Even the spectre of security breaches and crashing apps is failing to convince some Windows XP-using organisations to abandon the OS before Microsoft cuts off support in a year’s time.
Recent figures from software consultancy Camwood suggest one in five companies using XP plans to stick with it despite the 8 April 2014 deadline, after which no new patches or bug fixes will be issued.
Those organisations may be taking a calculated risk and assume Windows XP’s longevity means major vulnerabilities have been identified and dealt with. But that assumption is misplaced, according to Rik Ferguson, global VP security research at Trend Micro.
“It’s a racing certainty that significant new vulnerabilities with XP will be uncovered in the future, if anyone wants to devote their time to it. You’d be a fool to say every possible vulnerability has already been discovered and either mitigated or patched,” he said.
Ferguson agreed that the amount of scrutiny and field-testing to which XP, first released to manufacturers in August 2001, has been subjected play in its favour.
“It should theoretically get progressively more difficult to uncover bugs in a system as widespread as XP. All that field-testing, all that field QA, are going to be far more extensive than anything you could have hoped to achieve in a QA lab pre-release,” Ferguson said.
“But, by the same token, because it represents a large target means it will be of continual interest to attackers and security researchers, whether black or white hat,” he said.
“With the sprawling amount of code that is Windows XP and its legacy nature – it’s not by any token a next-gen operating system – there is a lot of space for vulnerabilities or defects in the code still to exist.”
Ferguson pointed out that the security issues don’t end with the operating system itself. Even if XP were secure, there might be application-level vulnerabilities.
“It’s not just the operating system that’s going to be out of support. Almost every application running on it will also no longer be patched because it won’t be economically worthwhile for the application vendor,” he said.
“When Microsoft drops support, so will the application vendors – if they haven’t already. If XP is no longer supported by Microsoft I’d be surprised – I’m not saying it’s not possible – to see many vendors offering updates. Do we see updates for Flash for Windows 95? I don’t think so.”
Ferguson said in the age of targeted attacks, one of things attackers assess when doing reconnaissance are the operating systems and applications in use within an enterprise.
“If you’re using something like [XP], it’s absolute gold dust to an attacker because they’ll know that any vulnerabilities that have been announced after a certain date will be zero-days for you,” he said.
Measures for continued XP use
However, those planning to carry on using XP after the deadline can take certain steps to limit exposure to risk.
“Any security person worth their salt is going to say, ‘Bad idea, because it won’t get patched’. But I think it’s important to say there are things you can do if, as an organisation, you need to continue using XP – whether it’s for cost or compatibility reasons with certain applications or even with certain hardware,” Ferguson said.
“There are some technologies you could deploy that will allow you to continue using legacy systems, because that is what XP is going to become, like NT has or Windows 2000 even. Probably one the most important of those is host-based intrusion prevention technology because that is effectively going to allow you to apply a virtual patch to those non-supported environments,” he said.
“It will be able to recognise that a vulnerability exists and make that vulnerability difficult or impossible to exploit even in the absence of a patch. So if you are going to carry on using XP, you will have to investigate mitigating technologies like host-based intrusion prevention.”
XP’s enduring popularity
Ferguson said XP’s popularity is partly down to the technology itself and party to the circumstance that have followed its launch.
“It’s been a rocky period financially for a relatively prolonged amount of time and prior to the rocky financial period was Vista, which certainly didn’t meet with universal acceptance – let’s put it that way,” he said.
“Then along came Windows 7 but also along came the recession. Then there’s that whole thing of, ‘If it ain’t broke, don’t fix it’. People have got systems that are working and currently supported, so what’s the motivation for spending money on upgrading if you don’t need to?”
Familiarity with XP
Ferguson said XP is also an operating system format that people are used to and comfortable with.
“If you go back through Mac OS over the same period, the look and feel of Mac OS really hasn’t significantly changed either. Whereas Microsoft’s model seems to be to do something about the look and feel with every major iteration,” he said.
“Whether it’s Windows 7 or Windows 8, there are relatively significant changes to the look and feel and maybe people are resistant to that as well.”
The factors that have ensured XP’s success are now working against those organisations that have stuck by the operating system, according to Ferguson.
“Those people are now going to be in a pretty uncomfortable position because if they’re in an industry that has intellectual property to protect. Due diligence says they should be doing all they can to make sure that it’s protected. Running a legacy operating system doesn’t do that,” he said.