Monthly Archive November 2013

Withdrawal of Windows XP Support in 2014 – what it means for us…..

I’ve collated some thoughts on what the withdrawal of support for Windows XP actually means and what we should do to protect ourselves come April 2014.

We know that Microsoft has announced that support for Windows XP SP 3 and Office 2003 will be withdrawn on 8th April 2014. Windows XP is now 12 years old and is probably Microsoft’s most successful operating system to date but things move on…

As of 8th April 2014, all of the following levels of support will cease:

Security updates,
Non-security hot fixes,
XP patch Tuesdays,
Free or paid assisted support options,
Online technical content updates.

We have jotted down some thoughts as to why support is being withdrawn, what this means and what to do about it. Afterall, it has some far reaching consequences at work and at home.

Why is support being withdrawn?
The support for Windows XP is being withdrawn in line with Microsoft’s Support Lifecycle Policy that was introduced in 2002. This was created in an attempt to ensure transparency and predictability of support for their products as well as ensuring Windows and Office products would have a minimum of 10 years support.

As we mentioned, Windows XP is now 12 years old, and has been superseded by Windows 7 and 8. In fact since August 2012, Windows 7 is now the most prevalent operating system with XP usage decreasing steadily every month.

What does it mean?
The big point here is that action is required. As of April 2014, there will be no more security updates or system patches issued by Microsoft and this will leave devices running XP exposed to risk of exploits:

Security & Compliance Risks: Unsupported and unpatched environments are more vulnerable to security risks. This may result in the failure of certain controls required for the likes of the PCI DSS or other internal or external audit bodies. It could then lead to the suspending of certificates and potential public notification of an organisation not being able to maintain its systems and customer information, (and no one wants to get into trouble with the Information Commissioners Office).
Vulnerability Exploits: As security updates will no longer be available, Windows XP will become “open season” for vulnerabilities. Criminals will attempt to “reverse engineer” exploits that have been patched in later version of Windows to see if they will affect Windows XP, apparently most of these exploits will be seen in XP. It has even been mentioned that malicious code developers are “saving up” XP exploits ready for release in April 2014….a frightening prospect.
Lack of Software Vendor Support: A recent Gartner report has suggested that software vendors may be less willing to support their products if they continue to run on Windows XP. In addition to this, PC hardware manufacturers will stop supporting Windows XP on new PC models. Windows XP Anti Virus Solutions may fall out of support quickly after April 2014.

What are the Benefits?
Updating to a supported operating system will help to protect against the issues of vulnerabilities being exploited that go hand in hand with running systems that are “out of support”. With many compliance programs such as PCI DSS (which will affect anyone using a computer to process payment cards), running a currently supported operating system is a must. Upgrading to a supported operating system will ensure that you can continue to provide a patched, stable and secure environment in which to work.
As technology moves on, hardware and software become more efficient and these benefits can be passed on to the end users. Faster hardware and more intelligent applications will mean greater efficiency and reduced support costs in the longer term.
Current computer virus trends show that Windows XP is almost 6 times more likely to be affected by malware than Windows 8. Migrating to a newer operating system brings additional security benefits over and above XP.

So, what can be done?
Initially, the question that needs to be asked is “What will best suit my needs?” It would be nice if you could get the new Windows operating system, install it and off you go. Unfortunately, life is never that easy. There are a couple of questions that need to be asked first:

  1. Will the computer hardware run a more modern operating system?
  2. Will my applications run on the new operating system?

If the answer to both these questions is “yes”, then a simple Windows upgrade is the easy answer. If the answer to either of these questions is “no”, then a migration plan should be devised now, as procurement of new hardware and software may be required.

In a worst case scenario, you may need to consider the possibility of using XP beyond April 2014, especially if critical applications or hardware cannot be migrated within the timescales. If this is the case, the answer may be to run them in virtual environments. This allows applications to be encapsulated with the addition of relevant code required to allow them to run in a new Windows operating system environment. It is worth noting however that any prolonged use of XP beyond April 2014 is only a temporary fix and a plan should be devised as soon as possible to migrate to a supported operating system.
In order to try and ease the burden, we should look at our current software and speak to the system vendors as well as Microsoft or a Microsoft Certified Partner. These guys should be able to assist in finding a suitable migration path.

To summarise, a migration plan to upgrade to a supported operating system should be investigated as a matter of urgency. Failure to act may lead to reduced efficiency for staff, loss of compliance with regulatory schemes such as PCI DSS and ultimately, potential for a security breach and the loss of sensitive data.

In reality, it is a question of when to migrate, rather than should we upgrade.

Information Security Consultant, SRM’s Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

SRM Blog

SRM Blog