Dark Reading is part of the Informa Tech Division of Informa PLC

Windows XP Security Apocalypse: Prepare To Be Pwned
User Rank: Apprentice
1/22/2014 | 7:18:52 AM
Re: Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
Modest fee-based support is a great idea. But reading between the lines, Microsoft has studied the ROI of this approach, and found it lacking. (Or else sees much more revenue to be gained from even a fraction of users moving to a new system and OS.) 

Furthermore, it's unlikely that Microsoft would hand over intellectual property -- Windows XP source code -- to a third party.

So in terms of security updates and OS updates, it looks like Windows XP is about to become dead in the water.
User Rank: Apprentice
1/21/2014 | 12:29:43 PM
Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
First of all, how will this "apocalypse" affect home users? Are firewalls, anti-malware/virus programs enough to prevent disaster? Primarily though, I am wondering why the 30% of stubborn XP users haven't petitioned Microshaft to continue support through fee-based support, that is, MODEST fee-based support? I've been in this business since DOS 3.3 was introduced and have suffered through all the changes including the disasters of Millennium, Vista, and now Windows 8. I deeply resent the loss of Outlook Express, one of the most widely used email clients on earth and even more the entire concept of the "Cloud". There is no such thing as "secure" when your personal data is being intercepted by God only knows who or even where that information is being stored. As we all know, or SHOULD know by now, NSA, Homeland Security and myriad other hidden "security" agencies have access to ANYBODY's information including their whereabouts, their political views and probably even their sexual proclivities.

But I digress.

The bottom line is that either Microsoft farm out the job of providing updates for XP to a 3rd party (if their arrogance will allow it) or do it themselves. Personally speaking, I've spent a great deal of time maintaining XP machines and have learned a great deal about their foibles. All I want is something that is reliable and reasonably stable and XP serves the purpose very well.
User Rank: Apprentice
11/20/2013 | 5:08:37 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Interesting observation. I wonder if today's malware won't work on Windows 98 SE systems? That said, I'm not sure your approach would promise the security that businesses would demand, or most consumers expect. Furthermore, don't you crave the features/performance offered by a more modern OS, or the ability to run recent versions of applications, never mind new ones? If memory serves me correctly, XP was a big step up from 98. 
User Rank: Apprentice
11/19/2013 | 3:22:53 PM
How to get unPwned
For the last 5 years, I've been working on a solution to this problem for businesses Worldwide.

Please see my video: The Global Approaching Windows® XP Pandemic at http://engineerenterprises.com

Thank you :)
User Rank: Apprentice
11/16/2013 | 10:52:59 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
You guys are scared for nothing. I am still using Windows 98 SE with it connected to the internet as my primary OS and support ended for it seven years ago. In fact, that's what I'm using right now to post this comment. By the way, it has never gotten a virus nor has it ever been hacked in the fifteen years and counting I've used and run it as my physical OS.
User Rank: Apprentice
11/11/2013 | 6:11:12 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Now for older computers, moving to Linux might be an option (if no business applications are needed of course) :)
User Rank: Apprentice
11/10/2013 | 4:52:39 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, you lost me at the climate change comment. If you mean the climate has been changing since the formation of the Earth, OK, it has and always will. If you mean the current political definition of climate change (ie: Global Warming... oops, but it's not warming anymore, so better call it "climate change") then that is not as inevitable as XP's future as a dead end OS.
User Rank: Apprentice
11/8/2013 | 7:49:36 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Perhaps a few weeks or a month before the April deadline, Microsoft will give away Windows 8.1 for free, like Apple is doing with Mavericks. Wouldn't that be something? Or maybe a cheap upgrade, like 10 bucks or so.
I would upgrade my 2nd box in a heartbeat!
User Rank: Apprentice
11/8/2013 | 10:19:09 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Hi Terry -- you've hit the nail on the head; this warning is aimed at general use of an XP desktop by businesses and consumers.

For businesses that need to continue running an XP-only software package, there's a lot less cause for concern if they carefully lock down the environment, for example by using a virtual desktop environment that sports minimum capabilities, plus (and this is a must) antivirus software. If the need to run IE6 is the XP holdup, other approaches (such as Browsium) can securely run IE6-only functionality in a newer/safer browser.

The key, however, is to study the problem, as you've done, and then invest the time/money required (even if scant) to come up with an approach that you trust, as well as a long-term exit strategy (cloud?).

My concern: How many businesses -- that I personally rely on to keep my personal data and/or credit card and bank details secure -- have carefully locked down every remaining XP instance, as you've done? Meanwhile, how many consumers will continue to use XP without being aware of the risk? (And finally, what do I do with my backup laptop that still runs XP, and runs well?)
User Rank: Ninja
11/7/2013 | 6:05:32 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, this article obviously focused on the general use case of an XP desktop. Meaning it has internet access, consumes email and browses the web. Those attack vectors are real and every point you make in the article is certainly true.
But what about business use that just involve running a software package that still works fine for the business purpose? We have that case here, an HR package that maintains employee information (no payroll function) and allows easy reporting. This HR package will not run on Win 7, some DLL has a problem with Win 7. The vendor's answer is not to fix DLL to run on Win 7 but want you to pay $5K+ to upgrade just to accomplish same business things we do now.
So we implemented a virtual XP desktop running the HR package. HR users just remote desktop in from their Win 7 desktops (where they web browse and get email) to this XP desktop just to use HR package.
Just what exactly is the risk here? You don't care about further XP patches because, quite frankly, every patch has potential to cause problems with HR application anyway. The only attack vector left is a network worm, like Blaster in the Win 2K days. With SAN running desktop isolated on non-routable IP network, behind a firewall and proxy server, and no security to access internet thru proxy server, how exactly would even a network worm attack? Even if it did, you could replace infected system with virtual backup snapshot in seconds, the HR data is stored on a server.
Tell me, with a straight face, why in the heck I should worry about replacing this XP desktop by 2014? Or even 2020 for that matter. The o/s is absolutely irrelevant in this use case. And I suspect many other businesses find themselves with same decisions, this is not an isolated case. If XP is running applications to support spectrometers and other specialty hardware, why is this an issue to keep running it?