Should I stick with Windows XP: But how big a risk do you run?

Some organizations intend to keep using Windows XP even in the post-apocalyptic world after Microsoft ends support in 12 months. It’s a calculated risk and one they should weigh up carefully.

Even the spectre of security breaches and crashing apps is failing to convince some Windows XP-using organizations to abandon the OS before Microsoft cuts off support in a year's time.

Recent figures suggest one in five companies using XP plans to stick with it despite the April 8, 2014 deadline, after which no new patches or bug fixes will be issued.

Those organizations may be taking a calculated risk, assuming that Windows XP's longevity means major vulnerabilities have already been identified and dealt with, but that assumption is misplaced. It's a certainty that significant new vulnerabilities in XP will be uncovered in the future, if anyone wants to devote their time to it.

You'd be a fool to say every possible vulnerability has already been discovered and either mitigated or patched. I agree that the amount of scrutiny and field-testing to which XP, first released to manufacturers in August 2001, has been subjected plays in its favor. It should theoretically get progressively more difficult to uncover bugs in a system as widespread as XP. All that field-testing, all that field QA, is far more extensive than anything you could have hoped to achieve in a QA lab pre-release. By the same token, because it represents such a large target, it will be of continual interest to attackers and security researchers. With the sprawling amount of code that is Windows XP and its legacy nature – it's not by any token a next-gen operating system – there is a lot of space for vulnerabilities or defects in the code still to exist.

Application-level vulnerabilities

Even if XP were secure, there might be application-level vulnerabilities. It's not just the operating system that's going to be out of support. Almost every application running on it will also no longer be patched, because it won't be economically worthwhile for the application vendor. When Microsoft drops support, so will the application vendors – if they haven't already. If XP is no longer supported by Microsoft, I'd be surprised – I'm not saying it's not possible – to see many vendors offering updates. Do we see updates for Flash, or even for most anti-virus software, on Windows 95? Nope!

In the age of targeted attacks, one of the things attackers assess when doing reconnaissance is the operating systems and applications in use. If you're using something like Windows XP, it's absolute gold to an attacker, because they'll know that any vulnerabilities announced after a certain date will never be patched.

What can be done with continued XP use

However, those planning to carry on using XP after the deadline can take certain steps to limit their exposure to risk. I think it's important to say there are things you can do if, as an organization, you need to continue using XP – whether for cost reasons or for compatibility with certain applications or even certain hardware. There are technologies you could deploy that will allow you to continue using legacy systems, because that is what XP is going to become, like NT or even Windows 2000 before it. Probably one of the most important of those is host-based intrusion prevention technology, because it effectively allows you to apply a virtual patch to those unsupported environments: it can recognize that a vulnerability exists and make that vulnerability difficult or impossible to exploit even in the absence of a patch. So if you are going to carry on using XP, you will have to investigate mitigating technologies like host-based intrusion prevention.
