US-CERT advises WinXP users to dump Internet Explorer

News by Steve Gold

Users who are unable to stop using embedded versions of Windows XP should at least stop using Internet explorer and even then may have invalidated any cyber insurance that requires patch updates.

The US-CERT agency has added its weight to the rising tide of warnings about Windows XP going EOL (End-of-Life) on April 8, noting that Windows XP and Internet Explorer is a bad mix.

Interestingly, however, the US Computer Emergency Readiness Team has acknowledged the fact that some business - notably those that use embedded versions of XP - may have to remain with the ageing Windows operating system, saying that if you must use WinXP, then you should be using a more secure Web browser client.

US-CERT's warning comes as a raft of organisations are advising PC users to migrate to a more recent version of Windows as a matter or urgency - but many business users may have embedded versions of WinXP on the systems they (and their clients) use on a regular basis.

According to Sarb Sembhi, an analyst and director of consulting with Incoming Thought, users of systems such as ATMs and CCTV platforms are quite likely to be using an embedded version of WinXP - with no real economic alternative open to them.

"It is going to be difficult for them to migrate away from these systems, but the good news here is that most embedded Windows XP users won't be using a browser interface, so they have nothing to fear from this announcement," he said.

Sembhi - who is a leading light in ISACA, the not-for-profit IT security association – also warned, however, that businesses using any type of embedded WinXP system should check their cyber-security insurance cover conditions, as most insurance of this type, he says, has a primary condition of software being fully patched and up to date.

"This could create problems after 8 April when Windows XP will no longer be patched by Microsoft," he explained.

On top of this, the Incoming Thought analyst cautioned that any organisation that is subject to security audit requirements - such as that mandated by PCI DSS - is unlikely to pass muster on its WinXP system when the operating system goes EOL next month.

"Normally I would say that, if a business conducts a regular risk analysis process in connection with its IT systems, then they should be okay to use an embedded WinXP system, but the insurance and audit issues may be a problem. And since Windows XP is so old, I doubt that many businesses are using a desktop version of the operating system at this late stage," he said.

Back at US-CERT, the US government security agency has also warned against combining WinXP and MS-Office 2003 for similar security reasons.

“All software products have a life-cycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance,” says the agency in its advisory.

Bob Tarzey, an Analyst and Director of Quocirca echoed fellow analyst Sarb Sembhi's note of caution, saying that all security IT has an element of `belt and braces' in it.

"US CERT is right to advise against staying with XP, but if there is no short term choice, the advice to consider a non-Microsoft browser makes sense," he said, adding that this is especially pertinent given the fact that most Web browser clients are free to use.

"Using Internet Explorer with unsupported WinXP is like removing both the belt and braces," he concluded.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews