The unlocked door: End-of-support for Windows XP
The threat from unpatched systems is vast, and when Microsoft went ahead and ended support for Windows XP on April 8, thousands of machines became more vulnerable to attack.

Many firms have proven to be oblivious to the changes and are still due to upgrade. And this is a huge number. According to figures from, a Dublin-based web traffic analysis service, as of December 2013, the number of XP users was 18 percent of the global operating systems market.

But many in the industry believe this figure could reach across organizations, with isolated legacy machines running XP – forming an entry point for attack.

This is supported further by recent VMware research, which shows 94 percent of UK organizations had not completed a full migration, with only a third confident they would upgrade in time.

Windows XP end of life has been a long time coming: Microsoft announced it would drop support for the much-used operating system in April 2012, giving users two years to upgrade.

But even with January's announcement of an extension – until at least July 2015 – to anti-virus signatures and security scanning from Security Essentials, upgrading is not going to be an easy task: The cost of new hardware, as well as software applications, is huge. Worse still, the expense will get even bigger for companies which continue to use the operating system this year, with Microsoft hiking support prices after April 8.

On top of this, the malware written for XP is now rising as attackers realize the potential rewards. Initially the amount of new malware for XP decreased toward the end of life, says Gary Owens, EMEA senior product marketing manager at VMware. “However, now organizations that make malware have noticed people aren't upgrading and there has been a significant increase.”

Security Essentials

The figures on XP users could also be much higher than estimated. Andrew Mason, co-founder and technical director of RandomStorm, a UK-based network security, vulnerability management and compliance company, says more than 50 percent of his firm's customers are still using XP.

And judging from its January announcement of support for Security Essentials on XP until 2015, Microsoft also deems this risk to be significant. The move will see the software giant supply anti-malware signatures for Windows XP, but it does not mitigate the risks.

With Windows XP's end of life passed last month, there will be no more security updates, no fixes and no new patches, says Tim Rains, director at Microsoft's Trustworthy Computing.

Additionally, users will not be able to download and install Security Essentials after April this year.

“The return on investment of running XP has been really good, but it's time to move on,” Rains says. “Attackers are now having more success on XP.”

Between July 2012 and July 2013, Microsoft released 45 security updates for Windows 7 and Windows 8, with 30 of those patches also affecting XP. “Attackers will wait for us to release security updates and then they will test to see if those vulnerabilities exist on XP, and then they write exploit codes for it,” says Rains. “Over time, XP will become less and less secure.”

XP users can also install anti-virus products from third-party vendors, but these will not serve as a long-term solution. Rains warns: “To run anti-virus on XP is like building a house on top of quicksand. It will become less effective as the platform isn't being updated.”

The move by Microsoft to extend basic security support is not lacking in value, says David Emm, senior security researcher at Kaspersky. “But you can only patch a pair of trousers for so long before you need a new pair.”

From the May 2014 Issue of SCMagazine
