Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Windows XP Security Apocalypse: Prepare To Be Pwned
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
 User Rank: Apprentice
1/22/2014 | 7:18:52 AM
Re: Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
Modest fee-based support is a great idea. But reading between the lines, Microsoft has studied the ROI of this approach, and found it lacking. (Or else sees much more revenue to be gained from even a fraction of users moving to a new system and OS.) 

Furthermore it's unlikely that Microsoft would have over intellectual property -- Windows XP source code -- to a third party. 

So in terms of security updates and OS updates, it looks like Windows XP is about to become dead in the water.
bjornagain
50%
50%
bjornagain,
 User Rank: Apprentice
1/21/2014 | 12:29:43 PM
Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
First of all how will this "apocalypse" affect home users? Are firewalls, anti-malware/virus programs enough to prevent disaster? Primarily though, I am wondering why the 30% of stubborn XP users haven't petitioned Microshaft to continue support through fee-based support, that is, MODEST fee-based support? I've been in this business since DOS 3.3 was introduced and have suffered through all the changes including the disasters of Millenium, Vista, and now Windows 8. I deeply resent the loss of Outlook Express, one of the most widely used email clients on earth and even more the entire concept of the "Cloud". There is no such thing as "secure" when your personal data is being intercepted by God only knows who or even where that information is being stored. As we all know, or SHOULD know by now, NSA, Homeland Security and myriad other hidden "security" agencies has access to ANYBODY's information including their whereabouts, their political views and probably even their sexual proclivities.


But I digress.

The bottom line is that either Microsoft farm out the job of providing updates for XP to a 3rd party (if their arrogance will allow it) or do it themselves. Personally speaking, I've spent a great deal of time maintaining XP machines and have learned a great deal about their foibles. All I want is something that is reliable and resonably stable and XP serves the purpose very well.
Mathew
50%
50%
Mathew,
 User Rank: Apprentice
11/20/2013 | 5:08:37 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Interesting observation. I wonder if today's malware won't work on Windows 98 SE systems? That said, I'm not sure your approach would promise the security that businesses would demand, or most consumers expect. Furthermore, don't you crave the features/performance offered by a more modern OS, or the ability to run recent versions of applications, never mind new ones? If memory serves me correctly, XP was a big step up from 98. 
Dave.Engineer
50%
50%
Dave.Engineer,
 User Rank: Apprentice
11/19/2013 | 3:22:53 PM
How to get unPwned
For the last 5 years, I've been working on a solution to this problem for businesses Worldwide.

Please see my video: The Global Approaching Windows® XP Pandemic at http://engineerenterprises.com

Thank you :)
noles17
50%
50%
noles17,
 User Rank: Apprentice
11/16/2013 | 10:52:59 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
You guys are scared for nothing. I am still using Windows 98 SE with it connected to the internet as my primary OS and support ended for it seven years ago. In fact, that's what I'm using right now to post this comment.By the way, it has never gotten a virus nor has it ever been hacked in the fifteen years and counting I've used and ran it as my psychical OS.
memo345
50%
50%
memo345,
 User Rank: Apprentice
11/11/2013 | 6:11:12 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Now for older computers, moving to Linux might be an option, (if no bussiness application are needed of course) :)
jqb
50%
50%
jqb,
 User Rank: Apprentice
11/10/2013 | 4:52:39 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, you lost me at the climate change comment. If you mean the climate has been changing since the formation of the Earth, OK, it has and always will. If you mean the current political definition of climate change (ie: Global Warming... oops, but it's not warming anymore, so better call it "climate change") then that is not as inevitable as XP's future as a dead end OS.
mak63
50%
50%
mak63,
 User Rank: Apprentice
11/8/2013 | 7:49:36 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Perhaps a few weeks or a month before the April deadline, Microsoft will give away Windows 8.1 for free, like Apple is doing with Maverick. Wouldn't that be something? Or maybe a cheap upgrade, like 10 bucks or so.
I would upgrade my 2nd box in a heartbeat!
Mathew
50%
50%
Mathew,
 User Rank: Apprentice
11/8/2013 | 10:19:09 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Hi Terry -- you've hit the nail on the head; this warning is aimed at general use of an XP desktop by businesses and consumers.

For businesses that need to continue running an XP-only software package, there's a lot less cause for concern if they carefully lock down the environment, for example by using a virtual desktop environment that sports minimum capabilities, plus (and this is a must) antivirus software. If the need to run IE6 is the XP holdup, other approaches (such as Browsium) can securely run IE6-only functionality in a newer/safer browser.

The key, however, is to study the problem, as you've done, and then invest the time/money required (even if scant) to come up with an approach that you trust, as well as a long-term exist strategy (cloud?).

My concern: How many businesses -- that I personally rely on to keep my personal data and/or credit card and bank details secure -- have carefully locked down every remaining XP instance, as you've done? Meanwhile, how many consumers will continue to use XP without being aware of the risk? (And finally, what do I do with my backup laptop that still runs XP, and runs well?)
TerryB
50%
50%
TerryB,
 User Rank: Ninja
11/7/2013 | 6:05:32 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, this article obviously focused on general use case of a XP desktop. Meaning has internet access, consumes email and web browses. Those attack vectors are real and every point you make in article is certainly true.
But what about business use that just involve running a software package that still works fine for the business purpose? We have that case here, an HR package that maintains employee information (no payroll function) and allows easy reporting. This HR package will not run on Win 7, some DLL has a problem with Win 7. The vendor's answer is not to fix DLL to run on Win 7 but want you to pay $5K+ to upgrade just to accomplish same business things we do now.
So we implemented a virtual XP desktop running the HR package. HR users just remote desktop in from their Win 7 desktops (where they web browse and get email) to this XP desktop just to use HR package.
Just what exactly is the risk here? You don't care about further XP patches because, quite frankly, every patch has potential to cause problems with HR application anyway. The only attack vector left is a network worm, like Blaster in the Win 2K days. With SAN running desktop isolated on non routeable IP network, behind a firewall and proxy server, and no security to access internet thru proxy server, how exactly would even a network worm attack? Even if it did, you could replace infected system with virtual backup snapshot in seconds, the HR data is stored on a server.
Tell me, with a straight face, why in the heck I should worry about replacing this XP desktop by 2014? Or even 2020 for that matter. The o/s is absolutely irrelevant in this use case. And I suspect many other businesses find themselves with same decisions, this is not an isolated case. If XP is running applications to support spectrometers and other specialty hardware, why is this an issue to keep running it?


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.