The threat from unpatched systems is vast and if Microsoft goes ahead with ending support for Windows XP on April 8, thousands of machines are about to be open to attack.
Many firms have proven to be oblivious to the planned changes and are still to upgrade. And this is a huge number. According to figures from Statcounter.com, as of December 2013, the number of XP users was 18 percent of the global operating systems market.
In the UK, this is just over eight percent. But many in the industry believe this figure could reach across organisations, with isolated legacy machines running XP forming a weak entry point for attack.
This is supported further by recent VMware research, which shows 94 percent of UK organisations had not completed a full migration, with only a third confident they would upgrade in time.
Windows XP end of life has been a long time coming: Microsoft announced it would drop support for the much-used operating system in April 2012, giving users two years to upgrade.
But even with January's announcement of an extension – until at least July 2015 – to anti-virus signatures and security scanning from Security Essentials, upgrading is not going to be an easy task: The cost of new hardware, as well as software applications, is huge. Worse still, the expense will get even bigger for companies which continue to use the operating system this year, with Microsoft hiking support prices to around £120 per PC after April 8.
On top of this, the malware written for XP is now rising as attackers realise the potential rewards. Initially the amount of new malware for XP decreased towards the end of life, says Gary Owens, EMEA senior product marketing manager at VMware. “However, now organisations that make malware have noticed people aren't upgrading and there has been a significant increase.”
The figures on XP users could also be much higher than estimated. Andrew Mason, co-founder and technical director of RandomStorm, told SC Magazine UK that more than 50 percent of his firm's customers are still using XP.
And judging from its January announcement of support for Security Essentials on XP until 2015, Microsoft also deems this risk to be significant. The move will see the software giant supply anti-malware signatures for Windows XP, but it does not mitigate the risks.
When Windows XP's end of life passes in April 2014, there will be no more security updates, no fixes and no new patches, Tim Rains, director at Microsoft's Trustworthy Computing, tells SC Magazine UK.
Additionally, users will not be able to download and install Security Essentials after April this year.
“The return on investment of running XP has been really good, but it's time to move on,” Rains says. “Attackers are now having more success on XP.”
Between July 2012 and 2013, Microsoft released 45 security updates for Windows 7 and Windows 8, with 30 of those patches also affecting XP. “Attackers will wait for us to release security updates and then they will test to see if those vulnerabilities exist on XP, and then they write exploit codes for it,” says Rains. “Over time, XP will become less and less secure.”
XP users can also install anti-virus products from third-party vendors, but these will not form a long-term solution. Rains warns: “To run anti-virus on XP is like building a house on top of quicksand. It will become less effective as the platform isn't being updated.”
The move by Microsoft to extend basic security support is not lacking in value, says David Emm, senior security researcher at Kaspersky. “But you can only patch a pair of trousers for so long before you need a new pair.”
And after April, every loophole is going to be a zero-day exploit, warns Emm.
Laurie Mercer, a senior consultant at technical consultancy company Context Information Security, agrees. “There will be zero-day bugs. Last week, there was one and it was fixed, but once support for XP runs out it won't be. It's like leaving the door of your house open.”
Microsoft's Rains says the most common attack is the drive-by download, which also uses unpatched vulnerabilities. “This is why after the end of support for XP, people can get compromised just by visiting a web page,” he warns.
Additionally, many firms are compromising themselves further by running obsolete software on top of XP. Mercer says he has seen big companies using Internet Explorer 6. “They're using apps that only support Explorer 6. These can be things like HR, but I have seen standard builds with IE6.”
Other experts have seen similar situations, even in large firms. “I have seen a Windows XP machine that was unpatched and it was compromised in 15 minutes,” says Andrew Lambert, senior consultant, infrastructure technology at Waterstons.
So what can be done to mitigate the risks? Lambert advises firms with some machines still running XP to make sure they have them patched until April 8. “Ideally you want to upgrade, but there are things you can do,” he says. “You must make sure systems are patched as far as they can be and that they cannot infect anywhere else. XP machines should be isolated from the rest of the network. You can create a firewall or a separate network. If the PC is really old, you could disconnect it all together.”
But protection does not just stop at XP. Microsoft recently announced that it will only be a year until Windows 7 goes into extended support mode, with end of life coming up in 2020. Microsoft has two agendas, says James Lyne, global head of security research at Sophos. Security patching and trying to encourage regular transition to new operating systems.
“Microsoft is trying to get regular transition like Apple and like the mobile market,” he says. “It is both a business strategy and a security strategy.”
A risky business
As a multitude of new operating systems enter the workplace, patching is the most basic yet integral form of mitigating attack, experts agree. In 2013, there were huge increases in malware and this is set to get worse, Lyne says. “This leveraged old, known vulnerabilities for which a patch exists. The malware distribution market is empowered by people that don't patch. New features and code changes introduced quickly means it's harder for enterprises to test.”
The risk of a compromised XP machine is made worse by the fact that an infection on the operating system is “really difficult” to deal with, says Sean Sullivan, security advisor at F-Secure. “So it's about preventing attack.”
But it is not just down to Microsoft to protect XP. Other software providers need to prepare as well. While some are already doing this, Oracle's latest version of Java will no longer run by default in XP.
“I think you have to worry about the commoditised stuff,” says Sullivan. “A hospital in Finland recently got compromised by a bot. People were concerned about data, but it was just an opportunity attack. In the short term, we will see a lot of attacks with things that clog up the networks.”
Adding to the challenge is the fact that Windows XP does not just appear in PCs – much furore has emerged over its use in cash machines. However, these use an embedded version and security in this instance is done in a different way. These units are not connected to a network. To compromise one, attackers must use physical means, such as a CD or USB.
Instead, the risk might be bigger in the Windows XP version that often turns up on point-of-sale (PoS) terminals, which can then be used to compromise a network. This is because many point-of-sale machines running XP are linked into accounting systems and to a data centre, says Mercer. “If you are an attacker, you will go in via the XP machine and reach the other machines,” he says. “You are able to take complete control. It's a way of leveraging. You go for the weakest link in the chain and that's XP.”
Also, any device that handles credit card information will no longer be compliant with the Payment Card Industry (PCI) standards after April, as it will fail the “obsolete software” requirements, says Ross Barrett, senior manager of security engineering at Rapid7. “The biggest challenge will be for businesses with a heavy investment in point-of-sale devices running XP Embedded,” he says. “The recent Target breach in the US shows just what a highly desirable target these devices are.”
Linux: The hidden threat
Windows XP systems are not the only risk on enterprise networks. Another hidden security threat comes in the form of the Linux operating system, which can appear on servers and ‘Internet of Things' devices and be left unpatched for years.
Linux is more complex to set up than Windows and is therefore easier to misconfigure. Despite a reputation for being unbreakable, Linux can still run vulnerable software, says Mercer. “It tends to appear on things like databases and servers. With Linux you find an exploit that allows you to control the computer, and they usually aren't running anti-virus.”
This is partly because the same attention is not paid to Linux. “When you go to most SMEs – a lot of big firms too – most of their security investment in terms of patching and security controls is focused on Windows and Windows servers,” Lyne says. “I can't tell you how many times I have found a collection of Linux servers running a company website or customer database.”
However, there are ways of automating patching with Linux, says Emm, though there is a caveat. “When you get to the point of doing that, you need to look at issues like, What about the software we are installing? Is it secure? Did we change the password? And, once you know, how do you sort out the ongoing maintenance?”
Coping with change
According to Mercer, the key to keeping secure is a combination of patch management and intrusion detection. “The idea is, you want to slow attackers down enough so you can catch them in that time.”
Firms should also have policies in place to make sure devices are patched as regularly as possible. And on top of this, monitor their networks, says Andy Aplin, CTO, Accumuli.
As more users take their own smartphones and tablets into the workplace, adding on network access control means devices are validated before one even goes on the network, Aplin says.
“It comes down to risk management,” says Rains. “Some customers are trying to isolate XP systems. Do they really need internet access? Isolating the network segment not connected to the internet begins to manage the risk of attack.”
But, businesses might have a line of apps on XP so that when they look at migrating it will not be as easy as they thought, says Rains. He advises firms in such a position “to look at things like virtualisation”.
XP computers should be identified and not given full access to the domain, agrees Sullivan. “Smart businesses should think about segregated networks.”
Patching – whether Microsoft-supported or Linux – forms an integral part of any security strategy. Without it, attackers can get easy access to the network, through the weakest link in the chain. And from April 8, that is XP.