The reminders and warnings have been relentless for the past two-and-a-half years. Microsoft will "end of life" Windows XP, but there are significant numbers of computers and specialty devices still running the 13-year old operating system, exposing them to serious security issues down the road.
Microsoft officially ends support on Tuesday, April 8 by releasing the last security updates for Windows XP and Office 2003 as part of the April Patch Tuesday release. Any issues discovered afterwards in XP or other Microsoft products running on XP, either as a zero-day vulnerability being exploited in an attack or reported to Microsoft by a security researcher, will not be fixed. Security experts believe criminals are hoarding XP vulnerabilities with plans to launch campaigns exploiting them at a later date, since those zero days will become "forever days."
Dubbed "XPocalypse" by some experts, the expected attacks against XP systems will affect more than just end users refusing to buy a new computer. Many enterprises still have XP machines, and specialty computers such as Point-of-Sale (PoS) systems, industrial control systems, and ATMs still run Windows XP. Industry sectors ranging from retail, financial services, energy, manufacturing, and transportation are all potentially at risk because of the old operating system.
Microsoft has painted doomsday scenarios of malware and targeted attacks against XP, but the fact remains that for many of these computers, nothing will happen tomorrow, next week, or even next month. As a result, users are over-estimating their safety level, thinking "I just won't go to 'dangerous' sites." Enterprises underestimate the risks of attackers breaking into a different part of the network and making their way to the vulnerable system, ala what happened with Target and other retailers over the past year.
The Vulnerable Population
Estimates vary, but Windows XP is believed to run on a significant number of desktops, laptops, and other specialty systems. Many specialty systems such as ATMs run Windows Embedded, which will be support until 2016, but a substantial number of them have Windows XP Professional installed.
The latest figures from NetApplications show that Windows XP is installed on almost 30 percent of PCs. Qualys estimated the number of end users running XP worldwide was about 22 percent, and enterprise users at about 14 percent. Interestingly enough, Qualys said XP usage among enterprises had dropped the most in the United States and United Kingdom, to just 8 percent. Gartner estimates that between 20 percent and 25 percent of PCs are on Windows XP in businesses with more than 500 employees. Regardless of the exact figure, that is a huge population of vulnerable systems and organizations and end-users alike have to take the looming security risk seriously.
How realistic is the view that malware writers are waiting for support to end so that they can target Windows XP systems? A recent analysis by Lucas Zaichkowsky, an enterprise defense architect at AccessData, found that 20 of 88 vulnerabilities currently being exploited in the wild by these crimeware kits apply to Windows XP and related components.
It's also important to remember that XP doesn't run on just desktops and laptops. Attackers can also take advantage of vulnerable PoS systems to life credit card data, break into ATMs to steal cash, damage systems supporting critical infrastructure, Zaichkowsky noted.
"What used to be a cash register is now a computer," said Jeff Man, a PCI expert with Tenable Security.
An attacker who manages to break into an industrial control system running XP can control the building's HVAC system, which could result in physical damage to other sensitive systems as well as the building itself.
Timing and Logistics as Barriers
The most common reason among end users for hanging on to the OS appears to be "XP works fine for my needs." For enterprises, the holdouts appear to be simple logistics, Man said. For retailers with 20 to 30 to 40 checkout lanes in a store, and multiple locations around the country, figuring out how many systems need to be upgraded and doing so without disrupting normal operations is a "logistical nightmare," Man said.
Banks are aware of the risks of XP on ATMs, especially in light of recent reports where criminals have successfully used infected USB sticks to break into the machines. Many financial institutions plan to move to Windows 7 Embedded, but have held off in order to first complete the chip and pin rollouts to secure payment cards, said Chris Goettl, a product manager at Shavlik.
Retailers are also caught in the same timing loop, with major infrastructure projects on the roadmap, Man noted. Retailers are exploring tokenization and other encryption technologies to increase the security of PoS systems, and most businesses will likely need to invest in additional hardware to handle the new chip-and-pin credit and debit cards. The retailers are interested in doing "it all at once, rather than two or three of four times," Man said.
As a result, many of them are negotiating with Microsoft for special extended support agreements. Similar agreements were struck back when Microsoft ended support for Windows 2000, with figures ranging in millions of dollars. Reuters recently reported that Lloys Banking Group, Royal Bank of Scotland, HSBC, Barclays, and Santander, five of the biggest financial institutions in the United Kingdom, have arranged, or are in the process of arranging, special extended support agreements to keep their systems up-to-date. Those agreements aren't available to most organizations, however, making it even more important that organizations take steps to secure the systems.
Keeping XP Running
There are some compliance concerns about sticking with XP for the time being, Man suggested, noting that PCI requires all systems to be patched regularly. If Microsoft is releasing patches for Internet Explorer 7 and 8, but organizations can't apply the patches because the patches aren't for XP, there is going to be some issues maintaining compliance. Many retailers will be relying heavily on whitelisting, detailed logs, and extensive monitoring to protect their XP systems, Man said.
Keeping XP running is not going to be cheap, as it will require extensive overhead and support by IT teams. Those organizations who can afford the extended support contracts will have to maintain a private patching cycle for those XP machines. The rest of the organizations will need to segment XP systems from the rest of the network so that infected machines won't be able to crawl through the network to target sensitive systems. Ideally, XP systems should not be connected to the Internet at all, and IT needs to regularly review remote connection logs to monitor activity.
Whitelisting, as Man suggested, would prevent non-authorized software from running on the machine, and would restrict users from performing potentially dangerous tasks.
Limit What XP Can Do
XP holdouts have to take some steps to protect their aging machines. These measures won't protect the machines from attack, but may lessen some of the more obvious risks. First and foremost, all Windows XP system updates and patches need to be installed—that's having Service Pack 3 (SP3), or on Windows XP Professional 64-bit, Service Pack 2, as well as whatever last patch Microsoft releases on Patch Tuesday. Don't limit the updates to just critical patches for the operating system, but include the ones for other Microsoft software, including Microsoft Explorer, Office, and Silverlight, for example.
Considering the number of modern malware which exploit vulnerabilities in Internet Explorer and how it hooks into the operating system, stop using Internet Explorer entirely on the XP box. Internet Explorer 6 is too old to use, and versions 7 and 8 on XP will no longer receive updates, making the browser highly vulnerable. There are a number of other Web browsers—use those instead to minimize the damage a malware infection can cause. It would be a good idea at this point to uninstall Outlook and Outlook Express. Open emails via webmail in a safe Web browser to restrict email-borne malware. Considering Microsoft is also ending support for Office 2003 (Office XP went "end of life" in 2004) and Office 2007 on XP will likely stop receiving updates, it's time to shift to an alternative. LibreOffice is stable (just don't install with Java) or access Google Docs via that non-Microsoft Web browser.
Major antivirus vendors have pledged to keep supporting Windows XP for at least the next year, if not longer, so a paid subscription to a fully-fledged security suite is essential. The software would help detect and remove malware infections. Turn on the firewall on the software to restrict malicious activity entering and leaving the computer.
Many attacks require administrator privileges to succeed, and the sad truth is too many users have administrator rights. Normal activity on an XP machine should be limited to user accounts, which can't install or modify software. That way, even with an infection, the malware is limited in the damage it can cause. Other configuration changes include disabling "Auto-Play" on USB sticks so that XP won't try to open files automatically.
"Connecting removable storage devices to Windows XP systems should be avoided," wrote Tim Rains, a director in Microsoft's Trustworthy Computing group, in a blog post.
Yes XP Will Work, But Why Stay?
"There aren't a lot of options" for businesses who want to stay with XP, Man said. Most of the controls allowed by the PCI Council and other common-sense practices, are supposed to be temporary stopgap measures, not permanent solutions, he said.
Sure it's possible to keep XP running, but it doesn't really make sense. Continuing to use XP is like being in a car and driving down the highway with the check engine light on. Chances are you will be fine and will get wherever you need to go, but when the engine fails, when the crash comes, the damage is going to be far worse.