Application Security
1/16/2014
12:10 PM

Microsoft Delays Windows XP Antivirus Doomsday

Security Essentials for XP gets 15-month extension, but some antivirus vendors promise updates through 2017 and beyond.


Microsoft announced Wednesday that even after it ceases support for its aging Windows XP operating system in April, it won't stop issuing new signatures and updates for its XP antivirus software engine until mid-2015. That represents an about-face by Microsoft, which previously said that as of April it would cease updating all of its XP-compatible security software, including the free Security Essentials.

Microsoft's Malware Protection Center, which announced the extension, pitched it as a way to help businesses and consumers move to a newer version of Windows. "To help organizations complete their migrations, Microsoft will continue to provide updates to our anti-malware signatures and engine for Windows XP users through July 14, 2015," Microsoft's malware protection team said in a blog post.

But the post also emphasized that Windows XP will still receive its final set of operating system security patches and other updates on April 8, 2014. "After this date, Windows XP will no longer be a supported operating system," it read. (Aficionados of the impending Windows XP update doomsday can follow along at home by downloading Microsoft's free Windows XP End Of Support Countdown Gadget.)

[What will happen to all those XP machines and their networks on April 8? Read Windows XP Won't Go Quietly.]

The reprieve means that for Windows XP enterprise users, Microsoft will continue to maintain -- for the next 18 months -- System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune. Meanwhile, for Windows XP consumer users, Microsoft will continue to keep Microsoft Security Essentials updated.

The Microsoft security team cautioned, however, that using up-to-date antivirus still might not protect Windows XP users against post-April attacks, especially because attackers may then be able to reverse-engineer new patches for more recent Microsoft operating systems to find exploitable vulnerabilities in Windows XP: "Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today's threat landscape."

The research Microsoft cited draws on figures first detailed in October 2013 by Mike Reavey, Microsoft's Trustworthy Computing general manager, who said, "Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate." In no small part, the relative susceptibility of Windows XP to malware has to do with the security protections that Microsoft has built into more modern versions of Windows as well as Internet Explorer.

Despite the impending security risks, a NetMarketShare study found that as of December 2013, Windows XP still commanded 29% of the Windows market share -- behind Windows 7 (48%) but well ahead of Windows 8 (11%) and Windows Vista (4%).

What will be the impact of Microsoft's antivirus software reprieve? Later generations of Windows XP were built to install Microsoft's Security Essentials antivirus software by default, if no other antivirus tools were detected. Accordingly, Microsoft's extension could be a boon to any businesses or consumers who currently rely on Microsoft's own antivirus tools, even if they don't know that it's running. Furthermore, on the immunology tip, keeping up-to-date antivirus software installed on more Windows XP machines will help provide herd immunity for Internet users at large.

Make no mistake, however: Continuing to use Windows XP after April 2014 will become a riskier endeavor. "Anyone connecting a Windows XP computer to the Internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks," independent security researcher Graham Cluley warned last year.

XP holdouts needn't stick with Microsoft's antivirus offerings. Independent German security software testing lab AV-Test recently queried 27 different vendors and found that all plan to continue XP support for at least the next two years. "Trend Micro, for example, has already confirmed that it will keep its products up to date until at least 2017, while Webroot even plans to delay the cancellation of updates for its products on Windows XP systems until at least April 2019," AV-Test said Wednesday in a blog post.

The testing firm said that it will continue to evaluate the effectiveness of vendors' security suite software running on Windows XP. Even so, anyone who continues to use Windows XP after April 2014 must take additional steps to protect themselves beyond using up-to-date antivirus engines and signatures.

For starters, AV-Test recommends that after April, Windows XP users should spend as little time connected to the Internet as possible, and never do so using Internet Explorer. "We also recommend the use of an alternative browser such as Google Chrome or Firefox, which will continue to be kept up to date with the best possible security, if the announcements made by their developers are anything to go by."

Outlook Express users should also ditch that email client. "Switch from Outlook Express to another mail program because Outlook Express is part of the XP operating system and will therefore also receive no updates whatsoever after the end of support," said AV-Test. The testing firm noted that among the many alternatives, perhaps the best known is Thunderbird, which Mozilla has promised to continue updating for Windows XP, at least for the foreseeable future.

Comments
global-george
User Rank: Apprentice
1/16/2014 | 3:10:15 PM
I have too many XP machines to upgrade them all
Since my office has 26 Windows XP machines I cannot afford to upgrade all of them to Windows 7 and no one here likes Windows 8, so I hired an IT Consultant who recommended a very polished Linux operating system called Robolinux which runs XP or 7, inside it, making our XP machines completely immune to all viruses and malware, requiring absolutely no updates or anti virus or anti malware software purchases. The Robolinux OS was a 7 minute install per PC. Also extremely easy for our users to operate it. It saved our company thousands of dollars. At first I was skeptical but my local IT Guru explained to me how the advanced Robolinux VM technology operates and it made perfect sense to me. So far after 6 months not one of our 26 Windows XP boxes has been infected by any viruses or malware. I hope this helps others who just can't afford to upgrade.
Marilyn Cohodas
User Rank: Strategist
1/16/2014 | 3:58:04 PM
Re: I have too many XP machines to upgrade them all
That's an interesting approach. Has the experience sold you on Robolinux OS going forward? Or do you see your organization migrating back to Windows for your next client refresh? What's your strategy?
global-george
User Rank: Apprentice
1/16/2014 | 4:15:01 PM
Re: I have too many XP machines to upgrade them all
Our internal IT folks are busy porting all of our custom applications to either SAAS or native Linux applications. We did the math and the savings are significant. So yes we plan to keep Robolinux which our Users really love as it is much faster and is way more secure than any Windows OS, especially Windows 7.
Marilyn Cohodas
User Rank: Strategist
1/16/2014 | 4:20:59 PM
Re: I have too many XP machines to upgrade them all
Are you planning to refresh the hardware? Does Robolinux support mobile platforms? This is all very interesting to me! Thanks!
global-george
User Rank: Apprentice
1/16/2014 | 4:32:31 PM
Re: I have too many XP machines to upgrade them all
New hardware is not required for Robolinux, that in itself saved us a fortune. However as the more aging PCs break, yes we will then purchase new machines on an as needed basis. As far as mobile is concerned Linux is inherently very strong in this space so no issue there.
GAProgrammer
User Rank: Guru
1/16/2014 | 4:00:13 PM
Re: I have too many XP machines to upgrade them all
Really? You have 26 (or more) employees yet can't afford $3700 in software and maybe the same amount in consulting fees? I understand that no one likes to spend money, but $7500 in upgrade costs for someone with that many computers seems more than reasonable. By the way, that is retail pricing, not even OEM pricing.

I hear people whining about Microsoft and their costs, but it all seems reasonable to me. To be on XP still, especially as a small business, just sounds like poor planning to me. While I disagree with your lack of enthusiasm for Windows 8, there is no good business reason not to move to Windows 7.
global-george
User Rank: Apprentice
1/16/2014 | 4:21:46 PM
Re: I have too many XP machines to upgrade them all
$3700? You apparently are not in IT or your math skills are lacking. For starters the XP apps won't run on 8 and Windows 7 requires New hardware.
Gary_EL
User Rank: Apprentice
1/17/2014 | 12:23:51 AM
Smart move on Microsoft's Part
The timing here is absolutely amazing. I need to buy a backup machine, and, not wanting to spend serious money on a decent Windows 7 box, I was going to buy a Chromebook. This would have been a huge move for me, because aside from some dabbling with Ubuntu, I'm a pure Microsoft user. Now, I don't have to venture from the comfy home I've been warm and happy in since 1985. So, no Chromebook, but a $60 Pentium IV from Craigslist, and one relieved customer will stay exclusively onboard with Bill and the Redmond crew.
anon6040656171
User Rank: Apprentice
4/21/2014 | 2:46:43 PM
No, sorry, wrong - plug well and truly pulled...
Er... Looks like Micro$oft didn't read this website. They pulled the plug on all the XP installed Security Essentials boxes I am running. Maybe they were kidding this website?