‘Windows XPocalypse’ and Security
By Tim (TK) Keanini

Technical support and automatic updates for Windows XP ended on Tuesday, April 8th, 2014. This has raised concerns around security, because patches for known issues were previously delivered via the now defunct automatic updates. What does this mean for Windows XP users?

The Basics

First, it is important to note that on April 8th, only a few variants of the XP operating system reached End-of-Support. End-of-Support means that there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates. Further details can be found on Microsoft’s web site, but I will summarize the changes here.

The systems that people must worry about are:

  • Windows XP Home Edition
  • Windows XP Media Center
  • Windows XP Professional
  • Windows XP Tablet PC Edition

When it comes to embedded systems (non-desktop versions of XP), the only one that people need to take urgent action on is Windows XP Professional for Embedded Systems. This product is identical to Windows XP, and Extended Support ended on April 8, 2014. If you have an XP variant for which support ended on 4/8/14, you need to treat it as if it were already dead and move quickly into getting it replaced. Pretend that it caught fire, and you will be moving with the right amount of urgency.

Here are some other variants of Windows XP that are going to receive updates after 4/8/2014. Organizations should still be planning now for cutovers on these systems.

  • Windows XP Embedded Service Pack 3 (SP3). This is the original toolkit and componentized version of Windows XP. It was originally released in 2002, and Extended Support will end on Jan. 12, 2016.
  • Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on Jan. 8, 2019.

Point of Sale Systems

It turns out that Point of Sale (POS) systems run two types of Windows Embedded platforms, but those End-of-Support dates are not until 4/12/2016 and 4/9/2019. Businesses should, however, take immediate action to identify which version they have and put in motion a plan to migrate well before these deadlines.

These systems include:

  • Windows Embedded for Point of Service SP3. This product is for use in Point of Sale devices. It is built from Windows XP Embedded. It was originally released in 2005, and Extended Support will end on April 12, 2016.
  • Windows Embedded POSReady 2009. This product for Point of Sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and Extended Support will end on April 9, 2019.

Since POS systems deal with such sensitive information and have become such big targets for attackers, retailers should definitely already be working with vendors to plan for these upgrades to ensure that there are no lapses in security. Some have asked if retailers should switch from traditional POS systems to wireless tablets and smart devices to increase security. However, this is not an effective defensive strategy as the adversary is able to find weaknesses in all information technology. The best strategy is to maintain diligent and vigilant security measures for whatever systems a retailer is using to take payments.

Security Vigilance

As businesses leverage information technology to remain competitive and grow, there is an equal responsibility to manage the security of this infrastructure. An accurate inventory and maintenance schedule is fundamental, and if a business or technology partner does not know the End-of-Support schedules for critical devices, bad things are certain to happen.

Businesses need to know the End-of-Life/End-of-Support schedule not only for all of the items on their own asset list, but also for the systems used by partners. If you have partners with technology, or you are using a Value Added Reseller, ask them to produce a monthly report of their applications or appliances that are coming up for End-of-Life/End-of-Support in the next 24 months. Stay ahead of the game and minimize surprises.
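As an added illustration (not part of the original article), here is a small inventory check in Python that produces the kind of 24-month End-of-Support report described above. The product names and End-of-Support dates are the ones listed in this article; the hostnames, owners, the "VendorOS 3.1" entry and the reference date are constructed for the example.

```python
from datetime import date, timedelta

# End-of-Support dates as stated in the article. Treating a product that is
# missing from this table as "unknown" (needs research, never assumed safe) is an assumption.
EOS_DATES = {
    "Windows XP Home Edition": date(2014, 4, 8),
    "Windows XP Professional": date(2014, 4, 8),
    "Windows XP Professional for Embedded Systems": date(2014, 4, 8),
    "Windows XP Embedded SP3": date(2016, 1, 12),
    "Windows Embedded Standard 2009": date(2019, 1, 8),
    "Windows Embedded for Point of Service SP3": date(2016, 4, 12),
    "Windows Embedded POSReady 2009": date(2019, 4, 9),
}

# Constructed sample inventory; hostnames, owners and "VendorOS 3.1" are made up.
ASSETS = [
    {"host": "ws-legacy-07", "owner": "finance", "product": "Windows XP Professional"},
    {"host": "kiosk-03", "owner": "lobby", "product": "Windows XP Embedded SP3"},
    {"host": "pos-01", "owner": "store-ops", "product": "Windows Embedded for Point of Service SP3"},
    {"host": "pos-12", "owner": "store-ops", "product": "Windows Embedded POSReady 2009"},
    {"host": "scanner-gw", "owner": "warehouse", "product": "VendorOS 3.1"},
]

def classify(product, as_of, horizon_days=730):
    """Return 'expired', 'expiring' (EoS inside the horizon), 'supported' or 'unknown'."""
    eos = EOS_DATES.get(product)
    if eos is None:
        return "unknown"
    if eos <= as_of:
        return "expired"
    if eos <= as_of + timedelta(days=horizon_days):
        return "expiring"
    return "supported"

def eos_report(assets, as_of_iso, horizon_days=730):
    """Bucket assets by status; each entry is (host, product, days_until_eos or None)."""
    as_of = date.fromisoformat(as_of_iso)
    report = {"expired": [], "expiring": [], "supported": [], "unknown": []}
    for a in assets:
        status = classify(a["product"], as_of, horizon_days)
        eos = EOS_DATES.get(a["product"])
        days_left = (eos - as_of).days if eos else None
        report[status].append((a["host"], a["product"], days_left))
    for bucket in report.values():  # soonest deadline first within each bucket
        bucket.sort(key=lambda r: (r[2] is None, r[2] or 0))
    return report

# Constructed reference date: the day after desktop XP support ended.
REPORT = eos_report(ASSETS, "2014-04-09")
```

Note that with a 24-month horizon from April 9, 2014, Windows Embedded for Point of Service SP3 (April 12, 2016) falls just outside the window, which is why the window should be re-run monthly rather than once.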

Handling Windows XP End-of-Support – Feed it, kill it, but don’t starve it.

As you all know by now, on April 8th 2014, Microsoft stopped supporting some variants of XP. The software industry for years has operated this way with every system on your network having a predetermined service life, but given the current threat landscape, I would like to propose a change. You see, the problem is that on 4/8/2014, all of these systems that are End-of-Support will continue to work just as they did on days and years prior. This is a big problem because people don’t change their behavior when things are business as usual.

What I’d like to see happen when any information technology reaches End-of-Support – meaning no fixes will be issued for newly found security vulnerabilities – is that it stops working. That’s right, kill it! Having an End-of-Support/End-of-Life technology alive and connected to the Internet makes it a liability for everyone online. It is called End-of-Life for a reason, and what I want to see happen is for the vendor to literally end the technology’s life. One of the rules in my personal playbook is: Feed it or kill it, but never starve it. Complex and dynamic systems do not deal with this lingering state very well, and it is time we make a change in how we handle the service life of a product.

Traditionally, the retirement phase of a product’s service lifecycle begins with the announcement of the End-of-Sale (meaning you can no longer purchase the product), followed by a period of time known as the End-of-Life that ultimately ends with the End-of-Support date, after which no more updates will be released. This is a critical stage for closed-source products, because no one other than the vendor can issue fixes, and that vendor just told you they will never issue another update no matter what. Right here, kill it please. The implementation of this new policy must happen early in the service life, but if done well both technically and socially, the world will be a safer place because the right expectations and events will drive the right behavior.

No product should be online if there is no opportunity to fix newly found vulnerabilities. We have a problem on the Internet where a patch is available and yet people are still irresponsibly running old versions. At least in these situations, remediation is available via an update, but when there is no update, my position is that the technology should be killed immediately.

These expired versions of Windows XP will continue to work, and trust me, they will be targeted by attackers because what better investment can the adversary make? If they spend a week to develop a new exploit, they get to use it on expired technologies until the end of time, as no patches will ever fix it.

You can ask customers politely and even urgently to upgrade, but until their current version stops working, or worse, is part of a security-related catastrophe, they will typically do nothing. The reason Y2K drove a change in human behavior was because on that date, old code was going to fail – there was a clear and significant event approaching. On April 8th 2014, customers’ Windows XP systems worked just like they did on days prior. I predict that End-of-Support XP systems will still be on the Internet and will be used for botnets and other supply-side resources for adversaries.

Consider this problem five or ten years into the future when millions of devices brought on by the Internet of Things are allowed to remain online after their End-of-Support date. We cannot afford this, people! The change I’m pushing is good for everyone because Internet security is everyone’s problem.

Tim (TK) Keanini is the CTO of Lancope.