Application Security
1/16/2014
12:10 PM

Microsoft Delays Windows XP Antivirus Doomsday

Security Essentials for XP gets 15-month extension, but some antivirus vendors promise updates through 2017 and beyond.


Microsoft announced Wednesday that even after it ceases support for its aging Windows XP operating system in April, it won't stop issuing new signatures and updates for its XP antivirus software engine until mid-2015. That represents an about-face by Microsoft, which previously said that as of April it would cease updating all of its XP-compatible security software, including the free Security Essentials.

Microsoft's Malware Protection Center, which announced the extension, pitched it as a way to help businesses and consumers move to a newer version of Windows. "To help organizations complete their migrations, Microsoft will continue to provide updates to our anti-malware signatures and engine for Windows XP users through July 14, 2015," Microsoft's malware protection team said in a blog post.

But the post also emphasized that Windows XP will still receive its final set of operating system security patches and other updates on April 8, 2014. "After this date, Windows XP will no longer be a supported operating system," it read. (Aficionados of the impending Windows XP update doomsday can follow along at home by downloading Microsoft's free Windows XP End Of Support Countdown Gadget.)

[What will happen to all those XP machines and their networks on April 8? Read Windows XP Won't Go Quietly.]

The reprieve means that for Windows XP enterprise users, Microsoft will continue to maintain -- for the next 18 months -- System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune. Meanwhile, for Windows XP consumer users, Microsoft will continue to keep Microsoft Security Essentials updated.

The Microsoft security team cautioned, however, that using up-to-date antivirus still might not protect Windows XP users against post-April attacks, especially because attackers may then be able to reverse-engineer new patches for more recent Microsoft operating systems to find exploitable vulnerabilities in Windows XP: "Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today's threat landscape."

The research cited by Microsoft draws on figures first detailed in October 2013 by Mike Reavey, Microsoft's Trustworthy Computing general manager, who said, "Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate." In no small part, the relative susceptibility of Windows XP to malware has to do with the security protections that Microsoft has built into more modern versions of Windows as well as Internet Explorer.

Despite the impending security risks, a NetMarketShare study found that as of December 2013, Windows XP still commanded 29% of the Windows market share -- behind Windows 7 (48%) but well ahead of Windows 8 (11%) and Windows Vista (4%).

What will be the impact of Microsoft's antivirus software reprieve? Later generations of Windows XP were built to install Microsoft's Security Essentials antivirus software by default, if no other antivirus tools were detected. Accordingly, Microsoft's extension could be a boon to any businesses or consumers who currently rely on Microsoft's own antivirus tools, even if they don't know that it's running. Furthermore, on the immunology tip, keeping up-to-date antivirus software installed on more Windows XP machines will help provide herd immunity for Internet users at large.

Make no mistake, however: Continuing to use Windows XP after April 2014 will become a riskier endeavor. "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks," independent security researcher Graham Cluley warned last year.

XP holdouts needn't stick with Microsoft's antivirus offerings. Independent German security software testing lab AV-Test recently queried 27 different vendors and found that all plan to continue XP support for at least the next two years. "Trend Micro, for example, has already confirmed that it will keep its products up to date until at least 2017, while Webroot even plans to delay the cancellation of updates for its products on Windows XP systems until at least April 2019," AV-Test said Wednesday in a blog post.

The testing firm said that it will continue to evaluate the effectiveness of vendors' security suite software running on Windows XP. Even so, anyone who continues to use Windows XP after April 2014 must take additional steps to protect themselves beyond using up-to-date antivirus engines and signatures.

For starters, AV-Test recommends that after April, Windows XP users should spend as little time connected to the Internet as possible, and never do so using Internet Explorer. "We also recommend the use of an alternative browser such as Google Chrome or Firefox, which will continue to be kept up to date with the best possible security, if the announcements made by their developers are anything to go by."

Outlook Express users should also ditch that email client. "Switch from Outlook Express to another mail program because Outlook Express is part of the XP operating system and will therefore also receive no updates whatsoever after the end of support," said AV-Test. The testing firm noted that among the many alternatives, perhaps the best known is Thunderbird, which Mozilla has promised to continue updating for Windows XP, at least for the foreseeable future.


Comments
global-george
User Rank: Apprentice
1/16/2014 | 3:10:15 PM
I have too many XP machines to upgrade them all
Since my office has 26 Windows XP machines, I cannot afford to upgrade all of them to Windows 7, and no one here likes Windows 8, so I hired an IT consultant who recommended a very polished Linux operating system called Robolinux, which runs XP or 7 inside it, making our XP machines completely immune to all viruses and malware, requiring absolutely no updates or antivirus or anti-malware software purchases. The Robolinux OS was a 7-minute install per PC. Also extremely easy for our users to operate it. It saved our company thousands of dollars. At first I was skeptical, but my local IT guru explained to me how the advanced Robolinux VM technology operates and it made perfect sense to me. So far, after 6 months, not one of our 26 Windows XP boxes has been infected by any viruses or malware. I hope this helps others who just can't afford to upgrade.
Marilyn Cohodas
User Rank: Strategist
1/16/2014 | 3:58:04 PM
Re: I have too many XP machines to upgrade them all
That's an interesting approach. Has the experience sold you on Robolinux OS going forward? Or do you see your organization migrating back to Windows for your next client refresh? What's your strategy?
global-george
User Rank: Apprentice
1/16/2014 | 4:15:01 PM
Re: I have too many XP machines to upgrade them all
Our internal IT folks are busy porting all of our custom applications to either SAAS or native Linux applications. We did the math and the savings are significant. So yes we plan to keep Robolinux which our Users really love as it is much faster and is way more secure than any Windows OS, especially Windows 7.
Marilyn Cohodas
User Rank: Strategist
1/16/2014 | 4:20:59 PM
Re: I have too many XP machines to upgrade them all
Are you planning to refresh the hardware? Does Robolinux support mobile platforms? This is all very interesting to me! Thanks!
global-george
User Rank: Apprentice
1/16/2014 | 4:32:31 PM
Re: I have too many XP machines to upgrade them all
New hardware is not required for Robolinux; that in itself saved us a fortune. However, as the more aging PCs break, yes, we will then purchase new machines on an as-needed basis. As far as mobile is concerned, Linux is inherently very strong in this space, so no issue there.
GAProgrammer
User Rank: Guru
1/16/2014 | 4:00:13 PM
Re: I have too many XP machines to upgrade them all
Really? You have 26 (or more) employees yet can't afford $3700 in software and maybe the same amount in consulting fees? I understand that no one likes to spend money, but $7500 in upgrade costs for someone with that many computers seems more than reasonable. By the way, that is retail pricing, not even OEM pricing.

I hear people whining about Microsoft and their costs, but it all seems reasonable to me. To be on XP still, especially as a small business, just sounds like poor planning to me. While I disagree with your lack of enthusiasm for Windows 8, there is no good business reason not to move to Windows 7.
global-george
User Rank: Apprentice
1/16/2014 | 4:21:46 PM
Re: I have too many XP machines to upgrade them all
$3700? You apparently are not in IT or your math skills are lacking. For starters, the XP apps won't run on 8 and Windows 7 requires new hardware.
Gary_EL
User Rank: Apprentice
1/17/2014 | 12:23:51 AM
Smart move on Microsoft's Part
The timing here is absolutely amazing. I need to buy a backup machine, and, not wanting to spend serious money on a decent Windows 7 box, I was going to buy a Chromebook. This would have been a huge move for me, because aside from some dabbling with Ubuntu, I'm a pure Microsoft user. Now, I don't have to venture from the comfy home I've been warm and happy in since 1985. So, no Chromebook, but a $60 Pentium IV from Craigslist, and one relieved customer will stay exclusively onboard with Bill and the Redmond crew.
anon6040656171
User Rank: Apprentice
4/21/2014 | 2:46:43 PM
No, sorry, wrong - plug well and truly pulled...
Er... Looks like Micro$oft didn't read this website. They pulled the plug on all the XP installed Security Essentials boxes I am running. Maybe they were kidding this website?