Dangers Ahead In Microsoft Dismissal Of Windows XP

Microsoft will no longer support its much-ballyhooed Windows XP platform beginning next April. The software giant is warning businesses and consumers that using the operating system beyond the support date could result in serious problems.

Once shelved by Microsoft, the operating system will no longer receive critical security updates, leaving gaping holes for attackers to gain access to sensitive files. Businesses slow to migrate to Windows 7 or Windows 8 could be strapped with implementing costly security measures, and consumers could be exposing themselves to data thieves and other activity, said Holly Stewart, a senior program manager of the Microsoft Malware Protection Center.

"The security features that were built at the time were as robust as we can make them, but today they are not adequate defenses," Stewart told CRN. "This is outdated technology that's been around for 12 years and over this time frame we have seen rapid growth in online criminal activity."

The Microsoft Security Intelligence Report, Volume 15, issued today, highlighted the risks of running unsupported software. Stewart said data execution prevention, one of a string of newer threat mitigation technologies implemented by Microsoft, is frequently bypassed in Windows XP.

The infection rate of Windows XP systems is also significantly higher, Stewart said. Windows XP users are six times more likely to be infected than users of Windows 8, the company's most modern operating system version.

Web traffic analysis firm StatCounter estimates that XP still makes up 21 percent of the worldwide OS market. A recent study conducted by Dimensional Research found that nearly half of the 500 IT professionals it surveyed haven't completed their migration off of Windows XP. About 16 percent haven't started. The process can be difficult because critical business applications can break.

Channel providers told CRN that organizations are more likely to replace endpoint systems than to upgrade existing systems to the latest operating systems. Licensing fees and labor costs don't make upgrades a cost-effective move, said John Oetinger of Missoula, Mont.-based solution provider Corporate Technology Group. Oetinger estimated that about 40 percent of the company's clients are still on Windows XP.

"The conversation about PC replacement or [virtual desktop infrastructure] is appropriate to have," Oetinger said.

Stewart said extended third-party Windows XP support is available, giving businesses technical and security assistance. "Custom support should be considered an avenue of last resort to help bridge the gap during a migration process to a modern OS, as the newest technologies provide the optimal chance to be and stay secure," Stewart said.

In addition to buying custom support, businesses also can deploy the Enhanced Mitigation Experience Toolkit (EMET) to bolster security capabilities in Windows XP. Companies also can consider whitelisting technology, locking down endpoint systems to only run trusted software. Simply using up-to-date antivirus is not an effective option, Stewart said.

"Running antimalware is not a great solution because it struggles to address threats targeting exposed vulnerabilities," Stewart said. "Antimalware products are less effective over time, so the system is still vulnerable even though the antimalware is running."

The problem also extends to other systems that use Windows XP at their core. Point-of-sale systems, healthcare devices and some manufacturing systems can be impacted, said Christopher Strand, a senior solutions consultant and compliance specialist for Bit9. Channel providers should be having a conversation with their clients, Strand said.

Strand said organizations should do a thorough assessment to gain visibility into the company's architecture and understand the systems running Windows XP. Organizations that haven't begun to migrate should develop a strategy on how to extend past the deadline, he said. Organizations should also bolster incident response plans to deal with the fallout of going past the support cycle, such as additional malware infections, Strand said.