Summary: Even though the world won't end because of Microsoft's withdrawal of support for Windows XP, those left clinging to the OS after April's deadline still face a number of issues.
By Toby Wolpe | February 3, 2014 -- 19:43 GMT (11:43 PST)
Some twelve-and-a-half years after Windows XP first went on sale, Microsoft is turning off support for the operating system. From 8 April there'll be no further free updates or security patches.
There's nothing new about software reaching the end of its commercial life. But the trouble with Windows XP is that it's still reckoned to run between a quarter and a third of the world's desktops. The sheer scale of XP's legacy means many organisations and individuals now find themselves in the same boat, perhaps because of the difficulty of migrating certain apps, the cost, or simple inertia.
Given that XP users have already shrugged off the arrival of Vista, Windows 7 and Windows 8 without shifting operating system, they may think their first option is just to stay put. After all, Microsoft has had more than 12 years to patch the OS, so surely most vulnerabilities will have been found by now?
"I'm not a believer that you're not going to see anything else," said James Lyne, global head of security research at Sophos.
"There's been a healthy supply of [vulnerabilities] for many years now. It would be a turn-up for the books if all of a sudden that ceased to be a problem and the operating system magically became secure," added Lyne.
In fact, criminals may have been stashing away exploits to use once Microsoft has departed the scene, leaving the OS open to unpublished lines of attack, according to Gartner Research vice-president and research director Michael Silver.
"There's certainly a possibility of some vulnerabilities that were already known that haven't been exploited yet. From 8 April or 9 April you could see a number of attacks that people have been holding back," he said.
This pattern of behaviour has certainly been seen before, Sophos' James Lyne points out.
"For example, I remember with Mozilla Firefox, back in the days before Firefox would just update to the latest versions, we would see cybercriminals specifically targeting the versions that were no longer updated," Lyne said.
"They knew a significant number of people would still be running them. So in microcosm, it's a small example by comparison, that behaviour has been seen, but this is going to be somewhat of a first in terms of such widespread use of a platform."
As Microsoft Trustworthy Computing director Tim Rains pointed out last August, the company's own security updates for supported operating systems such as Windows 7 and Windows 8 involuntarily provide attackers with intelligence about flaws in older operating systems.
Criminals can reverse-engineer patches for supported operating systems issued by Microsoft and apply the vulnerabilities they uncover to no-longer-updated Windows XP devices. Reverse-engineering a patch can be an incredibly helpful indicator of how to go about writing an exploit for an unannounced vulnerability, according to Sophos' James Lyne.
"While security researchers are going to move to the new platforms and Microsoft will be focusing on patching the new stuff, their work in those spaces is likely to reveal flaws in the no longer patched and maintained Windows XP," Lyne said.
Lyne also stresses that although Windows XP and, say, Windows 7 are very different operating systems in terms of security, they still share a massive code base.
"Looking at, for example, lots of the common libraries and DLLs that you call when writing applications, just from my experience producing some of this stuff, there is a lot of commonality between the platforms and indeed there must be to maintain backwards-compatibility. So it's somewhat by design."
Even last April, when there was still one year of support to go, Ovum principal analyst Roy Illsley argued that insufficient time remained for substantial migrations using traditional methods, which, depending on size, he reckoned can take anything from two to three years.
Certainly, the experience of budget airline easyJet supports that estimate. It started migrating an estate of 2,500 laptops and desktops from XP to Windows 7 in 2010 and completed the project last year.
Sophos' James Lyne believes one of the key measures that companies running Windows XP in some form should still undertake is to work out the extent of the problem by surveying the IT estate.
"A lot of organisations will have these devices here, there and everywhere, hidden in corners, connected to projectors in meeting rooms, you name it, these desktops have got around. Discovering them is the key to being able to manage and assess that risk," he said.
At this late stage it is important for businesses to focus on measures that are not only effective, but also relatively cheap and easily accomplished, such as limiting XP use to approved applications, according to Gartner's Michael Silver.
"Whitelisting software in a lot of cases is actually included in a lot of organisations' anti-malware suites but most probably aren't using it," Silver said.
"In a typical environment it's hard to understand what everyone needs to run, and you don't want to affect their jobs. But when security starts becoming an issue, the organisation may have a bit more clout to be able to implement that sort of thing," he said.
Measures that Silver classes as simple but effective include ensuring anti-malware software will continue to be supported under Windows XP, switching the browser to a supported one, locking down the workstation and taking away admin rights if users have them.
"The exploits that are already in these older browsers are fairly hideous. You're talking about connecting a system that you could effectively sneeze on and get backdoor access," he said. "So I would definitely be particularly cautious of the likes of internet-connected XP systems where it's going to be very difficult to control the risks."
"It's all about building enclaves. You want to put these systems of higher risk into isolated network zones and use network security and firewall technology to do heightened inspection on those devices." (James Lyne, Sophos)
"Windows Server 2003 is supported until July 2015. So if you're looking at a server version that's similar to XP, that would be the release.
"Looking to try to run applications on Terminal Services for an application that requires Windows XP, Server 2003 may be the way to go and it does buy you 15 months. Of course, it only buys you 15 months but it certainly could be a decent short-term fallback."
Last year, Ovum principal analyst Roy Illsley said many of those organisations that have still to make the move from XP would look to desktop virtualisation for a solution.
"If they do a desktop virtualisation-type approach, whether they go fully desktop-virtualised or whatever, they can still get some useful tools to help get over 80 to 90 percent of the problem," he said.
Gartner's Michael Silver is wary of the idea that cloud-based productivity suites, such as Office 365, could provide a short-term answer to XP problems.
"Switching to a cloud-based Office product is not a trivial sort of thing. There are a lot of things that won't work. Certain users may be able to use it, other users may not. That project really requires a year, a year and a half, of investigation and testing before you would implement it," he said.
"For an organisation that's trying to scramble and do things quickly, probably if they're trying to do Windows XP and Office at the same time and they are so far behind, I would probably try and get them not to do the Office product and save that for a little bit later because you can do that remotely and the risk is a bit lower.
"But if people were to make a decision in haste and try to move to something really quickly, that just has disaster, loss of compatibility, loss of productivity written all over it."
Arkoon is one of the few third-party companies offering extended support for Windows XP.
"Certainly Microsoft uses that as a bit of a stick to try to get organisations to move rather than sign up."
Silver thinks third-party support, such as that offered by Arkoon, is in surprisingly short supply, especially given the scale of the XP user base.
"I'm surprised that there aren't any other folks out there that are targeting that because it's going to be a fairly big market although the window of opportunity is probably pretty small," he said.
"We may be in the 20 percent range on 8 April in terms of PCs running Windows XP but probably down to the mid-single digits by the end of the year."
Other companies have set out Windows XP support plans for their products. For example, Google has announced its Chrome browser will support Windows XP until at least April 2015.
"Unfortunately, when you have a platform like Windows XP, if a new zero day (although technically it's going to be an infinite zero day) enables exploitation at the system level of the device, that exploit would get in underneath the antivirus before the AV gets the chance to scan it."
Staff working from home on their own Windows XP devices may also constitute a further security issue, according to Lyne.
"Any good security manager these days needs to recognise that people's home devices are an extension of their infrastructure," he said.
"People will use corporate services, data and social media on their home systems and potentially they will be a backdoor into that corporate environment."
Lyne says in many cases those machines may be granted a level of access, for example, via a VPN.
"They probably browse around the internet on that system with a nice, no-longer patched and updated browser, get infected, connect to the VPN and provide the attackers with back-door access to the corporate network. That's a very realistic attack vector," he said.
"Even if those systems aren't connected to the company network via a VPN, they still pose a risk given that a lot of people tend to take work home to work on those systems.
"So even if there's no direct connection between them, they may potentially put company data, credentials or intellectual property at risk on their employee systems."
Lyne said people tend to think about the core part of a network and the desktops that they may have deployed themselves.
"But people's systems that they brought in on a bring-your-own-computer or bring-your-own-device basis, people's home-use systems, the broader environment, I've seen very few considering that stuff yet," he said.
"This stuff has casually wound itself into so many different parts of our infrastructure. The problem is everybody forgets about things like the building management system or XYZ black box. They see it as a black box that performs a function rather than something running Windows XP."
Even many modern printers and scanners run versions of Windows XP in enterprises.
"They'll be sitting plugged into the network, running a no-longer-maintained, vulnerable operating system with the hope that the printer manufacturer locked it down enough that it's never going to be a problem," Lyne said.
Many of these devices run a base XP that has never been patched because it has relied on being locked down and inaccessible.
"For some of the systems in that configuration, certainly not all of them, this April date doesn't make it any worse, other than it may flare the interest of attackers and get them to focus on trying to attack this platform a little more than they previously would have done," Lyne said.
"If I were a security manager for an organisation, I'd be running around frantically looking at my printers, my faxes, my scanners, my building-management system, all those black-box devices that normally no one thinks about. I wouldn't assume anything and I'd be validating each and every one of them."
"There are a lot of organisations that really haven't taken this all that seriously and hopefully they won't get hurt too badly by it."