
OK, so stick with Windows XP: But how big a risk do you run?

Some organisations intend to keep using Windows XP even in the post-apocalyptic world after Microsoft ends support in 12 months. It's a calculated risk and one they should weigh up carefully.

Even the spectre of security breaches and crashing apps is failing to convince some Windows XP-using organisations to abandon the OS before Microsoft cuts off support in a year's time.

Recent figures from software consultancy Camwood suggest one in five companies using XP plans to stick with it despite the 8 April 2014 deadline, after which no new patches or bug fixes will be issued.

Those organisations may be taking a calculated risk, assuming that Windows XP's longevity means the major vulnerabilities have already been identified and dealt with. But that assumption is misplaced, according to Rik Ferguson, global VP security research at Trend Micro.

"It's a racing certainty that significant new vulnerabilities with XP will be uncovered in the future, if anyone wants to devote their time to it. You'd be a fool to say every possible vulnerability has already been discovered and either mitigated or patched," he said.

Ferguson agreed that the amount of scrutiny and field-testing to which XP, first released to manufacturers in August 2001, has been subjected plays in its favour.

"It should theoretically get progressively more difficult to uncover bugs in a system as widespread as XP. All that field-testing, all that field QA, are going to be far more extensive than anything you could have hoped to achieve in a QA lab pre-release," Ferguson said.

"But, by the same token, because it represents a large target, it will be of continual interest to attackers and security researchers, whether black or white hat," he said.

"With the sprawling amount of code that is Windows XP and its legacy nature - it's not by any token a next-gen operating system - there is a lot of space for vulnerabilities or defects in the code still to exist."

Application-level vulnerabilities

Ferguson pointed out that the security issues don't end with the operating system itself. Even if XP were secure, there might be application-level vulnerabilities.

"It's not just the operating system that's going to be out of support. Almost every application running on it will also no longer be patched because it won't be economically worthwhile for the application vendor," he said.

"When Microsoft drops support, so will the application vendors - if they haven't already. If XP is no longer supported by Microsoft I'd be surprised - I'm not saying it's not possible - to see many vendors offering updates. Do we see updates for Flash for Windows 95? I don't think so."

Ferguson said that in the age of targeted attacks, one of the things attackers assess when doing reconnaissance is the set of operating systems and applications in use within an enterprise.

"If you're using something like [XP], it's absolute gold dust to an attacker because they'll know that any vulnerabilities that have been announced after a certain date will be zero-days for you," he said.

Measures for continued XP use

However, those planning to carry on using XP after the deadline can take certain steps to limit exposure to risk.

"Any security person worth their salt is going to say, 'Bad idea, because it won't get patched'. But I think it's important to say there are things you can do if, as an organisation, you need to continue using XP - whether it's for cost or compatibility reasons with certain applications or even with certain hardware," Ferguson said.

"There are some technologies you could deploy that will allow you to continue using legacy systems, because that is what XP is going to become, like NT has or Windows 2000 even. Probably one of the most important of those is host-based intrusion prevention technology because that is effectively going to allow you to apply a virtual patch to those non-supported environments," he said.

"It will be able to recognise that a vulnerability exists and make that vulnerability difficult or impossible to exploit even in the absence of a patch. So if you are going to carry on using XP, you will have to investigate mitigating technologies like host-based intrusion prevention."

XP's enduring popularity

Ferguson said XP's popularity is partly down to the technology itself and partly to the circumstances that have followed its launch.

"It's been a rocky period financially for a relatively prolonged amount of time and prior to the rocky financial period was Vista, which certainly didn't meet with universal acceptance - let's put it that way," he said.

"Then along came Windows 7 but also along came the recession. Then there's that whole thing of, 'If it ain't broke, don't fix it'. People have got systems that are working and currently supported, so what's the motivation for spending money on upgrading if you don't need to?"

Familiarity with XP

Ferguson said XP is also an operating system format that people are used to and comfortable with.

"If you go back through Mac OS over the same period, the look and feel of Mac OS really hasn't significantly changed either. Whereas Microsoft's model seems to be to do something about the look and feel with every major iteration," he said.

"Whether it's Windows 7 or Windows 8, there are relatively significant changes to the look and feel and maybe people are resistant to that as well."

The factors that have ensured XP's success are now working against those organisations that have stuck by the operating system, according to Ferguson.

"Those people are now going to be in a pretty uncomfortable position because, if they're in an industry that has intellectual property to protect, due diligence says they should be doing all they can to make sure that it's protected. Running a legacy operating system doesn't do that," he said.

About

Toby Wolpe is a senior reporter at TechRepublic in London. He started in technology journalism when the Apple II was state of the art.

60 comments

schm0e

XP was usable by the average human being. Nothing compares to it. The crap that's out there now fails regularly at trying to be all things to all people.

The XP installations I'm familiar with are now bugged out and are nearly useless. The problems began in April 13.

That was when the servant became the master.

andreaborman

Well I use Windows XP and I have never installed any anti-virus software. I just have Windows Defender and I have never had a computer virus, not one.

When Windows XP support stops in April 2014 I may have to stop using it depending on the situation. But I will keep it on my other computer as most of my XP software such as Windows Movie Maker 2.1 and Windows XP sound recorder is on Windows 7.

Most of the software from Windows XP works on Windows 7 and 8. Windows 7 is a lot like Windows XP, it even looks like XP on Windows Classic theme. Windows 8 runs all of the Windows XP software but is not as good as Windows 7.

Andrea Borman.

schm0e

Do you have a network card in that computer?

paul

XP looked and behaved like how a computer GUI should. Vista, Windows 7 and 8 just don't, no matter how much MS try to convince Joe Public otherwise.

ironmikez

I wish Microsoft would take into account how many vendors still do not have a compatible version of their software that works on 8, yet they are trying to make it impossible to pick up a machine running 7. Some of my customers have single-licence software that costs $13k to upgrade per employee. What company owner wants to hear that? And that's just a single software title; none of the VPNs I have in circulation work on IE10... They are jumping the gun and royally pissing people off. I am calling the demise of Microsoft starting now!! Unless they get their heads out of their asses and start delivering a product so many people are against!

radleym

When will you guys stop getting security information from people who have a vested interest in convincing us that our systems are insecure? If you are worried about XP and security, simply run XP in a virtual machine inside Linux, with a firewall and Microsoft Security Essentials. Don't do anything stupid like opening unidentified URLs. In fact, if you have business apps on XP that don't need internet access, keep them on a VM that has no internet access. Access the 'net, and your email, either on another VM or on a Linux host. There's no reason why you can't get years more service out of XP, if you use a little common sense and caution. That said, if you don't have legacy apps that need XP, consider moving up to Windows 7 (or 8 if you can stand the GUI and only use 1 app at a time). It's a little cleaner, a little faster and a little safer than XP.

Twidget0831

We have a section (very large section) still running several hundred XPs connected to the web. We have specialized software that will not run with anything but.

nick

Yes the old FUD card comes back into play once again. It worked for IBM for many years and even though we THINK we have grown up a bit since then, there is still just this little nagging doubt.

rciadan

Virtually every XP PC we have is either offline altogether or on a private subnet with no outside exposure, plus they are so underused it would be a total waste to replace them. I will be spending the next year creating clones of the HDDs so when they fail I can just reload them.

lastchip

As Windows XP reduces in quantity, how many black hats want to bother with it as Windows 7 then becomes the prominent system? Taking it a stage further, how vulnerable would you be with Windows 98 now that almost no one uses it? Every system you use is a risk and I can't help thinking much of this propaganda is peddled by parties that will gain financially from migration. Please don't misunderstand this post, I'm not claiming there isn't a risk, just trying to evaluate how high that risk really is. It seems to me, as operating systems become steadily more secure, the attack vectors are changing and therefore you could be equally at risk with Windows XP, 7 or 8. If you're really that concerned about risk, then use Linux as I do, or a Mac, which while becoming more of a target, is much less of one than the Windows family.

Tonyandoc

If XP use after MS disengages is to be DIY, does the devotion to the OS not represent an opportunity for some lateral-thinking third party or parties? Security software vendors will know how many of their customers are using XP and could deliver a service to users through existing connections.

Mr. Jonas

XP users will not be PCI compliant with credit cards!

Slayer_

Since a lot of the virus attacks are done through social engineering, a new virus in XP is like pissing into an ocean of piss. And Microsoft releasing a patch to XP is like taking a travel mug, filling it with this ocean water and saying, well, now there is less water to worry about.

pIman

I know. We're dinosaurs. Not only have we recently bought two refurbished computers specifically because they run Windows XP, but we also use WordPerfect and Lotus 1-2-3. However, this situation suits us fine. We know how to use XP and these ancient programs, they do everything we currently need to do and moreover they run efficiently. The computers have a minimum of bloatware and crapware on them. We transfer data using flash disks. The computers are rarely restarted (except when there are power failures, which unfortunately happens from time to time in our part of the world), but only hibernated overnight, which makes for a super quick start-up in the morning. The key to the success of this practice is that these computers (unlike the one used to write this note, which runs slooowly under Windows 7) are not connected to the internet. According to my reckoning, this reduces the chances of malware infection to virtually zero, since we also don't allow any penetration by foreign data sticks. Are we in a very small minority - one, perhaps?
