You’ve probably noticed that the Heartbleed vulnerability in OpenSSL has gotten a ton of attention. You know a computer security issue is a big deal when even local news and late night TV hosts are talking about it. Despite the hype and hoopla, though, there’s another threat out there that makes Heartbleed seem trivial by comparison: Windows XP.
Heartbleed is significant because it could enable an attacker to expose or intercept sensitive information that should be encrypted. It’s a big deal when things like passwords and credit card information can be easily compromised. Andrew Storms, senior director of DevOps for CloudPassage, told me, “This is probably one of the more serious bugs I’ve seen in my 15 years of working in the security industry,” and that sentiment has been echoed by a number of security experts.
So, what makes Windows XP a bigger security concern than Heartbleed? Well, the same reason that the expiration of support for Windows XP was not a “Y2K” event, as some had described it.
When April 8, 2014, passed by and Windows XP machines continued working just like the day before, and the world didn’t come to a crashing halt, there were probably many businesses and individuals stubbornly continuing to use Windows XP who thought — or possibly even said out loud — “See? I told you it wasn’t a big deal.” However, that smug hubris will eventually come back to bite them and will have security implications for the rest of us who share the internet with them as well.
Just as Y2K was a specific event, Heartbleed was just one vulnerability. It was identified, a patch was developed, and the world was put on notice. Now, we can move on. It was an isolated moment in time.
Windows XP, on the other hand, is now a permanent, ongoing “zero day” vulnerability. If attackers are smart and stealthy, we may not even know how many vulnerabilities are discovered in Windows XP from this point on — or how critical they are. There won’t be any more patches or updates, so it’s permanently at risk.
We need to stop looking at security as a thing and start looking at it as a process — it is a verb, not a noun. There’s an ongoing circle of life where weaknesses and vulnerabilities are discovered and corrected in a co-evolution of attackers and defenders.
“XP, on the other hand, has stopped evolving and any vulnerability discovered from April 8, 2014, into the future will remain a danger to everyone connected to the Internet,” declares TK Keanini, CTO of Lancope. “The only solution for XP at this point is to make it go away — rid it from existence. Everyone needs to do their part to get rid of it, because if we don’t, in this connected world, it will ultimately be a bad thing for everyone.”
Tim Erlin, director of IT security and risk strategy for Tripwire, shared some thoughts as well. “No one is surprised by the Windows XP risk. Still, the risk presented by XP is going to get worse over time, not better. As a risk, Windows XP is much harder to mitigate than Heartbleed because replacing an entire platform is a more difficult task than updating a library.”
I spoke with Evolve IP CTO Scott Kinka, who explained the root of the problem. He told me, “At this point, our best prospects are actually our worst customers.”
To put it another way, the companies and individuals who most need the wake-up call about Windows XP are also the least likely to hear it or take action. Many cite financial reasons as a justification for not upgrading from Windows XP, or for not investing in some sort of managed solution or virtualization platform to continue using Windows XP more securely, but the simple reality is that there will also be a significant cost to continuing to use Windows XP. At this point, spending no money isn’t really an option — it’s just a matter of whether you spend the money to proactively address the situation or spend it cleaning up the mess after it’s too late.
Keanini summed up the pervasive threat of Windows XP: “Hunt down expired versions of XP and terminate it!”
Do you agree that Windows XP poses a bigger security risk than Heartbleed?