years. "Trend Micro, for example, has already confirmed that it will keep its products up to date until at least 2017, while Webroot even plans to delay the cancellation of updates for its products on Windows XP systems until at least April 2019," AV-Test said Wednesday in a blog post.

The testing firm said that it will continue to evaluate the effectiveness of vendors' security suite software running on Windows XP. Even so, anyone who continues to use Windows XP after April 2014 must take additional steps to protect themselves beyond using up-to-date antivirus engines and signatures.

For starters, AV-Test recommends that after April, Windows XP users should spend as little time connected to the Internet as possible, and never do so using Internet Explorer. "We also recommend the use of an alternative browser such as Google Chrome or Firefox, which will continue to be kept up to date with the best possible security, if the announcements made by their developers are anything to go by."

Outlook Express users should also ditch that email client. "Switch from Outlook Express to another mail program because Outlook Express is part of the XP operating system and will therefore also receive no updates whatsoever after the end of support," said AV-Test. The testing firm noted that among the many alternatives, perhaps the best known is Thunderbird, which Mozilla has promised to continue updating for Windows XP, at least for the foreseeable future.

Comments
global-george,
User Rank: Apprentice
1/16/2014 | 3:10:15 PM
I have too many XP machines to upgrade them all
Since my office has 26 Windows XP machines I cannot afford to upgrade all of them to Windows 7 and no one here likes Windows 8, so I hired an IT Consultant who recommended a very polished Linux operating system called Robolinux which runs XP or 7, inside it, making our XP machines completely immune to all viruses and malware, requiring absolutely no updates or anti virus or anti malware software purchases. The Robolinux OS was a 7 minute install per PC. Also extremely easy for our users to operate it. It saved our company thousands of dollars. At first I was skeptical but my local IT Guru explained to me how the advanced Robolinux VM technology operates and it made perfect sense to me. So far after 6 months not one of our 26 Windows XP boxes has been infected by any viruses or malware. I hope this helps others who just can't afford to upgrade.
Marilyn Cohodas,
User Rank: Strategist
1/16/2014 | 3:58:04 PM
Re: I have too many XP machines to upgrade them all
That's an interesting approach. Has the experience sold you on Robolinux OS going forward? Or do you see your organization migrating back to Windows for your next client refresh? What's your strategy?
GAProgrammer,
User Rank: Apprentice
1/16/2014 | 4:00:13 PM
Re: I have too many XP machines to upgrade them all
Really? You have 26 (or more) employees yet can't afford $3700 in software and maybe the same amount in consulting fees? I understand that no one likes to spend money, but $7500 in upgrade costs for someone with that many computers seems more than reasonable. By the way, that is retail pricing, not even OEM pricing.

I hear people whining about Microsoft and their costs, but it all seems reasonable to me. To be on XP still, especially as a small business, just sounds like poor planning to me. While I disagree with your lack of enthusiasm for Windows 8, there is no good business reason not to move to Windows 7.
global-george,
User Rank: Apprentice
1/16/2014 | 4:15:01 PM
Re: I have too many XP machines to upgrade them all
Our internal IT folks are busy porting all of our custom applications to either SAAS or native Linux applications. We did the math and the savings are significant. So yes we plan to keep Robolinux which our Users really love as it is much faster and is way more secure than any Windows OS, especially Windows 7.
Marilyn Cohodas,
User Rank: Strategist
1/16/2014 | 4:20:59 PM
Re: I have too many XP machines to upgrade them all
Are you planning to refresh the hardware? Does Robolinux support mobile platforms? This is all very interesting to me! Thanks!
global-george,
User Rank: Apprentice
1/16/2014 | 4:21:46 PM
Re: I have too many XP machines to upgrade them all
$3700? You apparently are not in IT or your math skills are lacking. For starters the XP apps won't run on 8 and Windows 7 requires New hardware.
global-george,
User Rank: Apprentice
1/16/2014 | 4:32:31 PM
Re: I have too many XP machines to upgrade them all
New hardware is not required for Robolinux, that in itself saved us a fortune. However as the more aging pc's break, yes we will then purchase new machines on an as needed basis. As far as mobile is concerned Linux is inherently very strong in this space so no issue there.
Gary_EL,
User Rank: Apprentice
1/17/2014 | 12:23:51 AM
Smart move on Microsoft's Part
The timing here is absolutely amazing. I need to buy a backup machine, and, not wanting to spend serious money on a decent Windows 7 box, I was going to buy a Chromebook. This would have been a huge move for me, because aside from some dabbling with Ubuntu, I'm a pure Microsoft user. Now, I don't have to venture from the comfy home I've been warm and happy in since 1985. So, no Chromebook, but a $60 Pentium IV from Craigslist, and one relieved customer will stay exclusively onboard with Bill and the Redmond crew.
anon6040656171,
User Rank: Apprentice
4/21/2014 | 2:46:43 PM
No, sorry, wrong - plug well and truly pulled...
Er... Looks like Micro$oft didn't read this website. They pulled the plug on all the XP installed Security Essentials boxes I am running. Maybe they were kidding this website?