The Windows XP Zombie Apocalypse

The countdown is finally over for those looking for extended life support for XP (unless they've inked a deal). But are they still secure?

Indeed, many vendors have already committed to continued support for Windows XP as a platform upon which their products will run, which sounds a lot more reassuring than it actually is in real-world terms.

The start and finish of such 'protection' is really just threats that target your web browser and email client, whereas the start and finish of the XP security argument has to be the not-so-small matter of the first time someone exploits a low-level OS vulnerability that enables them to circumvent any such AV defence.

At the very least, then, enterprises with XP devices still operating need to limit the use of browsing or email (preferably to zero) while locking those machines down to running specific 'safe' software as far as possible. Filter any traffic going to and from an XP device more aggressively, and up your monitoring of these devices. Isolate XP instances where possible, use whatever network security resources you have to up the inspection of them, and even consider running your instances of XP on Virtual Machines.

All of this is good advice, but it's still akin to placing a sticking plaster on a gangrene-infected leg. The only real solution is amputation. It's not too giant a leap of the imagination though. There are plenty of IT security professionals out there supporting this scenario to suggest that the bad guys are already sitting on an XP zero-day or two just waiting for security updates to expire before using it in the wild.

Some people point to nothing much having happened when Windows 2000 reached end of life status, back in 2010, and others point further back in time to the end of life of Windows 95. However, while the scale of both from the user base was large, more so in the case of Windows 95, the IT security threat landscape was entirely different.

Now that threatscape is both much broader by way of the number of devices that are at risk, and bizarrely also much more targeted by way of the end game. Fewer threats fall into the 'nuisance' category and far more have a payload of monetary gain. Only a fool would argue that the security threats today are not a lot more sophisticated than they were four years ago, and certainly in an entirely different league from 13 years ago when XP burst onto the scene.

The truth of the matter is that XP just isn't as prepared. Despite all the updates and patches, it remains unable at its very core to deal with the kind of threats out there today. Windows upgrades are not just about Microsoft hunting for more revenue (although obviously that's a part of it) but are also about improving the user experience and, most importantly from the perspective of the IT security professional, about bringing ever increasingly advanced security to the OS. Sure, the haters will hate, as they say, but that's fact.

Each point upgrade of Windows has been more secure than its predecessor. XP is so old now that it stands to reason that even if it had not reached end of life, the devices running it would be considered more of a risk, in fact a significantly higher risk, from the security perspective than those running Windows 7 or 8.

Yes, the 'XP Apocalypse' scenario sounds similar to the 'Y2K Bug Disaster' in some ways. And everyone knows that never actually happened. However, one of the reasons the Y2K bug never materialised is that people were prepared, and took those preparations seriously. The same cannot be said of XP end of life. Plenty of people who should know better have buried their heads in the sand rather than commit the time and money required to move to a supported, and therefore better secured, OS platform.

Advice such as 'ensure any XP machines cannot access the internet via email clients or web browsers' is sound enough, given that most attacks are likely to come from this vector, but better advice is to smell the coffee and migrate away from XP as soon as possible. 
