Almost 13 years after its release in October 2001 to a world still in shock after the 9/11 terror attacks, the sun is finally setting on Microsoft’s Windows XP. The operating system has been the software in many home and work PCs but for die-hard users who continue to use XP, danger that way lies.
All operating systems have a service life, and Windows XP has had an exceptionally long one. The problem for XP, short for extended user “eXPerience”, is that it is still being used on hundreds of millions of computers globally.
In February 2014, just under 30% of PCs around the world are still running XP, despite there being three later versions of Windows to choose from (Vista, Windows 7, Windows 8 and its tweak edition 8.1).
While some die-hard XP users will be in the process of moving on to Windows 7 or 8, there will certainly be those who soldier on after the expiry date on April 8. After all, XP is a robust operating system that has given them many years of service despite numerous patches and updates.
The problem for people who continue to use (internet-connected) XP after support ends will be a growing number of security vulnerabilities that will not be solved by the periodic updates and hot-fixes from Microsoft. Nor will those users be able to get technical support for any other problems they might have with XP.
Microsoft admits: “If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses.”
As in any ongoing war, when defenders withdraw from battle, attackers (and hackers) take advantage. They have almost certainly been making plans in anticipation of the day when millions of XP computers become more vulnerable. That day is April 8, 2014. Microsoft’s director of trustworthy computing, Tim Rains, issued a statement last August warning that security patches for later versions of Windows could inadvertently give cyber-criminals the information they need to reverse-engineer a successful attack on unsupported versions of Windows.
This can happen because under the skin, there is a large amount of program code in common between the different versions of the Windows operating system. So patch the code for Windows 7 and 8 and you reveal a potential flaw in XP that won’t be patched.
It is true that up-to-date XP still has reasonable capability to withstand attack, and anti-virus and malware detection software can do a good job. Nonetheless, the risks of being hacked will rise substantially, particularly when older internet browsers are still being used. The Microsoft Security Intelligence Report goes into detail for those who are interested.
Individual users can take the obvious course of updating to a later version of Windows at their convenience (and Microsoft offers some advice here), or they might take the opportunity to switch to an alternative operating system. There are several to choose from. For those on a budget, the growing number of online retailers selling computers at close to wholesale prices is making the purchase of new or nearly new equipment surprisingly affordable.
For organisations though, particularly larger ones, the task of migration can be a lengthy one that requires months if not years to complete, not the days and weeks left to them before the sun sets on XP support.
For these folks, some timely advice for staying safe is in order. The Information Security Manual, a publication of the Australian Signals Directorate (ASD), gives some useful advice for anyone wanting to protect themselves against the threat of cyber-attack.
- Application white-listing. A list of verified, trusted programs is created for the PC based on the job it is required to do. If these are the only programs permitted to be installed on the computer, then potentially dangerous programs (including Dynamic Link Libraries (DLLs), scripts and installers) cannot be executed
- Patching applications. As soon as they become available, install updates and fixes to the white-listed applications, including Java, PDF viewer, web browser, Microsoft Office and others. Older versions of internet browsers are particularly vulnerable
- Patching operating systems. Automatically download and install the latest security patches and hot-fixes as soon as they become available. The ASD specifically recommends not using Windows XP due to the inherent risk
- Restrict administrator privileges. Only those people whose job requires them to install and make changes to operating systems and applications should have admin access.
If implemented, these four security measures have proved to be very effective. For XP users, performing the three out of the four that are possible, plus using up-to-date anti-virus and anti-malware software, will go a long way to protecting an XP computer until you are ready to migrate to a supported operating system.
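As an added illustration of the application white-listing measure above (this is not code from the article or from the ASD guidance), the following Python sketch records the SHA-256 hash of each approved program and then reports any program, DLL, script or installer on disk whose hash is not on the list. The file names, the extension list and the sample contents are constructed for the example, and the script only audits; blocking execution is the job of the operating system's policy controls.

```python
import hashlib
import os
import tempfile

# File types the white-listing measure covers: programs, DLLs, scripts, installers.
# This extension list is an assumption for the example, not an official list.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".msi"}

def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_allowlist(trusted_paths):
    """Record the hash of each verified program; a file name alone is not trusted."""
    return {sha256_of(path) for path in trusted_paths}

def audit(root, allowlist):
    """Return executable content under root whose hash is not on the allowlist."""
    violations = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            if sha256_of(path) not in allowlist:
                violations.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(violations)

def demo():
    """Constructed sample: one approved program, a tampered copy, a stray DLL."""
    samples = {
        "payroll.exe": b"approved build 1.0",
        "copy/payroll.exe": b"approved build 1.0 + injected code",
        "helper.dll": b"unreviewed library",
        "notes.txt": b"not executable, ignored",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(content)
        allowlist = build_allowlist([os.path.join(root, "payroll.exe")])
        return audit(root, allowlist)

if __name__ == "__main__":
    print(demo())
```

The tampered copy is flagged even though it carries an approved file name, which is why the list is keyed on content hashes rather than names.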
To get really serious about this, see the full list of 35 Strategies to Mitigate Targeted Cyber Intrusions (and be ready for some fine print).
As the sun finally sets on venerable old XP, it is timely to reflect a moment on the end of an era when a single operating system dominated the market. Those days are fast disappearing with new paradigms of computing (Android, iOS, cloud computing, wireless mobile, open source) taking a growing share of the overall market. The folks at Microsoft must be more than a little concerned.
David Tuffley does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations. This article was originally published on The Conversation. Image credit: Microsoft