
OK, so stick with Windows XP: But how big a risk do you run?

Some organisations intend to keep using Windows XP even in the post-apocalyptic world after Microsoft ends support in 12 months. It's a calculated risk and one they should weigh up carefully.

Even the spectre of security breaches and crashing apps is failing to convince some Windows XP-using organisations to abandon the OS before Microsoft cuts off support in a year's time.

Recent figures from software consultancy Camwood suggest one in five companies using XP plans to stick with it despite the 8 April 2014 deadline, after which no new patches or bug fixes will be issued.

Those organisations may be taking a calculated risk, assuming that Windows XP's longevity means the major vulnerabilities have already been identified and dealt with. But that assumption is misplaced, according to Rik Ferguson, global VP security research at Trend Micro.

"It's a racing certainty that significant new vulnerabilities with XP will be uncovered in the future, if anyone wants to devote their time to it. You'd be a fool to say every possible vulnerability has already been discovered and either mitigated or patched," he said.

Ferguson agreed that the amount of scrutiny and field-testing to which XP, first released to manufacturers in August 2001, has been subjected plays in its favour.

"It should theoretically get progressively more difficult to uncover bugs in a system as widespread as XP. All that field-testing, all that field QA, are going to be far more extensive than anything you could have hoped to achieve in a QA lab pre-release," Ferguson said.

"But, by the same token, because it represents a large target means it will be of continual interest to attackers and security researchers, whether black or white hat," he said.

"With the sprawling amount of code that is Windows XP and its legacy nature - it's not by any token a next-gen operating system - there is a lot of space for vulnerabilities or defects in the code still to exist."

Application-level vulnerabilities

Ferguson pointed out that the security issues don't end with the operating system itself. Even if XP were secure, there might be application-level vulnerabilities.

"It's not just the operating system that's going to be out of support. Almost every application running on it will also no longer be patched because it won't be economically worthwhile for the application vendor," he said.

"When Microsoft drops support, so will the application vendors - if they haven't already. If XP is no longer supported by Microsoft I'd be surprised - I'm not saying it's not possible - to see many vendors offering updates. Do we see updates for Flash for Windows 95? I don't think so."

Ferguson said that in the age of targeted attacks, one of the things attackers assess when doing reconnaissance is the set of operating systems and applications in use within an enterprise.

"If you're using something like [XP], it's absolute gold dust to an attacker because they'll know that any vulnerabilities that have been announced after a certain date will be zero-days for you," he said.

Measures for continued XP use

However, those planning to carry on using XP after the deadline can take certain steps to limit their exposure to risk.

"Any security person worth their salt is going to say, 'Bad idea, because it won't get patched'. But I think it's important to say there are things you can do if, as an organisation, you need to continue using XP - whether it's for cost or compatibility reasons with certain applications or even with certain hardware," Ferguson said.

"There are some technologies you could deploy that will allow you to continue using legacy systems, because that is what XP is going to become, like NT has or Windows 2000 even. Probably one of the most important of those is host-based intrusion prevention technology because that is effectively going to allow you to apply a virtual patch to those non-supported environments," he said.

"It will be able to recognise that a vulnerability exists and make that vulnerability difficult or impossible to exploit even in the absence of a patch. So if you are going to carry on using XP, you will have to investigate mitigating technologies like host-based intrusion prevention."
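To make the "virtual patch" idea concrete, here is an added example (my own illustration, not code from the article or from Trend Micro): a small Python filter that sits in front of a legacy request handler and blocks requests matching rules that describe the condition under which an unfixable bug is reachable, which is what host-based intrusion prevention does in front of an application that will never receive a vendor fix. The legacy handler, the rule set and the sample requests are all constructed for the demo; the canonicalisation step shows why such rules must normalise input before matching, since a rule that matches raw bytes is bypassed by encoded variants.

```python
"""Added example: a minimal 'virtual patch' filter in front of an
unpatchable legacy handler.  Everything here (handler, rules, traffic)
is constructed for the demo and is not a real product's rule set."""
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Request:
    """A constructed, simplified HTTP-style request."""
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def legacy_handle(req: Request) -> str:
    """Stand-in for the unsupported legacy application (hypothetical)."""
    return f"served {req.path}"


def canonical_path(path: str) -> str:
    """Decode percent-encoding (twice, to catch double encoding) and
    unify separators before matching, so the rule sees the same form the
    legacy code would act on rather than the bytes on the wire."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/")


# Each rule names the condition under which a (hypothetical) unpatched bug
# becomes reachable; the filter blocks such requests before legacy code sees
# them.  Rules are checked in order and the first hit decides.
RULES = [
    ("traversal", lambda r: ".." in canonical_path(r.path).split("/")),
    ("long-header", lambda r: any(len(v) > 256 for v in r.headers.values())),
    ("big-body", lambda r: len(r.body) > 4096),
]


def virtual_patch(req: Request, rules=RULES):
    """Return ("blocked", rule_name) or ("allowed", legacy_response)."""
    for name, triggered in rules:
        if triggered(req):
            return ("blocked", name)
    return ("allowed", legacy_handle(req))


def run_demo():
    """Constructed sample traffic: two benign requests, three that hit a rule."""
    samples = [
        Request("/reports/q1.xls"),
        Request("/index.html", headers={"Host": "legacy.example"}),
        Request("/static/%2e%2e/%2e%2e/config.txt"),            # encoded traversal
        Request("/login", headers={"User-Agent": "A" * 300}),  # oversized header
        Request("/upload", body=b"\x00" * 5000),               # oversized body
    ]
    results = [virtual_patch(s) for s in samples]
    for s, (verdict, detail) in zip(samples, results):
        print(f"{verdict:8} {s.path:36} {detail}")
    return results


if __name__ == "__main__":
    run_demo()
```

Real host-based intrusion prevention products apply the same pattern at the kernel, network-stack or application layer with vendor-maintained signatures. The point the example makes is that the protection is only as good as the rule's description of the vulnerable condition, so the rule set needs the same ownership and update cadence that a patch stream would have had.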

XP's enduring popularity

Ferguson said XP's popularity is partly down to the technology itself and partly to the circumstances that have followed its launch.

"It's been a rocky period financially for a relatively prolonged amount of time and prior to the rocky financial period was Vista, which certainly didn't meet with universal acceptance - let's put it that way," he said.

"Then along came Windows 7 but also along came the recession. Then there's that whole thing of, 'If it ain't broke, don't fix it'. People have got systems that are working and currently supported, so what's the motivation for spending money on upgrading if you don't need to?"

Familiarity with XP

Ferguson said XP is also an operating system format that people are used to and comfortable with.

"If you go back through Mac OS over the same period, the look and feel of Mac OS really hasn't significantly changed either. Whereas Microsoft's model seems to be to do something about the look and feel with every major iteration," he said.

"Whether it's Windows 7 or Windows 8, there are relatively significant changes to the look and feel and maybe people are resistant to that as well."

The factors that have ensured XP's success are now working against those organisations that have stuck by the operating system, according to Ferguson.

"Those people are now going to be in a pretty uncomfortable position because, if they're in an industry that has intellectual property to protect, due diligence says they should be doing all they can to make sure that it's protected. Running a legacy operating system doesn't do that," he said.

About

Toby Wolpe is a senior reporter at TechRepublic in London. He started in technology journalism when the Apple II was state of the art.

57 comments
schm0e

XP was usable by the average human being. Nothing compares to it. The crap that's out there now fails regularly at trying to be all things to all people.


The XP installations I'm familiar with are now bugged out and are nearly useless. The problems began in April 13.


That was when the servant became the master.

andreaborman

Well, I use Windows XP and I have never installed any anti-virus software. I just have Windows Defender and I have never had a computer virus, not one.

When Windows XP support stops in April 2014 I may have to stop using it depending on the situation. But I will keep it on my other computer as most of my XP software such as Windows Movie Maker 2.1 and Windows XP sound recorder is on Windows 7.


Most of the software from Windows XP works on Windows 7 and 8. Windows 7 is a lot like Windows XP, it even looks like XP on the Windows Classic theme. Windows 8 runs all of the Windows XP software but is not as good as Windows 7.

Andrea Borman.

paul

XP looked and behaved like how a computer GUI should. Vista, Windows 7 and 8 just don't, no matter how much MS try to convince Joe Public otherwise.

ironmikez

I wish Microsoft would take into account how many vendors still do not have a compatible version of their software that works on 8, yet they are trying to make it impossible to pick up a machine running 7. Some of my customers have single-licence software that costs $13k to upgrade per employee. What company owner wants to hear that? And that's just a single software title; none of the VPNs I have in circulation work on IE10... They are jumping the gun and royally pissing people off. I am calling the demise of Microsoft starting Now!! Unless they get their heads out of their asses and start delivering a product so many people are against!

radleym

When will you guys stop getting security information from people who have a vested interest in convincing us that our systems are insecure? If you are worried about XP and security, simply run XP in a virtual machine inside Linux, with a firewall and Microsoft Security Essentials. Don't do anything stupid like opening unidentified URLs. In fact, if you have business apps on XP that don't need internet access, keep them on a VM that has no internet access. Access the 'net, and your email, either on another VM or on a Linux host. There's no reason why you can't get years more service out of XP, if you use a little common sense and caution. That said, if you don't have legacy apps that need XP, consider moving up to Windows 7 (or 8 if you can stand the GUI and only use 1 app at a time). It's a little cleaner, a little faster and a little safer than XP.

Twidget0831

We have a section (very large section) still running several hundred XP's connected to the web. We have specialized software that will not run with anything but.

nick

Yes the old FUD card comes back into play once again. It worked for IBM for many years and even though we THINK we have grown up a bit since then, there is still just this little nagging doubt.

rciadan

Virtually every XP PC we have is either offline altogether or on a private subnet with no outside exposure, plus they are so underused it would be a total waste to replace them. I will be spending the next year creating clones of the HDDs so when they fail I can just reload them.

lastchip

As Windows XP reduces in quantity, how many black-hats want to bother with it as Windows 7 then becomes the prominent system? Taking it a stage further, how vulnerable would you be with Windows 98 now that almost no one uses it? Every system you use is a risk and I can't help thinking much of this propaganda is peddled by parties that will gain financially from migration. Please don't misunderstand this post, I'm not claiming there isn't a risk, just trying to evaluate how high that risk really is. It seems to me, as operating systems become steadily more secure, the attack vectors are changing and therefore you could be equally at risk with Windows XP, 7 or 8. If you're really that concerned about risk, then use Linux as I do, or a Mac, which while becoming more of a target, is much less of one than the Windows family.

Tonyandoc

If XP use after MS disengages is to be DIY, does the devotion to the OS not represent an opportunity for some lateral-thinking third party or parties? Security software vendors will know how many of their customers are using XP and could deliver a service to users through existing connections.

Mr. Jonas

XP users will not be PCI compliant with credit cards!

Slayer_

Since a lot of the virus attacks are done through social engineering, a new virus in XP is like pissing into an ocean of piss. And Microsoft releasing a patch to XP is like taking a travel mug, filling it with this ocean water and saying, well, now there is less water to worry about.

schm0e

Do you have a network card in that computer?

aidemzo_adanac

How can you possibly decide what a paradigm for a GUI is? What is one GUI "advantage" provided by XP that Win7 and 8 don't have?

aidemzo_adanac

Don't forget when you first heard it: ironmikez on April 10th said MS is facing an inevitable demise. You heard it all here first! Every other person who has said it over the last 20 years was wrong, but ironmikez knows the industry!

aidemzo_adanac

You are no pioneer, people have been calling that shot since the mid 80's. One day SOMEBODY MAY be right, but I wouldn't hold your breath, chances are it won't happen in your lifetime. The closest they got to a public lashing was when they released XP, it was a laughing stock, the most bug ridden and insecure OS to date, by ANYONE, but today it's the lifeblood of so many who simply forget what development is or weren't around to remember early XP garbage. Everyone had to undergo expensive upgrades or replace with new machines. It was a horror show, with the hardware compatibility system that basically nothing passed unless a new PC. People just like you were complaining that legacy software wasn't compatible and that MS was a sinking ship for not accommodating THEIR company. Sure Win8 has issues, I don't know why people that MUST buy it (lack of Win7 availability), don't just run it in Windows 7 mode. It looks and feels the same, without the goofy MS Apps store BS.

M Wagner

... but they too have known since 2007 that change was coming and they have had a viable solution since Windows 7 shipped in 2009. Windows 7 offers XP Mode to address this very issue, and, regardless of whether or not you can find Windows 7 at your favorite Big Box store, you can find Windows 7 systems all over the Internet. Microsoft has long-standing policies regarding the retirement of support and Windows XP support was already extended to 2014 when Windows 7 shipped. The bottom line is that, one way or another, five years is plenty of time for a software vendor to address their compatibility issues with Windows 7. Not doing so risks their business. Similarly, the end user has had plenty of time to put together their own mitigation strategy for moving away from their dependence upon Windows XP and any software which is dependent upon XP but will not run under Windows 7 XP Mode.

rcosby

I have had no problems buying machines with Windows 7 installed. If you avoid the consumer space, almost every vendor will allow you to pick 7 Pro as your OS.

ironmikez

*STOP delivering a product so many people are against!

glenborj

Keep auto-updates off, creator will inject trojans and stuffs to push you on buying new OS. Proven...

M Wagner

... but once Microsoft stops looking for vulnerabilities, they will only be discovered by hackers and they will be used - and perhaps discovered way too late. Windows XP users have known for years that this day was coming. There has been plenty of time to plan to move forward. The risk is yours, and no one is going to provide free solutions to mitigate the risks of a newly discovered vulnerability.

aidemzo_adanac

You have specialized software that won't run on anything but. I think MS would have had problems creating software that only ran on XP. Well done, but why paint yourself into a corner that way?

Gisabun

Of course someone with an infected file on a USB key or DVD can transport it to the offline computers. Not foolproof. Foolproof [or near] would be to disable removable drives as well as USB ports [other than what is needed].

jevans4949

A third party would need permission to distribute patch software based on MS source. Can you see MS allowing this? They depend on new sales. However, there's probably enough motivation for antivirus companies to carry on watching this market. The fact that MS still distributes significant numbers of patches for XP, and recently a flood for Office XP, tends to indicate the problem is not going away.

Twidget0831

He said he was running them offline, so the "existing connections" would be a grand total of ZERO...

Webminotaur

Where in the article did you find any reference to credit cards? Or anything to indicate the nature of the companies still using XP?

jsargent

There are various levels of PCI compliance. If you do not store or send sensitive data such as the PAN then you are PCI compliant regardless of whether your OS is supported by its manufacturer. This often happens if you have an ECR that uses an EFT terminal to handle all the security, communication and compliance protocol for credit card transactions.

neil.postlethwaite

If you have appropriate compensating controls, you take card data out of scope for PCI, so you can run it on anything, no matter how old and shonky.

Twidget0831

The article said they ran them offline (credit cards are NEVER run offline) and use it for ancient spreadsheet and word processing applications...

aidemzo_adanac

While XP VERY SLOOOOOWLY became a SOMEWHAT worthwhile operating system, let's not forget that it was the worst ever released until well after SP2 came out. All of a sudden, it's the bee's knees and nobody wants to change now. Considering that Win 7 dances circles around XP, and even Vista beat the snot out of XP as far as security, I don't get why people are still touting XP as the answer to the PC OS. Sure, after three years XP started to get cleaned up and became more secure, but when you consider it was the most bug-ridden and insecure OS that MS ever released, of COURSE it got better over the years. Just because it finally became somewhat stable doesn't mean it's a good operating system at all. But sheeple follow the pack and if just one blogger states how great it is, then everyone who can't do their own homework or doesn't feel comfortable changing anything in their life will take it verbatim and follow like lemmings. Some people refuse to be helped. It's nothing new, I remember the same issue happening with EVERY OS that Microsoft ever released. Well, excluding ME, which was a laughing-stock attempt to get home users to stop using Win2KPro. Good luck with that one! Sure, low-end PCs were cheaper and retailers could be more competitive, but at what cost? ME vs W2KP? Riiiight. When Vista was released, MANY times more secure than XP, but it was "different", so people stayed away and just listened to the handful of upgraders who had issues and parroted the same negative sentiment, which more lemmings bought into and repeated themselves with no personal experience at all, as always. My take is DO YOUR HOMEWORK: if you are comfortable with what you have and see no benefit in change, DON'T CHANGE. If you are finding that the security vulnerabilities etc. are too much and a newer OS offers you functionality that increases your productivity, find what works for YOU. Whether Linux, Mac, Windows or two tin cans tied to a string, whatever works for YOU is what works best.
Just don't go buying into blogs and BS online; any tool can do that and fail.

dogknees

Can we sue ironmikez when we have to upgrade to Win 20 in a few, or a lot of, years? Actually, I'm sure I could find a few other people that have guaranteed MS will close their doors in the past. Indeed, a LOT of people have said it.

bellrm

XP Mode support also ends in April 2014... I think the problem isn't so much the end user as 'the business'. IT can do all the planning etc. it wants, but if no one in the business is prepared to sign off a systems refresh that will typically cost more than £2K per end user then there is not a lot IT can do, other than wait. Given that the financial meltdown started in early 2007 and is still ongoing, many businesses have been focused on keeping costs down and getting paid for the work they do; an IT refresh is seen as a cost with little real benefit to the business. Yes, now that we are coming up to end dates for support etc. the priorities may change. I suspect that many will explore VDI and hence continue to use existing desktops but only as a platform for a browser... I think also the software vendor issue needs some clarification, especially from those who claim it is a problem. I suspect that some are encountering the problem that their enterprise package vendor isn't supporting Win7/8 clients on the version of the product they are using, but is on the more recent updated version which also runs on more current server platforms...

aidemzo_adanac

Off the shelf boxes come with either too. In fact Future Shop, Best Buy and Visions here have more systems with a flavour of Win7 than Win8. Sure that shiny new notebook on the shelf may come with Win8 but you can still get one with Win7 too.

dogknees

Detailed concrete evidence that is. Not hearsay or supposition.

bellrm

I always thought that it was third-parties who brought vulnerabilities to Microsoft's attention...

NickNielsen

It wasn't Microsoft that did it to them, it was an equipment or software vendor. I run into that problem all the time in my work. Customers have capital equipment that requires purpose-built software to manage it, and that software was written to run in Win XP and only runs in XP. Until the vendor updates the software to run in Win 7, there can be (and usually are) major issues with functionality, even in compatibility mode. Even considering the potential security risks and related costs, the ROI is greater with the status quo.

Gisabun

When you don't have the source code, how do you patch? Oh. MS stopped supporting Office XP a few years ago. You mean Office 2003 - and there haven't been any significant security updates for Office 2003 in almost 6 months. 1 this year [002], 2 in November [excluding 2 re-releases].

Gisabun

The audit checks the organization as a whole that is trying to be PCI DSS compliant. Whether or not a Win XP computer will ever "touch" a credit card is irrelevant.

NickNielsen

In fact, the writer appears to assume that those still using XP will be online.

dogknees

I've been trying for years to get the point across that we see the same comments from the same people every time there's a new version of anything. They start by bagging it, then slowly come around and by the time the next version hits they've become massive fans who'd rather die than upgrade to the next version. Now we all know about it, perhaps we won't see it next time! But I'm not holding my breath.

dogknees

No one said you have to replace PCs to change OS. Just update the OS.

NickNielsen

CNN, MSNBC, or just about any one of them outside NPR (they actually listen to their researchers!)

NickNielsen

But that's the way it is. And until the vendor gets around to updating or (in at least one case) the customer gets around to buying the update, that's the way it will probably stay.

dogknees

MS wrote it. If it's the vendor, then why did they write it so it's tied to one version of Windows? No one forced them to use undocumented behaviour.

jevans4949

Well, I had a couple of dozen Office XP / 2002 patches last month. I'm mostly using Libre Office these days, but I still have this installed on my home desktop.

aidemzo_adanac

It's useless to think you can educate people with a little common sense and hindsight. If you put together a sensational web page that was so radical and either left- or right-wing focused, you'd have an audience. People don't like reason, reality and middle ground, just sensationalised BS.