Millions of PCs running Windows XP face a tsunami of hacker attacks starting tomorrow, when Microsoft ceases support for the aging, still-popular operating system.
After tomorrow, there will be no more security updates, so it's likely that black hats will release a torrent of stockpiled malware to exploit vulnerabilities that Microsoft will no longer patch. "Some hackers are bound to be hanging on to exploits and waiting for support to end," says Chris Sherman, a security analyst at Forrester Research. "If you knew of a vulnerability, why wouldn't you?"
Hackers will also be able to examine Microsoft's future Windows Vista and Windows 7 security updates to gain insights into the underlying vulnerabilities they patch and apply that knowledge to exploit similar vulnerabilities that will exist in Windows XP.
The end of Windows XP is a potential problem for companies because of the sheer number of XP machines out there. Forrester estimates that 20 percent of business endpoints run XP, with as many as 23 percent in the public and healthcare sectors; retailers are also at risk. Research by Fiberlink, an IBM-owned mobile device management company, likewise found that up to 20 percent of the endpoints it surveyed run XP — and that excludes a few large financial companies that are very heavy XP users.
If Windows XP Support Is Ending, Why Are Companies Still Using It?
A good question to ask is why these systems haven't been migrated to a more modern operating system. After all, Microsoft announced the date for the end of support for Windows XP back in April 2012.
"Some organizations have underestimated migration times, some thought that the issue was not important, and it's possible that some IT departments didn't get the funding to carry out a migration," says Michael Silver, a research vice president at Gartner. He adds that some organizations didn't take the end of support date seriously or are content to upgrade to a newer version of Windows as they go through their hardware refresh cycles.
In addition, plenty of organizations use legacy applications that can be run only on XP because they are incompatible with later versions of Windows. Others are unwilling to upgrade because drivers are unavailable for expensive pieces of equipment that they use, such as medical devices.
Automation Can Expedite Windows XP Migration
Migration is certainly time-consuming, but the actual time required depends on the amount of resources that a company has available. "You could migrate 20,000 machines over a weekend — if you have 20,000 technicians," Silver points out. The key to quick migration without using huge amounts of human resources is automation.
French academic institution EHESP is one organization that carried out such a migration, switching 600 PCs running Windows XP to Windows 7 in one month using just three IT staff plus a consultant. It did so by partially automating the procedure using Dell's Migration Fast Forward Service, a master image from a pre-configured PC environment and a Dell KACE deployment appliance.
"After testing our software for compatibility, we migrated from old computers to new ones, and from Windows XP to Windows 7, at the rate of about 30 PCs per day," says Gwendal Rosiaux, EHESP's IT and Telecommunications Department Manager. "I am absolutely sure that this was quicker and cheaper than trying to migrate without automation."
Custom Support for Windows XP Worth Price of Compliance
Microsoft will in fact produce security patches for Windows XP after April 8, but these will only be available to companies willing to pay for custom support. There's no official price list for this service, but it's generally accepted that the cost is about $200 per machine for the first year, doubling every subsequent year.
The high cost of custom support has put many organizations off pursuing this option, but Silver recommends that organizations think again. "We've seen the maximum price shifting," he says. "We're hearing of caps in total support costs which are lower than those in the past, so it is definitely worth talking to Microsoft about this."
Companies in regulated industries that don't take this approach could risk compliance problems, as they will be running an operating system that has not been patched for known vulnerabilities. "Ultimately it's up to the auditors, but there would be a lot of uncertainty in saying that a system is secure if it hasn't been patched," he warns.
Chuck Brown, a Fiberlink director, agrees. "On the U.S. Federal side, machines won't be compliant (if they are running XP)," he says. "And I'm surprised on the financial services side with the worldwide regulations that exist that they could think that (machines running XP) wouldn't be out of compliance."
Third-party Windows XP Security Controls Have Potential
There are other ways to try to secure XP machines beyond getting custom support from Microsoft. One option is implementing sufficient security controls to prevent exploits reaching them. That's the approach used by Arkoon+Netasq, a French company that offers a service called ExtendedXP. This combines a security agent running on each XP endpoint with a service that monitors the overall XP threat environment and suggests any measures that need to be taken to mitigate them.
Another option is to use virtualization to isolate individual applications — an approach taken by California-based security software vendor Bromium. The company's vSentry product creates hardware-isolated micro-virtual machines for each end user task. If an attack occurs within a hardware-isolated micro-VM, it automatically remains isolated from CPU, memory, storage, device access and network access. When the user task is terminated, any malware is automatically destroyed, the company claims.
"Sixty percent of malware uses PDF files as a vector, so these types of isolation products can offer valuable protection," Forrester's Sherman says. "The problem is that only some apps are supported."
He also suggests using application whitelisting technology to try to prevent unknown code being executed, although he points out that whitelisted applications can still be compromised.
Also Consider Privilege Management, the 'Zero Option'
Since most malware requires administrator rights, privilege management solutions — which allow the use of accounts with standard privileges, elevating them to administrator accounts only when necessary to perform certain tasks — can be an effective way to reduce risk.
A Microsoft vulnerabilities study carried out by Avecto, a privilege-management software vendor, found that 92 percent of the critical vulnerabilities highlighted in Microsoft's 2013 security bulletins would be mitigated by removing administrator rights. This included 96 percent of critical vulnerabilities affecting Windows and 91 percent of vulnerabilities affecting Microsoft Office.
Simple steps such as disabling Java and Flash and using a third-party browser such as Chrome, which will continue to be updated, can also improve a Windows XP machine's security posture.
There's also the "zero" option: disconnecting XP machines from the Internet to isolate them from Internet-borne threats. But Silver points out that there's still a risk of infection by malicious software (such as ransomware that encrypts data) introduced on a USB stick.
Luckily, Windows XP Risk Falls Over Time
The danger of running Windows XP machines is likely to increase over the next 12 months, as newer vulnerabilities that are patched in Windows Vista and Windows 7 are exploited in XP. The good news is that, ultimately, the risk will go down, Silver believes.
That's because the installed base of Windows XP machines will fall to such a low level that it's no longer attractive for malware authors to target — as is the case with Linux and OS X machines.
"For the next year or so, the risk of running XP machines will be high. Beyond two or three years, there will be less risk," Silver says. "But that is a long time for organizations running XP to have to ride out."