Windows XP – Waiting for the Other Shoe to Drop

As nearly everyone knows, Microsoft ended all support for Windows XP on April 8. To Microsoft’s credit, they chose to include Windows XP in the emergency patch that they pushed out last night for the “zero day” IE/Flash vulnerability, even though they didn’t have to, and had initially indicated that they wouldn’t. (Of course, the bad press that would have ensued had they not done so would have been brutal. Still, kudos to them for doing it. Given that so many of us criticize them when they do something wrong, it’s only fair that we recognize them when they do something right.)

But what about next time?

The fact is that if you are still running Windows XP on any PC that has access to the Internet, your business is at risk – and that risk will increase as time goes on. The IE/Flash issue should be a huge wake-up call to that effect.

Windows XP was a great operating system, and met the needs of most businesses for many, many years. However, Windows 7 and Windows 8 really are inherently more secure than Windows XP. Moreover, the realities of the software business are such that no vendor, including Microsoft, can continue to innovate and create new and better products while simultaneously supporting old products indefinitely. The “End of Life” (EOL) date for WinXP was, in fact, postponed multiple times by Microsoft, but at some point they had to establish a firm date, and April 8 was that date. The patch that was pushed out last night may be the last one we see for WinXP. When the next major vulnerability is discovered – and it’s “when,” not “if” – you may find that you’re on your own.

Moving forward, it’s clear that you need to get Windows XP out of your production environment. The only exception to this would be a system that’s isolated from the Internet and used for a specific purpose such as running a particular manufacturing program or controlling a piece of equipment. Unfortunately, a lot of the Windows XP hardware out there simply will not support Windows 7 or Windows 8 – either because it’s underpowered, or because drivers are not available for some of the hardware components. So some organizations are faced with the prospect of writing a big check that they weren’t prepared to write for new hardware if they want to get off of Windows XP altogether – and telling them that they had plenty of warning and should have seen this coming may be true, but it isn’t very helpful. Gartner estimates that between 20 and 25 percent of enterprise systems are still running XP, so we’re talking about a lot of systems that need to be dealt with.

Toby Wolpe has a pretty good article over on zdnet.com about 10 steps organizations can take to cut security risks while completing the migration to a later operating system. The most sobering one is #9 – “Plan for an XP breach,” because if you keep running XP, you will eventually be compromised…so you may as well plan now for how you’re going to react to contain the damage and bring things back to a known-good state.

One suggestion we would add to Toby’s list of 10 is to consider moving to the cloud. Many of the actions on Toby’s list are intended to lock the system down by restricting apps, removing admin rights, disabling ports and drives, etc., which may make the system safer, but will also impact usability. However, a tightly locked-down XP system might make an acceptable client device for accessing a cloud hosted desktop. Alternately, you could wipe the XP operating system and install specialized software (generally Linux-based) that essentially turns the hardware into a thin client device.

But the one thing you cannot do is nothing. In the words of Gartner fellow Neil MacDonald (quoted in Toby’s article), “we do not believe that most organizations – or their auditors – will find this level of risk acceptable.”