Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/5/2013
09:42 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

The Dinosaur In The Room

Support for Windows XP ends in April 2014; the implications extend beyond the workstation

It's no secret that Microsoft is mothballing Windows XP early next year. Officially dubbed the end of "extended support," the retirement means that security updates will no longer be available. Naturally, this means that systems running XP will become increasingly insecure, as new vulnerabilities (or those that have been held in reserve by attackers) become available on the black market. It may seem easy to dismiss this concern out of hand if you've already migrated your workstations to later versions of Windows. But, in practice, the implications of the retirement extend far beyond the workstation.

Thanks to its stability and relatively light resource use, Windows XP has been the OS of choice for specialized systems for more than a decade now. POS systems, medical devices, inventory systems, and a plethora of other turnkey devices have been built around XP. The most security-conscious vendors will surely have a plan to address the retirement of the venerable OS. History tells us, though, that many vendors will ignore the problem, leaving their customers with devices -- potentially used for critical business or patient care functions -- that are completely exposed to new exploits.

While "embedded" versions of Windows XP present a threat from within an organization, the global install base of XP PCs represents a broader threat to the ecosystem. It's already the case that Windows XP PCs that are not up to date have high infection rates. But there are plenty of XP users who do, in fact, make an effort to keep their systems patched. It's safe to say that many of these users -- who clearly don't put much stock in upgrading to the latest OS every few years -- will keep on using XP well after its retirement. As unpatched XP vulnerabilities become known within the criminal underground, we are likely to see an uptick in infected machines. More bots mean more spam, broader spread of malware, more phishing, and so on. Whether this will represent a significant enough change in the global bot population to make a noticeable difference remains to be seen, but it's worth acknowledging the potential.

With these potential risks in mind, what can you do as an information security professional? First, perform a careful inventory of any devices throughout your organization that may be using Windows XP, especially those that are outside of the realm of your typical managed workstations. Talk with the vendors of those devices about their plans to secure the environment in the absence of Microsoft patches. Consider upgrading or retiring XP devices that will not be adequately secured. If that's not an option, then consider additional security precautions (isolating devices, installing additional security software, etc.) that you can take to prevent the loss of confidentiality, integrity, or availability that could accompany a successful exploit.

This would also be a great time to educate your users about the retirement of Windows XP (and Office 2003, whose support is also ending in April) and its security implications. Many of your users (and their parents, friends, siblings) likely have old machines at home running one or both pieces of software. A simple email, flyer, or intranet post explaining what's happening, what it means for security, and what users should do (i.e., get a new computer) is all it takes to help them improve their own security and contribute to the security of the Internet at large. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
independent_forever
50%
50%
independent_forever,
User Rank: Apprentice
12/31/2013 | 2:25:20 PM
re: The Dinosaur In The Room
about time....it was good when it first came out but as with other versions of windows has outlived its usefulness and should go now...as an admin I am tired of patching this outdated OS already....let's move on..
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
12/9/2013 | 2:47:46 PM
re: The Dinosaur In The Room
Excellent article. The retirement and subsequent impacts of Windows XP is difficult for a casual user to fully understand. Many feel the time to buy a new computer is not when the security is low, but when the old one stops functioning properly. The casual computer owner is mainly focused on extending the lifespan and keeping the speed manageable. This is unlike a cell phone, where new models and apps make it enticing to upgrade.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.