Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Windows XP Security Apocalypse: Prepare To Be Pwned
Threaded  |  Newest First  |  Oldest First
TerryB
TerryB,
 User Rank: Ninja
11/7/2013 | 6:05:32 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, this article obviously focused on general use case of a XP desktop. Meaning has internet access, consumes email and web browses. Those attack vectors are real and every point you make in article is certainly true.
But what about business use that just involve running a software package that still works fine for the business purpose? We have that case here, an HR package that maintains employee information (no payroll function) and allows easy reporting. This HR package will not run on Win 7, some DLL has a problem with Win 7. The vendor's answer is not to fix DLL to run on Win 7 but want you to pay $5K+ to upgrade just to accomplish same business things we do now.
So we implemented a virtual XP desktop running the HR package. HR users just remote desktop in from their Win 7 desktops (where they web browse and get email) to this XP desktop just to use HR package.
Just what exactly is the risk here? You don't care about further XP patches because, quite frankly, every patch has potential to cause problems with HR application anyway. The only attack vector left is a network worm, like Blaster in the Win 2K days. With SAN running desktop isolated on non routeable IP network, behind a firewall and proxy server, and no security to access internet thru proxy server, how exactly would even a network worm attack? Even if it did, you could replace infected system with virtual backup snapshot in seconds, the HR data is stored on a server.
Tell me, with a straight face, why in the heck I should worry about replacing this XP desktop by 2014? Or even 2020 for that matter. The o/s is absolutely irrelevant in this use case. And I suspect many other businesses find themselves with same decisions, this is not an isolated case. If XP is running applications to support spectrometers and other specialty hardware, why is this an issue to keep running it?
Mathew
Mathew,
 User Rank: Apprentice
11/8/2013 | 10:19:09 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Hi Terry -- you've hit the nail on the head; this warning is aimed at general use of an XP desktop by businesses and consumers.

For businesses that need to continue running an XP-only software package, there's a lot less cause for concern if they carefully lock down the environment, for example by using a virtual desktop environment that sports minimum capabilities, plus (and this is a must) antivirus software. If the need to run IE6 is the XP holdup, other approaches (such as Browsium) can securely run IE6-only functionality in a newer/safer browser.

The key, however, is to study the problem, as you've done, and then invest the time/money required (even if scant) to come up with an approach that you trust, as well as a long-term exist strategy (cloud?).

My concern: How many businesses -- that I personally rely on to keep my personal data and/or credit card and bank details secure -- have carefully locked down every remaining XP instance, as you've done? Meanwhile, how many consumers will continue to use XP without being aware of the risk? (And finally, what do I do with my backup laptop that still runs XP, and runs well?)
mak63
mak63,
 User Rank: Apprentice
11/8/2013 | 7:49:36 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Perhaps a few weeks or a month before the April deadline, Microsoft will give away Windows 8.1 for free, like Apple is doing with Maverick. Wouldn't that be something? Or maybe a cheap upgrade, like 10 bucks or so.
I would upgrade my 2nd box in a heartbeat!
jqb
jqb,
 User Rank: Apprentice
11/10/2013 | 4:52:39 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Mathew, you lost me at the climate change comment. If you mean the climate has been changing since the formation of the Earth, OK, it has and always will. If you mean the current political definition of climate change (ie: Global Warming... oops, but it's not warming anymore, so better call it "climate change") then that is not as inevitable as XP's future as a dead end OS.
memo345
memo345,
 User Rank: Apprentice
11/11/2013 | 6:11:12 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Now for older computers, moving to Linux might be an option, (if no bussiness application are needed of course) :)
noles17
noles17,
 User Rank: Apprentice
11/16/2013 | 10:52:59 PM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
You guys are scared for nothing. I am still using Windows 98 SE with it connected to the internet as my primary OS and support ended for it seven years ago. In fact, that's what I'm using right now to post this comment.By the way, it has never gotten a virus nor has it ever been hacked in the fifteen years and counting I've used and ran it as my psychical OS.
Mathew
Mathew,
 User Rank: Apprentice
11/20/2013 | 5:08:37 AM
re: Windows XP Security Apocalypse: Prepare To Be Pwned
Interesting observation. I wonder if today's malware won't work on Windows 98 SE systems? That said, I'm not sure your approach would promise the security that businesses would demand, or most consumers expect. Furthermore, don't you crave the features/performance offered by a more modern OS, or the ability to run recent versions of applications, never mind new ones? If memory serves me correctly, XP was a big step up from 98. 
Dave.Engineer
Dave.Engineer,
 User Rank: Apprentice
11/19/2013 | 3:22:53 PM
How to get unPwned
For the last 5 years, I've been working on a solution to this problem for businesses Worldwide.

Please see my video: The Global Approaching Windows® XP Pandemic at http://engineerenterprises.com

Thank you :)
bjornagain
bjornagain,
 User Rank: Apprentice
1/21/2014 | 12:29:43 PM
Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
First of all how will this "apocalypse" affect home users? Are firewalls, anti-malware/virus programs enough to prevent disaster? Primarily though, I am wondering why the 30% of stubborn XP users haven't petitioned Microshaft to continue support through fee-based support, that is, MODEST fee-based support? I've been in this business since DOS 3.3 was introduced and have suffered through all the changes including the disasters of Millenium, Vista, and now Windows 8. I deeply resent the loss of Outlook Express, one of the most widely used email clients on earth and even more the entire concept of the "Cloud". There is no such thing as "secure" when your personal data is being intercepted by God only knows who or even where that information is being stored. As we all know, or SHOULD know by now, NSA, Homeland Security and myriad other hidden "security" agencies has access to ANYBODY's information including their whereabouts, their political views and probably even their sexual proclivities.


But I digress.

The bottom line is that either Microsoft farm out the job of providing updates for XP to a 3rd party (if their arrogance will allow it) or do it themselves. Personally speaking, I've spent a great deal of time maintaining XP machines and have learned a great deal about their foibles. All I want is something that is reliable and resonably stable and XP serves the purpose very well.
Mathew
Mathew,
 User Rank: Apprentice
1/22/2014 | 7:18:52 AM
Re: Why aren't the 500 million XP users ganging up on Microsoft to continue xp support?
Modest fee-based support is a great idea. But reading between the lines, Microsoft has studied the ROI of this approach, and found it lacking. (Or else sees much more revenue to be gained from even a fraction of users moving to a new system and OS.) 

Furthermore it's unlikely that Microsoft would have over intellectual property -- Windows XP source code -- to a third party. 

So in terms of security updates and OS updates, it looks like Windows XP is about to become dead in the water.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-0624
PUBLISHED: 2022-06-28
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
CVE-2017-20105
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument path with the input ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd leads to path traversal. The att...
CVE-2017-20106
PUBLISHED: 2022-06-28
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally...
CVE-2017-20107
PUBLISHED: 2022-06-28
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used...
CVE-2017-20104
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to th...