Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Windows XP Security Apocalypse: Prepare To Be Pwned
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
 User Rank: Apprentice
1/22/2014 | 7:18:52 AM
Re: Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
Modest fee-based support is a great idea. But reading between the lines, Microsoft has studied the ROI of this approach, and found it lacking. (Or else sees much more revenue to be gained from even a fraction of users moving to a new system and OS.) 

Furthermore it's unlikely that Microsoft would have over intellectual property -- Windows XP source code -- to a third party. 

So in terms of security updates and OS updates, it looks like Windows XP is about to become dead in the water.
bjornagain
50%
50%
bjornagain,
 User Rank: Apprentice
1/21/2014 | 12:29:43 PM
Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
First of all how will this "apocalypse" affect home users? Are firewalls, anti-malware/virus programs enough to prevent disaster? Primarily though, I am wondering why the 30% of stubborn XP users haven't petitioned Microshaft to continue support through fee-based support, that is, MODEST fee-based support? I've been in this business since DOS 3.3 was introduced and have suffered through all the changes including the disasters of Millenium, Vista, and now Windows 8. I deeply resent the loss of Outlook Express, one of the most widely used email clients on earth and even more the entire concept of the "Cloud". There is no such thing as "secure" when your personal data is being intercepted by God only knows who or even where that information is being stored. As we all know, or SHOULD know by now, NSA, Homeland Security and myriad other hidden "security" agencies has access to ANYBODY's information including their whereabouts, their political views and probably even their sexual proclivities.


But I digress.

The bottom line is that either Microsoft farm out the job of providing updates for XP to a 3rd party (if their arrogance will allow it) or do it themselves. Personally speaking, I've spent a great deal of time maintaining XP machines and have learned a great deal about their foibles. All I want is something that is reliable and resonably stable and XP serves the purpose very well.
Mathew
50%
50%
Mathew,
 User Rank: Apprentice
11/20/2013 | 5:08:37 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Interesting observation. I wonder if today's malware won't work on Windows 98 SE systems? That said, I'm not sure your approach would promise the security that businesses would demand, or most consumers expect. Furthermore, don't you crave the features/performance offered by a more modern OS, or the ability to run recent versions of applications, never mind new ones? If memory serves me correctly, XP was a big step up from 98. 
Dave.Engineer
50%
50%
Dave.Engineer,
 User Rank: Apprentice
11/19/2013 | 3:22:53 PM
How to get unPwned
For the last 5 years, I've been working on a solution to this problem for businesses Worldwide.

Please see my video: The Global Approaching Windows® XP Pandemic at http://engineerenterprises.com

Thank you :)
noles17
50%
50%
noles17,
 User Rank: Apprentice
11/16/2013 | 10:52:59 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
You guys are scared for nothing. I am still using Windows 98 SE with it connected to the internet as my primary OS and support ended for it seven years ago. In fact, that's what I'm using right now to post this comment.By the way, it has never gotten a virus nor has it ever been hacked in the fifteen years and counting I've used and ran it as my psychical OS.
memo345
50%
50%
memo345,
 User Rank: Apprentice
11/11/2013 | 6:11:12 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Now for older computers, moving to Linux might be an option, (if no bussiness application are needed of course) :)
jqb
50%
50%
jqb,
 User Rank: Apprentice
11/10/2013 | 4:52:39 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, you lost me at the climate change comment. If you mean the climate has been changing since the formation of the Earth, OK, it has and always will. If you mean the current political definition of climate change (ie: Global Warming... oops, but it's not warming anymore, so better call it "climate change") then that is not as inevitable as XP's future as a dead end OS.
mak63
50%
50%
mak63,
 User Rank: Apprentice
11/8/2013 | 7:49:36 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Perhaps a few weeks or a month before the April deadline, Microsoft will give away Windows 8.1 for free, like Apple is doing with Maverick. Wouldn't that be something? Or maybe a cheap upgrade, like 10 bucks or so.
I would upgrade my 2nd box in a heartbeat!
Mathew
50%
50%
Mathew,
 User Rank: Apprentice
11/8/2013 | 10:19:09 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Hi Terry -- you've hit the nail on the head; this warning is aimed at general use of an XP desktop by businesses and consumers.

For businesses that need to continue running an XP-only software package, there's a lot less cause for concern if they carefully lock down the environment, for example by using a virtual desktop environment that sports minimum capabilities, plus (and this is a must) antivirus software. If the need to run IE6 is the XP holdup, other approaches (such as Browsium) can securely run IE6-only functionality in a newer/safer browser.

The key, however, is to study the problem, as you've done, and then invest the time/money required (even if scant) to come up with an approach that you trust, as well as a long-term exist strategy (cloud?).

My concern: How many businesses -- that I personally rely on to keep my personal data and/or credit card and bank details secure -- have carefully locked down every remaining XP instance, as you've done? Meanwhile, how many consumers will continue to use XP without being aware of the risk? (And finally, what do I do with my backup laptop that still runs XP, and runs well?)
TerryB
50%
50%
TerryB,
 User Rank: Ninja
11/7/2013 | 6:05:32 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, this article obviously focused on general use case of a XP desktop. Meaning has internet access, consumes email and web browses. Those attack vectors are real and every point you make in article is certainly true.
But what about business use that just involve running a software package that still works fine for the business purpose? We have that case here, an HR package that maintains employee information (no payroll function) and allows easy reporting. This HR package will not run on Win 7, some DLL has a problem with Win 7. The vendor's answer is not to fix DLL to run on Win 7 but want you to pay $5K+ to upgrade just to accomplish same business things we do now.
So we implemented a virtual XP desktop running the HR package. HR users just remote desktop in from their Win 7 desktops (where they web browse and get email) to this XP desktop just to use HR package.
Just what exactly is the risk here? You don't care about further XP patches because, quite frankly, every patch has potential to cause problems with HR application anyway. The only attack vector left is a network worm, like Blaster in the Win 2K days. With SAN running desktop isolated on non routeable IP network, behind a firewall and proxy server, and no security to access internet thru proxy server, how exactly would even a network worm attack? Even if it did, you could replace infected system with virtual backup snapshot in seconds, the HR data is stored on a server.
Tell me, with a straight face, why in the heck I should worry about replacing this XP desktop by 2014? Or even 2020 for that matter. The o/s is absolutely irrelevant in this use case. And I suspect many other businesses find themselves with same decisions, this is not an isolated case. If XP is running applications to support spectrometers and other specialty hardware, why is this an issue to keep running it?


Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.