Microsoft Zero-Day Reveals Windows XP Exposure, Say Experts


A wave of targeted attacks against serious vulnerabilities in Internet Explorer exposes the increased risk facing organizations still clinging to Windows XP, the venerable operating system that Microsoft stopped supporting this month, say security experts.

Microsoft issued a security advisory on Sunday, warning that every supported version of Internet Explorer is impacted by the vulnerabilities. The software giant didn't rule out an emergency, out-of-cycle update addressing the risky flaws, but one thing is nearly certain: Most Windows XP users are unlikely to receive the critical updates.

"Microsoft has said for a while now why you need to move off of XP," said Scott Fuhriman, an information security consultant who works as director of sales and product development for TierPoint, a Spokane, Wash.-based solution provider. "These kinds of vulnerabilities are going to continue to exist and if you're running on an unsupported operating system you are going to be increasingly exposed to more threats over time."


Organizations continue to cling to Windows XP, and despite declining numbers, solution providers told CRN that an estimated 10 percent of businesses have systems running the retired operating system. "Those users will likely remain vulnerable indefinitely," said J.J. Thompson, managing director and CEO of Rook Security, a security solution provider and risk management consultancy, adding that the risk exposure of those firms will also increase significantly over time.

Chris Hertz, CEO of New Signature, a Washington, D.C.-based Microsoft partner with a substantial cloud business, said the Internet Explorer XP security threat may loosen the purse strings of some enterprise customers that have yet to move off Windows XP.

"This gives IT some additional ammunition to show there is some exposure to the business," said Hertz. "Sometimes it's difficult for IT to get the businesses to spend money on an operating system upgrade unless the CEO sees tangible benefits. This is a red flag for the business. It's an example of what is going to happen continually over the next two to three years if customers don't upgrade."

Hertz said the Internet Explorer threat is by no means a call for corporate customers to "panic" but rather to be "pragmatic" and move to rectify the XP threat. Large organizations that depend on XP to run custom, business-critical applications can purchase expensive dedicated support from Microsoft to receive updates. Other firms have manufacturing systems, point-of-sale kiosks or own and maintain automated teller machines that use a restricted form of Windows XP, according to security experts and sales executives interviewed by CRN.

"These are larger customers that have delayed migration because they have gone through acquisitions with decentralized management and geographically distributed hardware. That has made moving to a new OS challenging," Hertz said.

Security experts advocate a mixture of application whitelisting, network segmentation and other measures to restrict Windows XP systems and isolate them from critical parts of the network. Businesses also need to proactively monitor their networks to ensure that architecture changes don't introduce a way for attackers to move from one network segment to another.

An analysis of the latest Microsoft zero-day threat conducted by FireEye showed that the attacks won't work if Adobe Flash is not installed on systems. The criminals behind the campaign use a malicious Shockwave Flash file to carry out the attack. Removing Adobe Flash is not a silver-bullet approach, according to the U.S. Computer Emergency Readiness Team, which said an attack without the use of Flash may be possible.

The attacks are targeted in nature, but TierPoint's Fuhriman said businesses, especially smaller firms, should not consider their users immune to targeted attacks. Subcontractors and other third-party support firms can be impacted, he said. Once Microsoft engineers develop and push out a patch, other cybercriminals will attempt to create an exploit.

"There is a trickle-down effect, and at some point those other smaller organizations will find themselves at increased risk," Fuhriman said. "This is why it behooves everybody to be aware of the threats and vulnerabilities that exist and monitor how their partners are addressing them."

All users, including those still running Windows XP, need to consider an alternative browser to effectively negate the specific attack, said Jeremy Scott, a senior research analyst at Solutionary, a managed security service provider subsidiary of NTT Group. Scott said organizations should consider implementing Enhanced Protected Mode in Internet Explorer for added restrictions, such as preventing software from installing. Microsoft's Enhanced Mitigation Experience Toolkit is also a good way to bolster security.

"If an organization uses a content inspection proxy at the perimeter, they could block flash content at that point to reduce the administrative overhead on the client systems until a fix has been released," Scott told CRN. "Of course, this requires the organization to control all ingress and egress points so that users cannot go around the proxy."
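The FireEye analysis above notes that the campaign delivers its exploit in a Shockwave Flash file, and Scott suggests blocking Flash content at a content inspection proxy. The following added example (not from the article, FireEye, Solutionary or any proxy vendor) shows the decision logic such a filter needs: it checks both the declared Content-Type and the SWF file signature, so a Flash file served under a misleading type or extension is still caught. The HttpResponse class and sample responses are constructed for illustration.

```python
"""Proxy-side Flash (SWF) filter decision, as an illustration of the
perimeter blocking the article describes (hypothetical, not a real proxy)."""
from dataclasses import dataclass

# Content types under which Flash movies are normally served.
FLASH_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/vnd.adobe.flash.movie",
}
# Every SWF file starts with FWS (uncompressed), CWS (zlib) or ZWS (LZMA),
# followed by a one-byte format version.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


@dataclass
class HttpResponse:
    url: str
    headers: dict   # header names lower-cased
    body: bytes     # the first few bytes of the entity body are enough


def is_swf_body(body: bytes) -> bool:
    """True if the body starts with a SWF signature plus a version byte."""
    return len(body) >= 4 and body[:3] in SWF_MAGIC


def declared_flash(headers: dict) -> bool:
    """True if the Content-Type header (ignoring parameters) names Flash."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype in FLASH_MIME_TYPES


def filter_decision(resp: HttpResponse) -> str:
    """Return 'block:<reason>' or 'allow' for a single HTTP response."""
    if declared_flash(resp.headers):
        return "block:content-type"
    if is_swf_body(resp.body):
        return "block:magic-bytes"   # mislabelled SWF is still caught
    return "allow"


# Constructed sample responses (not real traffic).
SAMPLES = [
    HttpResponse("http://example.invalid/movie.swf",
                 {"content-type": "application/x-shockwave-flash"}, b"CWS\x0a\x00\x00"),
    HttpResponse("http://example.invalid/download.bin",
                 {"content-type": "application/octet-stream"}, b"FWS\x08\x00\x00"),
    HttpResponse("http://example.invalid/index.html",
                 {"content-type": "text/html"}, b"<!doctype html>"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(filter_decision(r), r.url)
```

As Scott points out, this only helps if every egress path is forced through the proxy; a client that can reach the Internet directly bypasses the check entirely.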

PUBLISHED APRIL 28, 2014