
Windows XP is a much greater risk than Heartbleed

Heartbleed has dominated headlines for over a week, but that one vulnerability pales in comparison to the threat from hundreds of millions of Windows XP systems.

Windows XP is worse than Heartbleed

You've probably noticed that the Heartbleed vulnerability in OpenSSL has gotten a ton of attention. You know a computer security issue is a big deal when even local news and late night TV hosts are talking about it. Despite the hype and hoopla, though, there's another threat out there that makes Heartbleed seem trivial by comparison: Windows XP.

Heartbleed is significant because it could enable an attacker to expose or intercept sensitive information that should be encrypted. It's a big deal when things like passwords and credit card information can be easily compromised. Andrew Storms, senior director of DevOps for CloudPassage, told me, "This is probably one of the more serious bugs I've seen in my 15 years of working in the security industry," and that sentiment has been echoed by a number of security experts.

So, what makes Windows XP a bigger security concern than Heartbleed? The same reason that the expiration of support for Windows XP was not a "Y2K" event, as some had described it.

When April 8, 2014, passed by and Windows XP machines continued working just like the day before, and the world didn't come to a crashing halt, there were probably many businesses and individuals stubbornly continuing to use Windows XP who thought -- or possibly even said out loud -- "See? I told you it wasn't a big deal." However, that smug hubris will eventually come back to bite them and will have security implications for the rest of us who share the internet with them as well.

Just as Y2K was a specific event, Heartbleed was just one vulnerability. It was identified, a patch was developed, and the world was put on notice. Now, we can move on. It was an isolated moment in time.

Windows XP, on the other hand, is now a permanent, ongoing "zero day" vulnerability. If attackers are smart and stealthy, we may not even know how many vulnerabilities are discovered in Windows XP from this point on -- or how critical they are. There won't be any more patches or updates, so it's permanently at risk.

We need to stop looking at security as a thing and more as a process -- it is a verb, not a noun. There's an ongoing circle of life where weaknesses and vulnerabilities are discovered and corrected in a co-evolution of attackers and defenders.

"XP, on the other hand, has stopped evolving and any vulnerability discovered from April 8, 2014, into the future will remain a danger to everyone connected to the Internet," declares TK Keanini, CTO of Lancope. "The only solution for XP at this point is to make it go away -- rid it from existence. Everyone needs to do their part to get rid of it, because if we don't, in this connected world, it will ultimately be a bad thing for everyone."

Tim Erlin, director of IT security and risk strategy for Tripwire, shared some thoughts as well. "No one is surprised by the Windows XP risk. Still, the risk presented by XP is going to get worse over time, not better. As a risk, Windows XP is much harder to mitigate than Heartbleed because replacing an entire platform is a more difficult task than updating a library."

I spoke with Evolve IP CTO Scott Kinka, who explained the root of the problem. He told me, "At this point, our best prospects are actually our worst customers."

To put it another way, the companies and individuals who most need the wakeup call about Windows XP are also the least likely to hear it or take action. Many cite financial reasons as a justification for not upgrading off of Windows XP, or investing in some sort of managed solution or virtualization platform to continue using Windows XP more securely, but the simple reality is that there will also be a significant cost of continuing to use Windows XP. At this point, spending no money isn't really an option -- it's just a matter of whether you spend the money to proactively address the situation or spend it cleaning up the mess after it's too late.

Keanini summed up the pervasive threat of Windows XP: "Hunt down expired versions of XP and terminate it!"

Do you agree that Windows XP poses a bigger security risk than Heartbleed? Share your opinion in the discussion thread below.

About

Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology and information security. He writes regularly for Forbes and PCWorld, and contributes to a wide variety of online and print media outlets. He...

Jow Below

Total crock. The US government is getting extended support.  MS wants to frighten the population towards 7 & 8 for sales purposes and because the newer OSs have more NSA backdoors.


XP is still reliable and viable.  The only downer is third party companies are dropping support.  Other than that, that OS works just fine.


If people are freaking out over Heartbleed, it's not an XP, 7 or 8 issue.  It's the job of the security architecture to remedy.  Let's give the XP fearmongering a rest already!

dogknees

Simple question for those that want support for XP to be continued.


How long? If 10 years is not a reasonable timeframe, what is? As a guide, how long do you continue to update your products at no cost to the customer?

sbarman

THE SKY IS FALLING! THE SKY IS FALLING!

Y2K BUG WILL DESTROY EVERYTHING!

GPS WILL OVERRUN ITS CLOCK AND GIVE WRONG DIRECTIONS!

THE SKY IS FALLING! THE SKY IS FALLING!

Gisabun

A really dumb article. Of course Heartbleed will be less of a risk than Win XP. If not already, Heartbleed will be fixed by every site. Win XP can't be fixed. Already MS released an advisory for a new IE bug. So IE 7 and later for Win Vista and later will be fixed but not anything on IE.

Soon there will be other vulnerabilities. Malware writers will see a problem that was fixed and will see if Win XP has the same issue [knowing it won't be fixed].

GsyMoo

It's alright, since I heard about the "XP Risk" I only do my shopping and banking on my Stock Android

lowprofile

Well, I guess I will go on EBay and buy myself a fresh copy of XP to keep and going to install it on one of my laptops because there is nothing wrong with it. Guess what? I went to the pharmacy a couple of days ago to pick up my prescription and guess what OS the Pharmacy staff was using? Windows XP.

P.S.

Windows XP is selling like hot cakes on EBay; I would suggest that you order yourself a copy. Also, don't pay attention to people who have fallen for the money gouging and sneakily helping the NSA tactics of Microsoft. Windows XP doesn't have an easily accessible back door to the NSA and the NSA knows it! Microsoft is doing everything they can to move people off of XP because they are probably getting hush-hush money and perks from the NSA.

rtillx4

Give me a freaking break. It is all about the dollars! MS can not sell you a new OS if you think your old one is okay. 

And windows eight (up with the dumb A) is a joke, especially on a desktop or non-touch laptop. I can paint my washing machine a different color, and hook it to an automatic timer and call it a new and improved version, but it still just cleans clothes. 

All those way smart people that work for MS can't figure out that we do not want new and changed, we want better but familiar. Don't fix it if it ain't broke.

What if language was like an OS? You have to learn a new way to talk every few years? Do you think that would hold you back at all? Of course it would, and we would all just keep talking the same way we have since shortly after birth.

chris-b

As head of IT for a smallish business that still relies on some old 16-bit DOS stuff,  I thought that we were going to need to stay on XP, but it turns out that 32-bit Windows 7 runs most 16-bit programs just fine. Windows 7 64-bit might as well be a brick for most of our operational tools, but we're buying refurbed boxes with Intel Core2 Duos for about $150 with an OEM Win7 license and they are so much better than our old XP boxes with practically no learning curve.


So I'm on board now. @ADarkAria, you might give that a try - it just might help you as well.

ADarkAria

Just purchased a brand new full retail version of XP Pro...just in case I ever need to reinstall to a new hard drive if my existing one crashes and burns.  That way I'll be able to install it on ANY drive I decide to purchase...AT MY DISCRETION and ON MY TIMELINE...

Oh...and I'll be continuing to use all the frigging, costly software I rely on that won't run on Win 7 or 8...or 8.1...or 9...or 15...or 203...or whatever MS chooses to screw customers with based on THEIR TIMELINE and bottom-line.  NSA..."touch" that!


MS had such a fabulous opportunity to turn this situation into another avenue of profit but instead opted to flip off many, many consumers telling them to "Kiss My @$$!"  A poor business model, horrible judgement, and proof that MS could care less about the needs of a variety of customers, the actual market.  No, MS has elected to drive the market down their one-way path!  Seems like there should be room for everyone...  They'll keep supporting it for China...but not the U.S.  hmmmm......  What made us so "lucky?"


It appears MS even has shills like the author of this article who will threaten, insult and strive to drum up a "Sky-is-Falling" mob against non-conformists ...in an effort to try to shame and re-engineer everyone onto MS's bandwagon under pain of browbeating.  Give me a break!

wjkahlssmd

For MS to just throw up their hands and abandon the CLOUD with such a "security risk" is incredible. I think that they are trying to force the hand of government to pay for the updates...They have created something that will live on for another decade in low income areas of the world. There has to be a way to recompense MS for the expense of keeping the rest of us safe.


I own many systems... from Win 3.1 to and including Win8. I write software for all of them.

neoquon

Without updates, people will be looking for loopholes in XP and attacking it knowing the loophole won't be patched. This creates a certain risk for XP users. If your computer is not going to be connected to the internet then XP is fine.

rsbarve

THERE IS A GOOD OPPORTUNITY TO PROVIDE  SECURITY SUPPORT TO WINDOWS XP which is a good system for PCs of low end not costing a fortune. 

hirussellsmith

Windows XP becomes vulnerable due to end of support from Microsoft's end. The biggest threat is intrusion that may damage your organization's backbone.

mikifinaz1

Well, Microsoft has been slowly Pis**** me off and I have finally reached the point where I can dump all MS products. With XP dead I can now fully shift over to Linux Mint. For over a year now I have been reading about Linux and practicing with it on a dual boot system (more help than I got when Windows (DOS to Win X... name a version) was dumped on an unsuspecting public) and it is time to take off the training wheels. You know you can get real good deals on PCs out of Europe and they will actually install whatever Linux distro you want and the support is nicer too. So I guess I am also kissing off Dell, HP, eMachines etc. as well.

Good riddance MS, you can kiss my hind parts...

Joshua Morden

If you're using it online, then there is definitely a problem.

kitekrazy

I guess MS will say anything to try to get someone to move "up" to that loser OS called Windows 8.

mike.gordon

I wonder if Microsoft could have made as much money just offering a quarterly fee for upgrades to its OS and Essentials instead of . It could still have been called XP and kept a choice of UI and saved all those unbelievably complex licensing policies they use for corporate users that used to drive me to distraction.

They wouldn't have had to release new versions of Office and swap the UI about and pretend it was a brand new product. We could all just have got on with our own business, be it home or business users.

I know this is very simplistic but it would have kept users onside for longer and saved a fortune in unnecessary retraining on how to use Office on each release.

Marvin Biel

I don't agree... if you use it for home use only there's no problem with that... and some users use PCs that were compatible only with XP or an old OS, especially low specification computers...

cd.thomassin

When I purchased XP I bought only the right to use it, not the piece of software itself. If it becomes a threat because MS stops servicing it, it is not my fault, as XP continues to do the job I bought it for, but MS's fault. Or they should provide the piece of software which serves my purpose and does not expose anyone else to a threat, but FOR FREE. Why should I pay to protect the community? I am not paid for it, and it is not my responsibility. IT IS MS'S RESPONSIBILITY!

leo8888

Can someone please explain why using XP is such a risk if the user only uses a modern browser like Firefox or SeaMonkey with up to date plugins and a decent active antivirus? Aren't most attacks through infected websites opened from Internet Explorer? Just want to get more opinions on the technical aspects of the risks of using XP.

john.a.wills

"justification for not upgrading off of Windows XP"... off WHAT of Windows XP?

dwliberty

So I am not a 'techno nut' but I use my computers as tools for my personal life and business. How about purchasing some good antivirus software and maybe even some internet security software? There is a lot out there such as Kaspersky, Norton, McAfee and such. Would that keep my system 'safe', whatever that is? I found some that will run on my XP laptop and my Vista laptop.

Treknology

I respond to this in the same way as about two weeks ago.


There are two reasons to attack XP-specific machines:


a) Sleeper bugs for co-ordinated DDOS attacks etc., which when it comes to the real percentage of XP machines out there is probably no longer viable.


b) Self-indulgent "geniuses" who will have already moved on to the higher challenges of Win 8.1 SP1 because sitting in the corner smugly grinning about mass damage to XP machines is no longer adequately rewarding.


Yes, I'm side-grading because I have to remain market-compatible, but my off-the-net XP machines will remain as useful as my 98SE machines, and my DOS 3.3 genuine PC/AT.

Network Doctor

Another thought: Windows XP is a 13 year old OS that was supported by Microsoft for all those years. I am tired of hearing that the media or Microsoft or security experts are trying to scare "you" into upgrading, or that Microsoft is out to just make money. Longest supported OS so far. No one is trying to force you to do anything; it is just time to upgrade. XP had a great run. 13 years, people, time to let go!!!

Pronounce

This article probably says more about Pop-media than it does about IT security. Those in the know, and the passionate don't need (or want) to be convinced (and I believe some of these type just like to argue). Really the point is the people who would never read TechRepublic (or tech anything for that matter). The vast majority of people that this article applies to are not a part of this group.


So I propose something radical. Why not have our government security agencies use a piece of their vast Publicly owned resources to use the same vulnerabilities (Windows XP, Heartbleed, etc.) to track down the criminals stealing the public's data and shut them down?

Billb114

I agree that Microsoft would just LOVE us all to believe XP is worse than Heartbleed.  They're probably selling vulnerability secrets as I type this! Me, I'm not upgrading anytime soon. When I do get tired of XP I'll be switching to Linux.  

berniesa

Why not call MS for what they look like and investigate deeply. It smells, crackles, waddles, etc. like a protection and extortion racket.

radiogeorge

I hate this mess. I guess I'm what can be called an intermediate level user, and my take is that for the immediate future, using XP is OK, but there likely will come a time when the professional hackers will likely cause XP to become unusable.


But you know what? The solution -- at least the one I am using -- is simply NO BIG DEAL!


I bought a new laptop with Windows 8.1 on it. It is connected to the Internet and I use it for whatever I need to be connected to the Internet to do. I yanked the internet connection to my trusty desktop with Windows XP Pro and it will continue to work just fine, and will not be subject to the "invasion" of the lurking bad guys. I don't have to spend lots of bucks and take huge amounts of time to change my way of working which, so far, has never generated any complaints or problems.


I hooked up a powered hub and a KVM switch, and added 3 external hard drives (the 500 GB to 1 TB ones) so data transfer is not a problem for stuff I need to download and upload.


I think I'm one of a lot of computer users still using, for example, Word 2000. I write notes, the occasional letter, and very simple stuff and have simply never needed to upgrade to Microsoft's upgrades which contain features I just don't use and never will. "New and improved with more features" seems to mean "more bloat and higher price tag" for MS. No paranoia, just common sense: the world of computers provides the absolute best examples of planned obsolescence in the world of business.


Couple other points: first, all that MS says about Windows 8.1 just ain't true. I am able to run Word 2000 on the Windows 8 computer flawlessly (which they say can't be done) and even FrontPage 2002! No special add-on needed or emulator programs. I have several other oldies but goodies that work just fine on Windows 8.1. The easy how-to is explained on various websites.


Finally, I WILL have Windows XP Pro for as long as I want. I bought the pro installation package which comes with all Service Pack components through SP3 on eBay for $130. This enables installation on multiple computers without hassle (and yes it is 100% legit; it was designed for repair shops and retail stores), so if my "XP computer" craps out, I'll still have the means to crank up another one and continue as usual.


Yes, it will take a little extra money, but don't we all seem to find that cash when it comes to something we really like? 

Tiger-Pa

Thank God Henry Ford wasn't as stubborn as most of the commenters on here or we would still be driving horse-drawn carriages on dirt roads.

roger

This comment section appears to have become a venting session for all that is XP...

The bottom line is, there are going to be instances where XP machines can be used and will continue to be useful. However, like it or not, life moves on, times change, OS's continue to be developed/refined. Despite all the vehemence displayed in the comments below Win7 and Win8 are all currently being used at our place of business, and the transition from XP was relatively painless... and life goes on... 


I normally enjoy reading through the comment section because I learn facts about the original article that the writer may have omitted or gotten wrong...nuggets of wisdom if you will.... As for OS's I tend to be fairly pragmatic...


In these posts, for the most part, I only see people who have become so enthralled with an outdated OS that it borders on worship... show me the facts and I will listen, but don't keep spouting off the anti corporation, anti MS or anti anything non-XP and make it sound like truth... Face it, you feel so strongly about it because you believe it with every fiber (even if the facts don't support your beliefs), not because it's true. There are a lot of religions out there with many followers in the same boat as you.... Starting to sound like the iFanboys!

Network Doctor

What the article forgot to mention is that XP will not go away any time soon. Microsoft in its infinite wisdom added Windows XP to Windows 7 (virtual XP built in). We have found many, many exploits running XP this way. So all the people that moved from Windows XP on a physical machine running Windows XP only software just moved to Windows 7 with Windows XP in virtual mode and still have the same security problems, maybe more. Microsoft needs to remove Windows XP virtual from Windows 7 or support Windows XP until end of life of Windows 7. In other words, very bad move by Microsoft on Windows 7 to have Windows XP built in.

rchiandotti

By the way, don't forget the worst threat on the internet is the NSA, producing a lot of gaps in the OS world; even Microsoft knows and consents.

A41202813GMAIL

Thank You.


I Was Worried.


If XP Is Worse Than HEARTBLEED, Then I Can Finally Take A Breather.


XP, FOREVER !


red5mec

Although I think the situation should be taken seriously, let me just say that I had an old PC (P4) with XP running on it brought to me because it would not boot. On investigating the problems it had, I found it had not been updated for years. It had SP2 still running. Auto updates and the firewall were turned off. It had no anti-virus software installed on it. But its issues were minor. It had six or so minor viruses on it. The booting problem had nothing to do with a security issue. I cleaned it up, updated the SP and all the MS updates that were out there. I did the usual tuneup stuff. That PC was running great when I gave it back to the guy. I gave him the spiel about how dangerous it is to still be running XP and he needs to update to 7 or 8 (which means he has to buy a new PC, of course), but down deep I just do not believe it is going to be the catastrophic problem some are making it out to be.


I do the spiel but if a person takes reasonable caution while online I think XP will survive for quite awhile.


Oh...and obviously XP is not obsolete.  Otherwise MS would not be letting the Chinese or the bankers continue to receive updates for their XP devices.  If MS is willing to let bankers keep using XP embedded in ATM machines which are designed to transfer individual's financial data, how can anyone call that an insecure OS?  It is all about pushing users to the "new" OS's.  It should be taken seriously because MS is going to see that XP users move on however they can force it to happen.

tvmuzik

To the publishers of this chicken-little article: Seriously, how much did Microsoft pay all you media outlets to drool this new anti-XP propaganda!  You sound like a bunch of teenie-bopper girlie whining spoiled brat high-school girls in a mall: "Ew, Like, you'd better upgrade your makeup or else, Like, your face will, Like, Ex-PloOode and splash blood all over us".


Hmmm, wait a sec, you sound like spoiled brat college-grad rookie yuppies "the internet belongs to us Win8 users... if our machines get online attacks, we can scapegoat all the XP users in the world who still have the audacity to log on our internet".

Hmmmmm, wait a sec, oh forget it, never mind, you know what I mean- so don't feign naivete, okay.

In case you're still queen of denial, Cleo, reminder: we still have many ATMs and banks online all around the world still running on XP.  The government in the U.K. signed a £5.548 million contract with Microsoft for a year’s worth of Windows XP support (good until April 2015).


As for the average joe sittin at home still using XP, average joe doesn't give a rat's mass what the rest of you chicken-littles are doing to upgrade to the latest greatest OS.  Average Joe will upgrade his OS however he sees fit and whatever will work best for him.  I have three machines: two Offline running XP, and my third machine goes Online running Win7.  I have ways to work around all the XP Hate, and many options for upgrades to my machines and software; and I really do not necessarily have to use Microsoft to do all that.

I'm glad this paranoid article made it to my inbox! Oh by the way, I lied: I have a fourth machine... it's my dusty old Dell GX110 machine super-tweaked and super-freaked all the way to its max... it still has XP service pack 2 running in it.... and I will connect it to your internet. 

You afraid your internet will get, Like, hacked and attacked because I'm still, Like, using XP?

...Good! I hope your face exploOodes!

bitonw

nonsense; with the right precautions you can still run WinXP.

- don't use WinXP for bank or other sensitive business

- logon only as limited user

- install a third party security scanner (avast)

- use any auto updating browser like Firefox / Chrome


Gisabun

@lowprofile Unsure why selling like hotcakes except maybe the people who don't like anything since are buying spare copies. And how do you know there is no backdoor for Windows XP? If anything, Win XP is less secure. Seems you are a conspiracy theorist. [Next you will say the moon is not round.]

Gisabun

@ADarkAria Huh? If you have an OEM copy installed on a system [from Dell, HP, etc.] and the disk crashes, you can use the same serial number provided or use the image included.

lowprofile

Exactly. There is nothing wrong with Windows XP and this is just a way that Microsoft can try to get more money for that freak show of an OS called Windows 8, and all it is is just a back door to the NSA.

rabit949

@cd.thomassin I am not so certain you understand what exactly it is you had purchased. If you really did only pay for a "right" to use XP, that seems more like some agreement you have between you and whomever you paid for the software. When XP was initially released, it had an end-of-support date and life cycle timeframe, which they extended to that April 2014 date (originally it was due to end support earlier). Windows 7 and 8 also have life cycles, due to expire just down the road as well. You may think it is unfair, but you have to understand that it is YOUR responsibility to keep your DATA safe. XP most likely will continue to function for most intents and purposes, but I personally do not recall anywhere where Microsoft said they are offering to protect and secure their XP SOFTWARE (for running your applications) for the rest of your life or until you are happy : ] Lol

JazzGuyy

@leo8888 It is a risk because there are often time lags between when the bad guys discover a vulnerability and the security software makers can update their products to provide protection. These gaps, which can be as long as months, allow your computer to be compromised. Once malware is on your computer it may be used to generate spam or further spread malware to others' computers so you are not the only one at risk of being affected. No one has yet figured out how to build security software that anticipates problems and stops them. Even the so-called heuristics in some security software is only partially effective.

csumbler

@leo8888 Because Microsoft, like the auto industry, relies on planned obsolescence to keep the cash rolling in. Keeping an old OS is akin to keeping your perfectly good car for 12 years and counting. Sure it doesn't have the bells and whistles of a shiny new car. How safe it is (excluding GM of course) is up to the operator. It's in Microsoft's financial interest to employ media scare tactics such as this to help their financial bottom line.

jana.squires

The problem with this is just having anti-virus protection is not enough. Any security vendor worth its salt will tell you to ensure the OS is patched. The anti-virus will catch known malware, and maybe even recognize suspicious file behaviour but when there are no patches to support OS vulnerabilities, then you are operating at your own risk.

tomi01

On the same note, Henry Ford wasn't stupid enough to take cars with a steering wheel and try to change it into a scooter or a joystick to drive with instead and expect people to want to drive the car without issues and fatalities.....

dbryce

@rchiandotti Sorry - I disagree - the worst threat on the internet is big data - and uneducated users whose sole driving focus seems to be convenience, not protecting themselves.

Network Doctor

@bitonw I wouldn't use Chrome even if you paid me. Read the EULA very carefully. Chrome is a huge security risk. Google states anything you type in the browser is their data and can be used for anything. So that password you typed is theirs. That on line form you filled out with your SSN is theirs.

JazzGuyy

@tomi01 Actually Henry Ford's first cars had tillers and not steering wheels. He also kept strange gear shifting and other things in the Model T long after most everyone else adopted other approaches.
