The Windows XP Zombie Apocalypse

The countdown is finally over for those looking for extended life support for XP (unless they've inked a deal). But are they still secure?

Indeed, many vendors have already committed to continued support for Windows XP as a platform upon which their products will run, which sounds a lot more reassuring than it actually is in real-world terms.

Such 'protection' begins and ends with threats that target your web browser and email client, whereas the XP security argument has to begin and end with the not so small matter of the first time someone exploits a low-level OS vulnerability that enables them to circumvent any such AV defence.

At the very least, then, enterprises with XP devices still operating need to limit the use of browsing or email (preferably to zero) while locking those machines down to running specific 'safe' software as far as possible. Filter any traffic going to and from an XP device more aggressively, and up your monitoring of these devices. Isolate XP instances where possible, use whatever network security resources you have to up the inspection of them, and even consider running your instances of XP on Virtual Machines.
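One way to act on the monitoring advice above, as an added example that is not part of the original article: a Python script that scans web-proxy log lines for clients whose User-Agent reports Windows XP (`Windows NT 5.1`, or `5.2` for XP x64) and lists the destinations they reached outside an allow-list. The log format, host names, addresses and allow-list are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# XP reports "Windows NT 5.1"; XP x64 (and Server 2003) report "Windows NT 5.2".
# The User-Agent is client-supplied, so treat a match as a lead, not proof.
XP_UA = re.compile(r"Windows NT 5\.[12]\b")

# Assumed (constructed) log format: timestamp client method url status "user-agent"
LINE = re.compile(r'^(\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) \d{3} "(?P<ua>[^"]*)"$')

# Hypothetical allow-list: the only destinations XP machines are expected to reach.
ALLOWED = {"intranet.corp.example"}

# Constructed sample input.
SAMPLE_LOG = """\
2014-04-09T09:00:01Z 10.0.5.21 GET http://intranet.corp.example/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2014-04-09T09:02:17Z 10.0.5.21 GET http://news.example.com/index.html 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2014-04-09T09:03:40Z 10.0.5.21 CONNECT webmail.example.net:443 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2014-04-09T09:04:05Z 10.0.7.40 GET http://news.example.com/ 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
2014-04-09T09:05:52Z 10.0.5.33 GET http://downloads.example.org/tool.exe 200 "Mozilla/5.0 (Windows NT 5.2; Win64; x64; rv:28.0) Gecko/20100101 Firefox/28.0"
truncated line with no user-agent field
"""


def destination(method, url):
    """Host part of an absolute URL, or of a CONNECT host:port target."""
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def xp_web_activity(lines, allowed=ALLOWED):
    """Map each XP client IP to the sorted non-allow-listed hosts it requested."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not XP_UA.search(m["ua"]):
            continue  # unparseable line, or not an XP user agent
        host = destination(m["method"], m["url"])
        if host and host not in allowed:
            findings[m["client"]].add(host)
    return {client: sorted(hosts) for client, hosts in findings.items()}


if __name__ == "__main__":
    for client, hosts in xp_web_activity(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: XP user agent reached {', '.join(hosts)}")
```

Hosts that turn up here are candidates for the tighter filtering and isolation described above; an XP machine that never browses will not appear, so this complements an asset inventory rather than replacing one.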

All of this is good advice, but it's still akin to placing a sticking plaster on a gangrene-infected leg. The only real solution is amputation. It's not too giant a leap of the imagination though. There are plenty of IT security professionals out there supporting this scenario to suggest that the bad guys are already sitting on an XP zero-day or two, just waiting for security updates to expire before using it in the wild.

Some people point to nothing much having happened when Windows 2000 reached end of life status, back in 2010, and others point further back in time to the end of life of Windows 95. However, while the user base was large in both cases, more so in the case of Windows 95, the IT security threat landscape was entirely different.

Now that threatscape is both much broader by way of the number of devices that are at risk, and bizarrely also much more targeted by way of the end game. Fewer threats fall into the 'nuisance' category and far more have a payload of monetary gain. Only a fool would argue that the security threats today are not a lot more sophisticated than they were four years ago, and certainly in an entirely different league from 13 years ago when XP burst onto the scene.

The truth of the matter is that XP just isn't as prepared. Despite all the updates and patches, it remains unable at its very core to deal with the kind of threats out there today. Windows upgrades are not just about Microsoft hunting for more revenue (although obviously that's a part of it) but are also about improving the user experience and, most importantly from the perspective of the IT security professional, about bringing ever more advanced security to the OS. Sure, the haters will hate, as they say, but that's fact.

Each point upgrade of Windows has been more secure than its predecessor. XP is so old now that it stands to reason that even if it had not reached end of life, the devices running it would be considered more of a risk, in fact a significantly higher risk, from the security perspective than those running Windows 7 or 8.

Yes, the 'XP Apocalypse' scenario sounds similar to the 'Y2K Bug Disaster' in some ways. And everyone knows that never actually happened. However, one of the reasons the Y2K bug never materialised is that people were prepared, and took those preparations seriously. The same cannot be said of XP end of life. Plenty of people who should know better have buried their heads in the sand rather than commit the time and money required to move to a supported, and therefore better secured, OS platform.

Advice such as 'ensure any XP machines cannot access the internet via email clients or web browsers' is sound enough, given that most attacks are likely to come from this vector, but better advice is to smell the coffee and migrate away from XP as soon as possible. 
