Windows XP Retirement Countdown: 10 Myth-Busting Facts

The Clock Is Ticking

Despite eye-grabbing headlines warning of doomsday on April 8, following Windows XP's final security update, security experts told CRN that additional security measures can mitigate many of the risks to the venerable operating system.

Enterprises Still Running Windows XP, Analysis Finds

Microsoft will retire the venerable Windows XP operating system in less than a week, when it releases the final security updates for the platform April 8. The end of life for Windows XP marks a finality that many consumers and a wide variety of businesses apparently don't want to see. Softchoice, a managed service provider, found that 40 percent of enterprises have devices running Windows XP. While some security firms may be sounding an alarm about apocalyptic-like attacks targeting the systems after the final updates, security experts say most systems can be operated safely if additional security measures are applied. CRN pulled together some of the latest information from security firms and service providers about the Windows XP install base, and expert advice on ensuring that systems still running past the deadline are protected.

Critical Industries Slow To Migrate, Firm Says

Health care, finance and public-sector firms in the U.S. and Canada, which often have custom applications and critical systems, move slowly in upgrading, according to Softchoice. The firm said that about 7 percent of the businesses that run Windows XP do so on more than 80 percent of their devices. Companies that depend on Windows XP for custom applications can purchase a premium support package that includes updates, but experts said it is an expensive option, running as high as $100,000.

Enterprise Install Base In Decline

The enterprise install base of Windows XP will continue to decline, but will likely be at about 10 percent when the April deadline arrives, said Wolfgang Kandek, chief technical officer of vulnerability management vendor Qualys. In January, the figure was about 35 percent of customers, according to an analysis of Qualys' customer base.

Windows 8 Migrations Moving Forward

Softchoice said it is seeing growing adoption of Windows 8, and that an examination of its client base found Windows 8 presence had risen to 64 percent from 41 percent six months ago. Businesses also can upgrade to Windows 7 systems, which may avoid end-user confusion, solution providers said. The Windows 7 interface is comparable to Windows XP, and has a feature called Windows XP Mode to run custom applications that require Windows XP.

Run Windows XP In A Virtual Machine

Businesses that have a Windows 7 install base can take advantage of Windows XP Mode, a component that enables users to run custom applications requiring Windows XP. A virtual machine can actually improve security, said Jason Hicks, a senior security consultant at FishNet Security. Hicks said some firms could also consider client-based virtual machine workstations as a migration option. That approach gives IT more control and bolsters security by spinning up virtual instances for end users that can be quickly terminated if a threat is detected.

ATM Risk Is Minimal

Contrary to the doomsday or Y2K-like predictions of a serious attack targeting Automated Teller Machines, security experts told CRN that the threat is overblown. ATMs run a lightweight, embedded version of Windows XP that lacks many of the features and capabilities commonly exploited by attackers. Many ATMs also are protected with custom whitelisting software, locking down the tiny environment. Any code attempting to execute that would not likely trigger the machine to go offline, said FishNet Security’s Hicks. Up until now, Hicks said most threats against ATMs have been theoretical, and most documented attacks require local access to the system.

Windows XP Final Update

Businesses running the software past the April 8 deadline should ensure that the final update is applied. Security experts recommend that end users use the Google Chrome or Mozilla Firefox browsers rather than Internet Explorer, because cybercriminals are more likely to target the Microsoft browser running on Windows XP past the operating system's retirement date. Google and Mozilla will support Chrome and Firefox on Windows XP through 2015.

Antivirus Software Will Run

The security industry often criticizes the effectiveness of antivirus software, but it remains a valuable layer of protection. It will be critical for businesses to ensure that endpoint systems still running Windows XP past April 8 are running antivirus software, and that it is fully updated with the latest malware signatures. Nearly all the top antivirus vendors will continue to provide antimalware support for Windows XP PCs. The software should be configured to provide the maximum level of protection on end-user systems.

Microsoft Office Needs Updating

If Windows XP systems have Microsoft Office installed, ensure that the software is fully patched, said security vendor F-Secure. Microsoft said it was also ending support for Office 2003. In its latest threat report, F-Secure advises businesses to lock down the security options tightly in Office. The ubiquitous Flash software will run by default if embedded in documents, and embedding it is a technique often used by cybercriminals to exploit vulnerabilities on PCs.

Third-Party Software Support

Third-party applications and browser components are often poorly maintained and contain software vulnerabilities. To lower the risk of a successful attack, F-Secure recommends that PC owners uninstall the software, disable or uninstall browser plugins, and set browsers to "always ask" when opening files, such as Adobe PDFs.

Best Defense Is Educated End Users

Attackers often target the human element during the first phase of an attack. Many phishing messages are difficult to spot, but educated end users will be more suspicious of unsolicited email messages containing links and file attachments, security experts told CRN. The security culture within an organization cannot be changed overnight, but most successful user awareness programs don't rely solely on a single web-based computer test. Programs need strong leadership and executive buy-in, said Caroline Wong, author of "Security Metrics: A Beginner's Guide," and security initiatives director at software security firm Cigital. For best results, training needs to be sustained over time, Wong said.