11/6/2013
09:54 AM
Windows XP Security Apocalypse: Prepare To Be Pwned

Patching XP makes Microsoft no money. But millions of unpatched and easy-to-exploit systems equal cybercrime payday.

Windows XP holdouts: Prepare to get pwned.

That's the future facing Windows XP users, for the simple reason that the future security and reliability of their operating system hinges on two economic factors that are beyond their control, and which pose a significant information security risk.

First, XP no longer contributes to Microsoft's bottom line, hence -- more than 12 years after the product was first released -- the software vendor plans to stop releasing public updates and patches come April 2014. Second, cybercriminals get maximum bang for their buck when they target widely installed systems that sport known vulnerabilities.


With an estimated 500 million systems in use today running Windows XP, they're soon going to become easy pickings for cybercriminals.

People don't like to hear that. They've invested in Windows XP -- maybe way back in late 2001, when it was first released -- and their consumer laptops continue to run just fine, thanks very much. Many businesses large and small, from neighborhood dental and medical facilities all the way up to Fortune 1000 firms, have invested in software, embedded systems or heavily customized applications that only run on XP or Internet Explorer 6. They don't want to pony up for new hardware, OS licenses and replacement applications. Furthermore, today's economic climate stinks, and to top it off, for the majority of would-be users, Microsoft has failed to make Windows 8 sexy.

Like climate change, signs of the impending XP security apocalypse can be ignored, but not refuted.

Even so, my incoming hate mail recently peaked after I detailed Microsoft's assertion that scans of real-world Windows installations found that six times the number of Windows XP systems are infected with malware as Windows 7 systems. One reader emailed: "How much did you get paid by Microsoft for your trashy fear monger piece about XP?"

My hands are clean. In security circles, Microsoft's findings aren't surprising. For starters, XP lacks the modern attack-prevention and mitigation techniques built into Windows operating systems after Microsoft found secure-code-writing religion in 2003. As a result, XP is easier to exploit than later versions of Windows, for the simple reason that more attacks will get through -- and an attacker just needs one exploit to work.

Furthermore, XP continues to be widely used, thus making it an attractive target. As of October 2013, 31% of all PCs still ran Windows XP, putting it in second place behind Windows 7 (46% market share), but ahead of versions of Windows 8 (9%), Mac OS X (8%), Vista (4%) and Linux (2%), according to NetMarketShare.com. By the end of 2013, reckons Gartner, there will be 1.63 billion PCs, which puts the Windows XP install base at about 500 million units.

With a user base like that, however, is Microsoft missing a huge potential revenue boost, by not attempting to sell future security patches to anyone who wants to keep using -- and trusting -- Windows XP? In fact, Wes Miller of analysis company Directions On Microsoft argues that when it comes to XP, "there's no gold left in them thar hills." In other words, anyone who wants to continue receiving security updates from Microsoft will need to pay for the privilege, and dearly. For everyone else, Microsoft has no financial incentive to feed you any more security updates; plan accordingly.

"I hate to sound like a shill, but XP systems will be ripe for an ass-kicking beginning next spring. And they can, and will, be taken advantage of," says Miller. "I also don't believe Microsoft will do any favors for businesses that stay on XP -- and don't pay the hefty costs for custom support agreements with a locked and loaded exit plan in place."

Remaining XP users, furthermore, will not just put themselves at risk, but -- per herd immunity -- make themselves a risk to the rest of us too. "Anyone connecting a Windows XP computer to the internet after Microsoft drops its support in April 2014 is not only putting themselves at risk, but also endangering all of us on the Internet -- as their computers may be hijacked into botnets and used to spread malware and spam attacks," says independent security researcher Graham Cluley.

Come April 2014, massive numbers of XP users might not get owned right away. But as Microsoft continues to release monthly security patches for supported versions of Windows, attackers will reverse-engineer the underlying flaws and turn them into working exploits. For an illustration of how that works, just look at how attackers today are reverse-engineering Oracle's Java updates to find working exploits for the outdated versions of Java 6 and Java 7 still used by hundreds of millions of people. Economically speaking, cybercriminals can't afford not to attack all of those easy-to-exploit Java users, which has made it attackers' most-used technique for compromising systems.

Expect the same thing to happen with Windows XP, once it becomes a sitting duck. "It appears a lot of organizations don't realize -- or don't care -- [how] porous Windows XP will become after it ceases being patched in April," says Directions on Microsoft's Miller. "It isn't a war-hardened OS, as some customers believe. It's a U.S.S. Constitution in an era of metal battleships."

Windows XP holdouts: Prepare to sink or swim.

Comments
Mathew,
User Rank: Apprentice
1/22/2014 | 7:18:52 AM
Re: Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
Modest fee-based support is a great idea. But reading between the lines, Microsoft has studied the ROI of this approach, and found it lacking. (Or else sees much more revenue to be gained from even a fraction of users moving to a new system and OS.)

Furthermore, it's unlikely that Microsoft would hand over intellectual property -- Windows XP source code -- to a third party.

So in terms of security updates and OS updates, it looks like Windows XP is about to become dead in the water.
bjornagain,
User Rank: Apprentice
1/21/2014 | 12:29:43 PM
Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
First of all, how will this "apocalypse" affect home users? Are firewalls and anti-malware/virus programs enough to prevent disaster? Primarily, though, I am wondering why the 30% of stubborn XP users haven't petitioned Microshaft to continue support through fee-based support, that is, MODEST fee-based support? I've been in this business since DOS 3.3 was introduced and have suffered through all the changes, including the disasters of Millennium, Vista, and now Windows 8. I deeply resent the loss of Outlook Express, one of the most widely used email clients on earth, and even more the entire concept of the "Cloud". There is no such thing as "secure" when your personal data is being intercepted by God only knows who, or even where that information is being stored. As we all know, or SHOULD know by now, NSA, Homeland Security and myriad other hidden "security" agencies have access to ANYBODY's information, including their whereabouts, their political views and probably even their sexual proclivities.
But I digress.

The bottom line is that either Microsoft farms out the job of providing updates for XP to a 3rd party (if their arrogance will allow it) or does it themselves. Personally speaking, I've spent a great deal of time maintaining XP machines and have learned a great deal about their foibles. All I want is something that is reliable and reasonably stable, and XP serves the purpose very well.
Mathew,
User Rank: Apprentice
11/20/2013 | 5:08:37 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Interesting observation. I wonder if today's malware won't work on Windows 98 SE systems? That said, I'm not sure your approach would promise the security that businesses would demand, or most consumers expect. Furthermore, don't you crave the features/performance offered by a more modern OS, or the ability to run recent versions of applications, never mind new ones? If memory serves me correctly, XP was a big step up from 98.
Dave.Engineer,
User Rank: Apprentice
11/19/2013 | 3:22:53 PM
How to get unPwned
For the last 5 years, I've been working on a solution to this problem for businesses Worldwide.

Please see my video: The Global Approaching Windows® XP Pandemic at http://engineerenterprises.com

Thank you :)
noles17,
User Rank: Apprentice
11/16/2013 | 10:52:59 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
You guys are scared for nothing. I am still using Windows 98 SE, connected to the internet, as my primary OS, and support ended for it seven years ago. In fact, that's what I'm using right now to post this comment. By the way, it has never gotten a virus nor has it ever been hacked in the fifteen years and counting I've used and run it as my physical OS.
memo345,
User Rank: Apprentice
11/11/2013 | 6:11:12 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Now, for older computers, moving to Linux might be an option (if no business applications are needed, of course) :)
jqb,
User Rank: Apprentice
11/10/2013 | 4:52:39 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, you lost me at the climate change comment. If you mean the climate has been changing since the formation of the Earth, OK, it has and always will. If you mean the current political definition of climate change (i.e., Global Warming... oops, but it's not warming anymore, so better call it "climate change"), then that is not as inevitable as XP's future as a dead-end OS.
mak63,
User Rank: Apprentice
11/8/2013 | 7:49:36 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Perhaps a few weeks or a month before the April deadline, Microsoft will give away Windows 8.1 for free, like Apple is doing with Mavericks. Wouldn't that be something? Or maybe a cheap upgrade, like 10 bucks or so.
I would upgrade my 2nd box in a heartbeat!
Mathew,
User Rank: Apprentice
11/8/2013 | 10:19:09 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Hi Terry -- you've hit the nail on the head; this warning is aimed at general use of an XP desktop by businesses and consumers.

For businesses that need to continue running an XP-only software package, there's a lot less cause for concern if they carefully lock down the environment, for example by using a virtual desktop environment that sports minimum capabilities, plus (and this is a must) antivirus software. If the need to run IE6 is the XP holdup, other approaches (such as Browsium) can securely run IE6-only functionality in a newer/safer browser.

The key, however, is to study the problem, as you've done, and then invest the time/money required (even if scant) to come up with an approach that you trust, as well as a long-term exit strategy (cloud?).

My concern: How many businesses -- that I personally rely on to keep my personal data and/or credit card and bank details secure -- have carefully locked down every remaining XP instance, as you've done? Meanwhile, how many consumers will continue to use XP without being aware of the risk? (And finally, what do I do with my backup laptop that still runs XP, and runs well?)
TerryB,
User Rank: Ninja
11/7/2013 | 6:05:32 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, this article obviously focused on the general use case of an XP desktop, meaning one that has internet access, consumes email and browses the web. Those attack vectors are real, and every point you make in the article is certainly true.
But what about business use that just involves running a software package that still works fine for the business purpose? We have that case here: an HR package that maintains employee information (no payroll function) and allows easy reporting. This HR package will not run on Win 7; some DLL has a problem with Win 7. The vendor's answer is not to fix the DLL to run on Win 7, but to want you to pay $5K+ to upgrade just to accomplish the same business things we do now.
So we implemented a virtual XP desktop running the HR package. HR users just remote desktop in from their Win 7 desktops (where they web browse and get email) to this XP desktop just to use HR package.
Just what exactly is the risk here? You don't care about further XP patches because, quite frankly, every patch has the potential to cause problems with the HR application anyway. The only attack vector left is a network worm, like Blaster in the Win 2K days. With the SAN-hosted desktop isolated on a non-routable IP network, behind a firewall and proxy server, and with no credentials to access the internet through the proxy server, how exactly would even a network worm attack? Even if it did, you could replace the infected system with a virtual backup snapshot in seconds; the HR data is stored on a server.
Tell me, with a straight face, why in the heck I should worry about replacing this XP desktop by 2014? Or even 2020, for that matter. The o/s is absolutely irrelevant in this use case. And I suspect many other businesses find themselves with the same decisions; this is not an isolated case. If XP is running applications to support spectrometers and other specialty hardware, why is this an issue to keep running it?