Microsoft Ends Windows XP Support
Microsoft finally ends support for the venerable Windows XP in early 2014. Essentially this means they will no longer issue updates — both bug and security fixes. The absence of bug fixes is not a big deal; the average user hasn't needed any major bug fixes for years. But security updates are still critically important.
Soon, any security holes discovered in Windows XP will go unpatched and it will become increasingly unsafe to use. After 14 years and hundreds of security updates, security faults are still being discovered and there's no reason to expect they will all be fixed by the time support ends. There is also the likelihood that the hacker community knows about many security vulnerabilities that they are keeping quiet about.
Any Windows XP systems that interact with the Internet will have to be replaced or, where not immediately possible, remediated in some way. Even aside from security issues, managing and operating Windows XP systems is going to become harder from now on, as vendors withdraw their support. Replacing those workstations should be at the top of your list for new IT expenditure.
Mitigating Security Issues
From a security perspective, there are three major ways most users have their Windows XP exposed to the internet.
- Browsing the Web. Internet Explorer (IE) 8 will become extremely unsafe to use. Despite the diversity in the web browser market, IE is still the most attacked, and the prevalence of Windows XP (there are still hundreds of millions of systems running Windows XP) will prove an irresistible target for hackers who will undoubtedly pay increased attention to faults in Internet Explorer on Windows XP which will never be fixed.
Mitigation: Mozilla has announced continued support for Firefox on Windows XP, so those users will have a safe browser to surf around with — for a while.
Additionally, Microsoft will continue to supply anti-malware signature updates for Security Essentials on Windows XP until 2015.
As for plugins, Adobe has continued to support Flash on Firefox for XP. However, Oracle has stopped issuing updates for Java 7, the last edition of the Java runtime that works on Windows XP. Java should now be considered to be unsafe on Windows XP. (Java 8 supports Windows Vista and above.)
Update, June 2014. The June 2014 Security Bulletin contains an update for Internet Explorer which resolves more than 50 security vulnerabilities. These affect the supported versions of Internet Explorer under Windows 2003, which was updated, and the now-unsupported versions of Internet Explorer in Windows XP, thus making IE under Windows XP extremely unsafe.
Update, April 2015. Google has announced they will continue to support and update Chrome for the remainder of 2015.
Update, November 2015. Google confirms support for Chrome on Windows XP/Vista will discontinue in 2016.
Update, April 2017. Firefox for Windows XP/Vista is now frozen at version “52.0 ESR”. No new features will be available for those platforms but there will be some security updates.
- Email. Malware distributed via email is making a huge comeback. While it infrequently attempts to exploit security faults in the host email client, old programs like Outlook Express are going to be increasingly vulnerable so even users who know not to open strange attachments or click links may fall victim to attacks.
Mitigation: Migrate Outlook Express mail stores to something else, such as Thunderbird or Windows Live Mail. Use spam filtering system provided by POP3 providers to block attachments where available.
- Remote Desktop services. Remote Desktop/Terminal Services is almost 20 years old and has been widely used for about 15 years. It's been remarkably secure, with only a relatively small number of security updates issued to close holes. Using Remote Desktop on workstations in the office is a handy way for staff to work from home, or out of hours, but this will now become extremely unsafe.
Mitigation: Some remediations available to reduce the attack surface are to use non-standard ports, limit accessibility to a smaller number of IP ranges or use a VPN, and refresh the passwords used to login.
Other applications that will require attention:
- Hosting Web Sites. Corporate and business users now rarely host websites on Windows XP on their own networks; typically web-applications are hosted from more modern operating systems. But if it's happening, it's enormously dangerous and can't be remediated at all unless you have the luxury of being able to restrict access to the site to a small number of known safe IP ranges.
- Peer-to-peer file networks. Generally, these are very dangerous at the best of times (not to mention questionable for copyright reasons) as they are awash with malware. But because P2P file systems use a lot of sophisticated networking techniques which open your system to connections from potentially millions of other internet systems, there's no telling what havoc may be unleashed if that traffic can exploit security holes in Windows.
- Encryption. Windows' internal enryption library schannel will no longer be updated, so flaws in protocols and ciphers will not be patched. To an extent this type of issue can be mitigated by hardening the encryption stack to disable the lower-end protocols which are most likely to become problematic.
What to upgrade to is less obvious. As of early 2014, if you walk into a retailer and buy a computer it will most likely have Windows 8 installed, and then you can upgrade to Windows 8.1 for free. Later in 2014 there will be more machines preinstalled with Windows 8.1. And yet there are still some corporate applications which aren't supported on Windows 8.x and so a mass-replacement of Windows XP straight to Windows 8.x may not be appropriate, whereas Windows 7 is now very widely supported. Fortunately Windows 7 is still being made available with new machines, generally the “business” ranges most vendors ship.
Nevertheless, Windows 7 presents its own challenges. It's usually shipped as 64-bit, whereas Windows XP was almost always 32-bit. Some older devices may not work, in particular very old printers, and the security model is more restrictive. So while we have found that these do not present significant problems, it is worthwhile checking the applications you rely on and how they will run under a more modern version of Windows (whether it be 7 or 8.x).