Windows XP Goes Dark
Print Issue: July 2014
On April 8, 2014, Microsoft ended security support for its Windows XP operating system. The platform, highly popular among businesses and consumers alike, represented nearly 30 percent of the global market share for machines as of February, according to consulting firm Net Applications. Cybersecurity experts tell Security Management that the security implications for the Windows XP end-of-life are considerable.
End-of-life. Microsoft releases security updates for its supported operating systems on Tuesdays–a day which has become known as “patch Tuesday.” As of early April, the company stopped releasing those updates for Windows XP. Any newly discovered vulnerabilities in the XP operating system will leave hackers plenty of room to find their way in.
Cybersecurity experts explain that there is a precedent for operating systems being phased out, but never before on the scale that XP has reached. “When you look at Windows XP, it’s arguably one of the most successful operating systems of all time,” says Girish Bhat, director of product marketing for security firm Wave Systems. “The success itself is currently getting to be a potential problem for many industries that have not necessarily moved away from it.”
Vinny Sakore, cloud security program manager at ICSA Labs, notes that the operating system’s high adoption rate is partly due to its 2001 release date. “XP came out during a time when the Internet was really changing, where everything moved to be Internet-based,” he says. “The challenge is that [Windows XP] was designed a long time ago…Because of the technology at the time it was designed, it’s just not able to keep up.”
With the constant updates for Internet browsers and other applications, Windows made the strategic move to ultimately save all users time and resources. “Microsoft already packed on extra time knowing that it was such a beloved operating system by so many IT professionals and home computer users,” explains Chester Wisniewski, senior security advisor at Sophos. “They finally decided to draw the line in the sand.”
Business sectors. Healthcare is one sector disproportionately affected by the XP end-of-life. Bhat says that for proprietary diagnostic imaging applications run on XP, such as CAT scan technology, replacements and upgrades are costly. In addition, “It is possible for a breached diagnostic machine running Windows XP to be used to modify, delete, or replace patient diagnostic images, causing misdiagnosis that can lead to serious consequences—both medical and legal,” he notes.
Compliance is also a major concern for healthcare organizations still running any equipment and desktops on XP. Security requirements in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandate that adequate safeguards be in place to protect electronic personal healthcare information. “If there’s any private information that’s generated from the machine that’s associated with a Windows XP endpoint, the healthcare provider is noncompliant on that, which means it would potentially face fines,” explains Bhat.
The financial sector also faces challenges from the end of Windows XP. Ninety-five percent of the world’s ATMs were running on XP by the time the end-of-life rolled around in April, according to NCR, the globe’s largest supplier of ATMs. But experts point out that the electronic teller machines are much more hardened against attacks than the average machine. “ATMs are supposed to be running on a segregated encrypted network. So because of that, there will be limits in terms of what types of attacks can occur on ATMs,” says Sakore. “ATMs [aren’t] wide open to attack. There are strict rules in terms of how ATMs connect over what type of network…There are protections that are in place.”
Wisniewski explains that the threat profile of ATM machines is different from that of a laptop computer, for example, and that they aren’t on any type of public-facing Internet connection. So, vulnerabilities come from internal threats or ATM card skimming, rather than from hacking in through an insecure operating system. Overall, he says the risk of continuing to run XP may outweigh the cost of replacing or upgrading machines. “Bank of America, which has tens of thousands of ATMs, may say, ‘You know what, we’re willing to take the risk of something bad happening because the cost of replacing 30,000 ATMs is going to cost us tens of millions of dollars. So we’ll take our chances for a little while,’” he says.
Business migration. If an organization still hasn’t migrated from XP to a newer operating system, like Windows 7 or Windows 8, there are steps they can take to ensure their networks are safeguarded against attacks.
“First, they have to do a risk assessment where they identify all the systems in their organization which are running XP,” notes Sakore. He adds that businesses should identify which types of data those XP systems can access, prioritizing which machines to protect first based on which ones access sensitive information. If there are machines still running XP, Wisniewski says to take images of them. That way, “if something does happen to it, they can very easily restore it back to the condition it was in before it was compromised,” he notes.
Finally, Wisniewski says removing the machines still running XP from any Web connection will ensure protection. “The best thing to do is simply take them off the Internet. If you can’t upgrade them easily, or it’s going to be an enormous amount of cost or labor to react to this deadline, then one plan is isolate them, don’t let people use them to surf the Internet.” He says that maintaining standard security software, like firewalls and antivirus protections, is still important even if you’ve removed the machines’ Web connections.
Sakore points out that employees who use a virtual private network (VPN) to connect to the corporate network pose a serious risk. “If you have home users and they’re not upgrading their desktops and they’re using VPN to log into the corporate network, then you have some systems there that could be open to attack,” he says. “So it’s important to create some kind of policy around Windows XP from a corporate standpoint.”
Microsoft will continue to put out security updates for its newer operating systems, Windows 7 and Windows 8, which experts say can raise further problems. “They’ll reveal flaws that are also probably still available or are still in existence with Windows XP,” says Sakore. “So the security updates that are actually going to be a rolled out for the newer operating systems are going to be a roadmap to be able to exploit vulnerabilities in Windows XP.”
Some organizations have negotiated extended support contracts with Microsoft, including major banks whose ATM machines are running on XP. In one particularly large deal, the British government spent more than £5.5 million (roughly $9.2 million) to extend support for 12 months.
While larger companies can afford to buy extended support contracts from Microsoft, Wisniewski says that the majority of organizations should accelerate their plans to migrate. “If that means bringing in some temp staff, if that means temporarily migrating your help desk to a call center somewhere while you get more boots on the ground to update your PCs; whatever it is you need to do, you need to do it quickly,” he says.
To illustrate some of the risks that might lie ahead, less than three weeks after support officially ended for the XP operating system, cybersecurity company FireEye announced that it discovered a vulnerability in versions 6 through 11 of Internet Explorer, Microsoft’s Web browsing application. (Version 6 is the browser for Windows XP.)
The U.S. Department of Homeland Security issued a warning on April 28 through its United States Computer Emergency Readiness Team (US-CERT) that the flaw, which is known as a “use-after-free vulnerability,” could “lead to the complete compromise of an affected system,” as hackers could obtain the same rights to the operating system as the current user. US-CERT advised users to use an alternate browser until the security vulnerability could be patched and mitigated.
On May 1, Microsoft issued a statement that it would be providing a patch for all affected versions of Internet Explorer, including Windows XP. Adrienne Hall, general manager of trustworthy computing for Microsoft, said in the statement, “Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP…. We made this exception based on the proximity to the end of support for Windows XP.”