Wednesday 9 April 2014

Rest in Peace, Windows XP

This is the end. A number of security experts discuss just how risky life will be for those who continue to run XP.
Who's Still Using XP?
Opinions on just how many systems are still running XP vary. Qualys CTO Wolfgang Kandek reports that XP's market share has sunk from 35 percent in January 2013 to 14 percent in February 2014. He points out that "computers running XP will be very attackable in the near future." Kandek also notes that over 70 percent of security patches in 2013 affected XP. "XP will be affected by a large percentage of the problems exposed in May, June and July," said Kandek, "but there will be no remedy."
Peter Bright, technology editor at Ars Technica, reports a higher figure. According to Bright's research, 28 percent of Windows computers were still running XP as of last week. "While firewalls and other measures will provide some degree of protection, widespread exploitation of these users by phishing and similar attacks remains highly probable," said Bright. "This writer would not be the least bit surprised if the first wave of exploits for the obsolete operating system materialized on or about April 9."
Debra Littlejohn Shinder, owner and CEO of TACteam, advises businesses to upgrade all XP systems. In a blog post she notes that despite "literally years of advance notice," 29 percent of computers that connect to the Internet are running XP. "It was fun while it lasted," she said, "but businesses need to take a look at their system inventories and bite the bullet and upgrade any XP computers they still have." She also suggests blocking remote workers from connecting to the corporate network from computers running XP.
What Will Happen?
According to Trustwave Director Christopher Pogue, criminals are most likely hoarding XP-based exploits, waiting for the end of security patches. But wait, it gets worse. There's a fair amount of code shared between different Windows versions. Pogue suspects that the bad guys will reverse-engineer patches for vulnerabilities in still-supported Windows versions and use that information to craft exploits that will work on XP. Pogue recommends that businesses switch to a newer Windows version immediately.
Trend Micro's threat communications manager Christopher Budd warns that financial institutions are most at risk when XP support ends. In a recent blog post, he suggests that financial institutions may have to block online access by XP users. "When users go to websites, it's a relatively simple matter to detect the browser and operating system that's accessing the site. Using that information it's easy to create an alert to make people aware of the risks of being on Windows XP," said Budd. However, users tune out warnings, so despite the risk of lost business, "the banking and finance sector should consider taking steps to block customers still on Windows XP from their services entirely."
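The detection Budd describes can be sketched as follows. This is an added example, not code from Budd, Trend Micro or any bank; the function names, the `mode` parameter and the sample headers are assumptions made for illustration.

```python
import re

# Windows NT version tokens as they appear in browser User-Agent strings.
# NT 5.1 is Windows XP (32-bit); NT 5.2 is XP x64 Edition and Server 2003.
NT_TOKEN = re.compile(r"Windows NT (\d+)\.(\d+)")
# Some older browsers (e.g. early Opera) sent the product name instead.
LEGACY_XP_TOKEN = re.compile(r"Windows XP", re.IGNORECASE)

def windows_nt_version(user_agent):
    """Return (major, minor) parsed from the header, or None if not Windows NT."""
    ua = user_agent or ""
    m = NT_TOKEN.search(ua)
    if m:
        return int(m.group(1)), int(m.group(2))
    if LEGACY_XP_TOKEN.search(ua):
        return 5, 1
    return None

def xp_policy(user_agent, mode="warn"):
    """Return 'allow', or the site's chosen response to XP clients.

    mode (hypothetical parameter) is 'warn' or 'block', the two options
    discussed in the article.
    """
    if mode not in ("warn", "block"):
        raise ValueError("mode must be 'warn' or 'block'")
    if windows_nt_version(user_agent) in ((5, 1), (5, 2)):
        return mode
    return "allow"

# Constructed sample headers, not captured traffic.
SAMPLES = {
    "ie8_xp": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "firefox_xp64": "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "opera_legacy": "Opera/7.54 (Windows XP; U) [en]",
    "ie11_win7": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "safari_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14",
    "missing": "",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:14s} -> {xp_policy(ua, mode='warn')}")
```

The User-Agent header is supplied by the client and can be changed or omitted, so this check is a way to reach customers with a warning or a soft block, not an access control.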
Sometimes you don't have a choice. "Many organizations have business critical applications that run on Windows XP and have legitimate reasons not to migrate to a newer version of Windows," said Nicolas Rochard of VMware. Not surprisingly, he recommends moving all XP-specific operations into virtual machines. This allows running them alongside modern Windows versions, and of course, if the XP system succumbs to an attack you can roll the virtual machine back to an uncorrupted snapshot.
Rebecca Herold, CEO of Privacy Professor, sees potentially dire consequences in the medical field. In a post titled "How Many Patients Will Die Along with Windows XP," Herold notes that the percentage of medical devices running XP is probably higher than the overall percentage. These devices have a lifespan of 10 to 20 years, so for many, XP or embedded XP was the most up-to-date Windows version at the time they were created. After today, these devices "will be vulnerable to malware, hacking, and may also be non-compliant with HIPAA," said Herold. "Even of more concern," she added, "medical devices running on no-longer-supported OS's present real health risks to the patients."
Making the Switch
Switching to a new computer can be a pain. LapLink has been around almost as long as the PC, creating options for transferring data to new computers. The company's free PCmover Express is available from Microsoft's windowsxp.com and includes the company's Free Transfer Assistance. "Research indicates that remaining on Windows XP past the end of support end date of April 8 is extremely risky," explained Thomas Koll, CEO of Laplink Software. "Users might hesitate to move off of Windows XP despite those risks because of fear of losing years' worth of data. With PCmover Express for Windows XP, there is no reason to delay."
Chances are good that your ancient XP computer doesn't have the oomph to run a modern operating system. That's OK; Microsoft's Windows XP site has plenty of advice and offers to help you buy a new PC. The site points out that "today's PCs cost a third less than what Windows XP computers cost in 2002," and lists hand-picked deals starting at $249.
Sticking with XP
If you do stick with XP, you'll need to be extra vigilant. Independent tests have shown that simply keeping the operating system up to date gives you significant protection against malware. You'll no longer have that option. Fortunately, most security vendors will continue to support XP. Right now, make sure any XP systems have a powerful and up-to-date security suite installed.
Internet Explorer under XP is stuck at version 8; the rest of the world is using version 11. Ditch IE completely; switch to Chrome, Firefox, or any non-IE browser of your choice. Other precautions include avoiding use of public WiFi, uninstalling any third-party applications that aren't totally necessary, and using a tool like Secunia Personal Software Inspector 3.0 to ensure all remaining third-party applications are fully patched.
Even if you do everything you can to harden your XP systems against attack, they'll still remain more vulnerable than PCs running modern Windows versions. Sooner or later you'll have to upgrade, or replace the PC. Why not do it now?
