End of support for Windows XP SP3 on April 8th 2014 is fast approaching and according to netmarketshare, still there are around 29% of Windows XP users from all OSs. With a few days left for the D-day, I thought it would be a good idea to discuss the security aspects of this operating system from Microsoft.
There may be various reasons for organisations not moving from XP – migration with no downtime, lack of expertise and recourse, lack of budget and so on. From a security point of view the challenge that XP will face is not as an OS (Operating System), which itself is quite secure (and could continue to be secure).
This is because Microsoft will continue to release updates to Anti-malware signatures for Windows XP till July 14, 2015. This means Microsoft will stop security updates but will continue to provide updates for Microsoft Security Essentials till July 14, 2015. Moreover you will have adequate help from external antivirus and firewall sources.
There are plenty of external sources and almost all of them have informed that they will support Windows XP even after April 8th 2014. These third party sources help detect threats, block attacks and cleanup infections, but for how long?
According to a survey conducted by AV-Test.org, most of them will support XP at least for another year. But some of the big security vendors like Webroot, Bitdefender, Trend Micro and Kaspersky informed that they will support till 2019, 2017, 2017 and 2016 respectively. While, some other market holders like McAfee, AVG and Avast have not announced end of support according to AV-Test.org.
These days attackers target application vulnerabilities (vulnerabilities in the installed application) rather than direct attack on remote services. Some common applications that get targeted are web browsers, WordPress, OpenX, document readers, Lotus Notes, SharePoint and so on.
Windows XP refuses to move on with the version of IE (Internet Explorer), no other version newer than IE version 8 is compatible with Windows XP. IE9 (and up) cannot be installed on XP as it uses Direct2D. This is absent in Windows XP and available on other later OSs (Windows Vista, Windows 7, etc.). Having said this, there are loads of vulnerabilities in IE 8 which are fixed via patches till date.
But moving forward you cannot expect this from Microsoft. The hackers will exploit vulnerabilities which are going to arise in IE8 to harm you. Users sticking with Windows XP can ditch IE for an alternate browser, for instance Google Chrome, Mozilla Firefox etc.. But is it safe enough? Most of these browsers have their source code available for anyone to scrutinize, making it easier enough for the hackers to do their homework.
Any external browsers will stop support for Windows XP, not instantaneously however these external browsers will be faithful for at least another year. Let us take the example of Google Chrome, they announced that the extended support for Windows XP ends on April 2015, but what happens after that?
There is panic that 95% of the ATM uses Windows XP as their OS and they need to switch ASAP to the latest OS to avoid compliance issues and risk factors. Well this is not true. Most ATMs use Windows XP Embedded (XPe). Windows XPe is componentised version of the Professional edition of Windows XP. This version will only have limited components that are chosen by the user, this helps reduce attack.
The support for Windows XPe ends on January 12, 2016, bank clients are safe till then and covered under compliance and protection standards. Banks will have to upgrade OS but they will get some breathing space to migrate the OS on their ATMs. Some banks, including US Bank, have already started the migration from old OS. The situation is no different with POS (point-of-sale) devices, most of these devices run on Windows XPe and should plan their migration before support for Windows XPe ends.
I hope this article will be a wakeup call to upgrade, for those still running systems on XP, as we are at the end of an era with Windows XP. It is advisable that all Windows XP users switch to the latest OS. It is time to get ready to live in a world without Windows XP.