Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/5/2013
09:42 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

The Dinosaur In The Room

Support for Windows XP ends in April 2014; the implications extend beyond the workstation

It's no secret that Microsoft is mothballing Windows XP early next year. Officially dubbed the end of "extended support," the retirement means that security updates will no longer be available. Naturally, this means that systems running XP will become increasingly insecure, as new vulnerabilities (or those that have been held in reserve by attackers) become available on the black market. It may seem easy to dismiss this concern out of hand if you've already migrated your workstations to later versions of Windows. But, in practice, the implications of the retirement extend far beyond the workstation.

Thanks to its stability and relatively light resource use, Windows XP has been the OS of choice for specialized systems for more than a decade now. POS systems, medical devices, inventory systems, and a plethora of other turnkey devices have been built around XP. The most security-conscious vendors will surely have a plan to address the retirement of the venerable OS. History tells us, though, that many vendors will ignore the problem, leaving their customers with devices -- potentially used for critical business or patient care functions -- that are completely exposed to new exploits.

While "embedded" versions of Windows XP present a threat from within an organization, the global install base of XP PCs represents a broader threat to the ecosystem. It's already the case that Windows XP PCs that are not up to date have high infection rates. But there are plenty of XP users who do, in fact, make an effort to keep their systems patched. It's safe to say that many of these users -- who clearly don't put much stock in upgrading to the latest OS every few years -- will keep on using XP well after its retirement. As unpatched XP vulnerabilities become known within the criminal underground, we are likely to see an uptick in infected machines. More bots mean more spam, broader spread of malware, more phishing, and so on. Whether this will represent a significant enough change in the global bot population to make a noticeable difference remains to be seen, but it's worth acknowledging the potential.

With these potential risks in mind, what can you do as an information security professional? First, perform a careful inventory of any devices throughout your organization that may be using Windows XP, especially those that are outside of the realm of your typical managed workstations. Talk with the vendors of those devices about their plans to secure the environment in the absence of Microsoft patches. Consider upgrading or retiring XP devices that will not be adequately secured. If that's not an option, then consider additional security precautions (isolating devices, installing additional security software, etc.) that you can take to prevent the loss of confidentiality, integrity, or availability that could accompany a successful exploit.

This would also be a great time to educate your users about the retirement of Windows XP (and Office 2003, whose support is also ending in April) and its security implications. Many of your users (and their parents, friends, siblings) likely have old machines at home running one or both pieces of software. A simple email, flyer, or intranet post explaining what's happening, what it means for security, and what users should do (i.e., get a new computer) is all it takes to help them improve their own security and contribute to the security of the Internet at large. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
independent_forever
50%
50%
independent_forever,
User Rank: Apprentice
12/31/2013 | 2:25:20 PM
re: The Dinosaur In The Room
about time....it was good when it first came out but as with other versions of windows has outlived its usefulness and should go now...as an admin I am tired of patching this outdated OS already....let's move on..
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
12/9/2013 | 2:47:46 PM
re: The Dinosaur In The Room
Excellent article. The retirement and subsequent impacts of Windows XP is difficult for a casual user to fully understand. Many feel the time to buy a new computer is not when the security is low, but when the old one stops functioning properly. The casual computer owner is mainly focused on extending the lifespan and keeping the speed manageable. This is unlike a cell phone, where new models and apps make it enticing to upgrade.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio