XP’s Penalties for Success
Update: Starting April 6, 2014 Best Buy is offering a $100 credit towards the purchase of a new PC, including Chromebook.
This year’s Y2K is 4-8-14. On the off chance you haven’t heard, Microsoft will be ending support, updates, patches, etc. for Windows XP on April 8, 2014. Microsoft Security Essentials will continue to function and receive updates, for a limited time.
To stay protected, Microsoft recommends upgrading existing hardware to Windows 8.1 or acquiring new equipment.
I had a lot of fun with Windows XP! Looking at the spectrum of operating systems offered by Microsoft, XP was by far the most successful of the bunch. For several reasons, I regret to see support for it finally go away but then again, unfortunately, that’s the inevitable fate of all good technology. Anybody want to buy a Zip Drive?
So what made Windows XP so successful? Wolfgang Goerlich, Vice President of Consulting Services for VioPoint, makes a very interesting antithetical point, “I see it less as Windows XP’s success and more as the success of cloud and Web services.”
Goerlich explains, “Windows XP was the first enterprise ready OS from Microsoft, and it hit at a time when most software was on the desktop. The desktop fleet aged at the same time enterprises shifted from desktop software back to server-side software. The success in these services extended the life of Windows XP. The cloud’s success meant under-investing in the desktop fleet, thereby extending Windows XP’s lifespan.”
Ubiquity is the problem with successful software, along with its undesired byproduct: cybercriminals aggressively seeking holes to exploit for their benefit.
From a security standpoint, the information security community is all too intimate with MS08-067 on Windows XP, Vista, Server 2003 and 2008. The global deployment of this successful operating system for end users drew focused searching for software defects, yielding a total of 726 CVE entries for 965 vulnerabilities addressed by 187 patches, according to CVE Details. Compared to other Microsoft operating systems, Windows XP holds the record for the most CVE entries and vulnerabilities of all time, trumping Windows 2000 by a difference of 218 CVE entries and 299 reported vulnerabilities.
Success has its penalties.
On one hand, Microsoft has the right to sunset support for its proprietary 12-year-old operating system. In IT dog years (3 months in IT = 1 year for everyone else), XP lived to be about 48 years old. Most of us would love to retire that young.
On the other hand, at what point does Microsoft’s right to end-of-life a product’s support border on the threshold of irresponsibility to shackled end users unable to upgrade to a “more secure OS” and/or can’t afford to purchase a new PC?
Post your opinions in the comments below; we want to know your thoughts.
Maintaining old code is expensive. But do the lingering few who are unable to follow Microsoft’s advice to upgrade or purchase feel as if the cost is shifting to them?
Replacing Windows XP will adversely affect IT efficiency as it will “take significant time and resources for our IT staff of three to replace 100s of PCs,” stated Andrew Fligor, Vice President of IT at Ritzman Pharmacy, which is a retail chain in Northeast Ohio. If smaller businesses with a staff of three feel the inconvenience, clearly organizations with thousands of Windows XP upgradable devices will feel a heavier burden.
Fligor continued, “I can see the advantage of Windows 7 in a multitasking office environment. However, in a retail store environment, the operating system literally only exists so that we can run one application, a pharmacy management system. We don’t get any business advantage by upgrading, with the exception being we have to for security.”
For many, the project to upgrade Windows XP will arrive unplanned, as it did for Ritzman Pharmacy. They will need to push back or eliminate other projects intended to improve customer satisfaction, lower costs, increase efficiency, improve their security posture, or even achieve compliance.
The effort to be compliant is difficult enough for organizations like Ritzman Pharmacy that have no security staff. Security consulting firms, such as VioPoint, are being asked to address the concern “that Windows XP will become even more of a target. We can expect that unpatchable exploits will be released immediately following end-of-life,” continued Goerlich.
How will Microsoft respond after April 8, 2014, when a Windows XP 0-day is released without a security hot-fix to soothe the public cries?
Shoulders are shrugging.
Translating compliance to embedded devices for automated system controls in Supervisory Control and Data Acquisition (SCADA) networks is very, very important for national and public safety. Control system IT management shares the same pain as IT management in the healthcare industry and banking services.
Worldwide, there are an estimated 2.2 million ATMs in production running an embedded version of Windows XP. You decide if banks potentially losing money from a compromised ATM is a higher priority than losing lives. Five of the largest United Kingdom banks are joining together to pay Microsoft for continued support for their ATMs.
The challenge to the healthcare providers is to be able to check the compliance box for embedded medical systems that are not upgradable. When asked about this issue, Fligor responded, “We have specialty medical equipment that has XP embedded into the device. Ritzman literally cannot upgrade it, and the vendor isn’t offering a Windows 7 version yet.”
Update: After this article was published, it came to light that Windows XP Embedded support for the non-Professional version, which is the same as the desktop, will extend beyond the 4-8-14 deadline.
How helpful would it be if the vendors provided a trade-in discount for new equipment, retrofitted the old hardware for Windows 7 and sold it at a discount as refurbished?
In a former life, I recall working with a hospital to protect an embedded Windows XP device that monitored heart and lung activity. An interruption of that device’s ability to perform its primary function could result in severe consequences.
Fortunately, anti-virus manufacturers are not sunsetting embedded Windows XP support. Host-based anti-virus can be defeated by new species of malware, though, so it is not a panacea. Information security industry advice is to use layers of protection to help thwart attackers. Fligor believes, “To prevent security vulnerabilities specific to those devices we’ve implemented multiple intrusion prevention and detection systems, malware scanning, [plus] using Barracuda’s NG Firewall.”
Every IT department running Windows has embraced “Patch Tuesday” as part of its layered security best practices. Meanwhile, Goerlich advises, “Windows Updates can lead to a false sense of security.” His recommendation for fixing deep security concerns requires upgrading to a modern desktop OS.
This is excellent advice for individuals who have the option to upgrade their hardware.
Returning to the question of security responsibility, Goerlich provides a comparative perspective, “A useful comparison is between Microsoft and Apple. Microsoft released Windows XP in 2002. Apple released OS X Snow Leopard in 2009. Microsoft announced the retirement plan in 2009. That is seven years of full support with a five-year advanced notice. Meanwhile, Apple quietly stopped providing patch updates in 2011 and announced end-of-life in 2013. By comparison, that is two years of support with no advanced notice for ending security patches. In this light, Microsoft did the right thing by providing guidance and advanced notice.”
Windows XP’s success came from the residual output of cloud services gaining momentum, and the penalty is a high number of vulnerabilities, business interruption and unexpected costs. Comparatively, Microsoft is being responsible, offering alternatives, and we need to move on. Until that completely happens, the InfoSec community can enjoy its vacation until the next MS08-067 hits Windows XP. We can only wait and see what comes out of Redmond.