Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/5/2013
09:42 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

The Dinosaur In The Room

Support for Windows XP ends in April 2014; the implications extend beyond the workstation

It's no secret that Microsoft is mothballing Windows XP early next year. Officially dubbed the end of "extended support," the retirement means that security updates will no longer be available. Naturally, this means that systems running XP will become increasingly insecure, as new vulnerabilities (or those that have been held in reserve by attackers) become available on the black market. It may seem easy to dismiss this concern out of hand if you've already migrated your workstations to later versions of Windows. But, in practice, the implications of the retirement extend far beyond the workstation.

Thanks to its stability and relatively light resource use, Windows XP has been the OS of choice for specialized systems for more than a decade now. POS systems, medical devices, inventory systems, and a plethora of other turnkey devices have been built around XP. The most security-conscious vendors will surely have a plan to address the retirement of the venerable OS. History tells us, though, that many vendors will ignore the problem, leaving their customers with devices -- potentially used for critical business or patient care functions -- that are completely exposed to new exploits.

While "embedded" versions of Windows XP present a threat from within an organization, the global install base of XP PCs represents a broader threat to the ecosystem. It's already the case that Windows XP PCs that are not up to date have high infection rates. But there are plenty of XP users who do, in fact, make an effort to keep their systems patched. It's safe to say that many of these users -- who clearly don't put much stock in upgrading to the latest OS every few years -- will keep on using XP well after its retirement. As unpatched XP vulnerabilities become known within the criminal underground, we are likely to see an uptick in infected machines. More bots mean more spam, broader spread of malware, more phishing, and so on. Whether this will represent a significant enough change in the global bot population to make a noticeable difference remains to be seen, but it's worth acknowledging the potential.

With these potential risks in mind, what can you do as an information security professional? First, perform a careful inventory of any devices throughout your organization that may be using Windows XP, especially those that are outside of the realm of your typical managed workstations. Talk with the vendors of those devices about their plans to secure the environment in the absence of Microsoft patches. Consider upgrading or retiring XP devices that will not be adequately secured. If that's not an option, then consider additional security precautions (isolating devices, installing additional security software, etc.) that you can take to prevent the loss of confidentiality, integrity, or availability that could accompany a successful exploit.

This would also be a great time to educate your users about the retirement of Windows XP (and Office 2003, whose support is also ending in April) and its security implications. Many of your users (and their parents, friends, siblings) likely have old machines at home running one or both pieces of software. A simple email, flyer, or intranet post explaining what's happening, what it means for security, and what users should do (i.e., get a new computer) is all it takes to help them improve their own security and contribute to the security of the Internet at large. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
independent_forever
50%
50%
independent_forever,
User Rank: Apprentice
12/31/2013 | 2:25:20 PM
re: The Dinosaur In The Room
about time....it was good when it first came out but as with other versions of windows has outlived its usefulness and should go now...as an admin I am tired of patching this outdated OS already....let's move on..
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
12/9/2013 | 2:47:46 PM
re: The Dinosaur In The Room
Excellent article. The retirement and subsequent impacts of Windows XP is difficult for a casual user to fully understand. Many feel the time to buy a new computer is not when the security is low, but when the old one stops functioning properly. The casual computer owner is mainly focused on extending the lifespan and keeping the speed manageable. This is unlike a cell phone, where new models and apps make it enticing to upgrade.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?