The Dinosaur in the Room
It’s no secret that Microsoft is mothballing Windows XP early next year. Officially dubbed the end of “extended support,” the retirement means that security updates will no longer be available. Naturally, this means that systems running XP will become increasingly insecure, as new vulnerabilities (or those that have been held in reserve by attackers) become available on the black market. It may seem easy to dismiss this concern out of hand if you’ve already migrated your workstations to later versions of Windows. But, in practice, the implications of the retirement extend far beyond the workstation.
Thanks to its stability and relatively light resource use, Windows XP has been the OS of choice for specialized systems for over a decade now. POS systems, medical devices, inventory systems, and a plethora of other turnkey devices have been built around XP. The most security conscious vendors will surely have a plan to address the retirement of the venerable OS. History tells us, though, that many vendors will ignore the problem, leaving their customers with devices — potentially used for critical business or patient care functions — that are completely exposed to new exploits.
While “embedded” versions of Windows XP present a threat from within an organization, the global install base of XP PCs represents a broader threat to the ecosystem. It’s already the case that Windows XP PCs that are not up to date have high infection rates. But there are plenty of XP users who do, in fact, make an effort to keep their systems patched. It’s safe to say that many of these users — who clearly don’t put much stock in upgrading to the latest OS every few years — will keep on using XP well after its retirement. As unpatched XP vulnerabilities become known within the criminal underground, we are likely to see an uptick in infected machines. More bots mean more spam, broader spread of malware, more phishing, and so on. Whether this will represent a significant enough change in the global bot population to make a noticeable difference remains to be seen, but it’s worth acknowledging the potential.
With these potential risks in mind, what can you do as an information security professional? First, perform a careful inventory of any devices throughout your organization that may be using Windows XP, especially those that are outside of the realm of your typical managed workstations. Talk with the vendors of those devices about their plans to secure the environment in the absence of Microsoft patches. Consider upgrading or retiring XP devices that will not be adequately secured. If that’s not an option, consider additional security precautions (isolating devices, installing additional security software, etc.) that you can take to prevent the loss of confidentiality, integrity, or availability that could accompany a successful exploit.
This would also be a great time to educate your users about the retirement of Windows XP (and Office 2003, whose support is also ending in April) and its security implications. Many of your users (and their parents, friends, siblings) likely have old machines at home running one or both pieces of software. A simple email, flyer, or intranet post explaining what’s happening, what it means for security, and what users should do (i.e., get a new computer) is all it takes to help them improve their own security and contribute to the security of the Internet at large.