Microsoft: Unplugging Windows XP PCs From Internet Won't Keep Them Safe
Microsoft really, really wants people to stop using Windows XP, the 13-year-old operating system for which all security patches and support will be cut off on April 8.
But as the deadline approaches, Microsoft is getting carried away in its campaign to get Windows XP users to upgrade, according to partners and security experts.
In a document sent to partners last month with advice on how to convince customers to upgrade, Microsoft said not even permanently disconnecting Windows XP PCs from the Internet will protect them from security breaches and downtime after the deadline passes.
"Being disconnected to an internal network [sic], or using a USB or CD to transfer information, may reduce the attack surface but will still leave you vulnerable to several types of attacks once support ends. Aside from a few special situations, keeping your Windows XP machine in a sealed room on its own is not the right choice for your business," Microsoft said in the document, which was viewed by CRN.
Microsoft could not be reached for comment as of press time.
[Related: Microsoft Partners In Uproar Over Cloud Sales Commission Cuts ]
The rest of the document contains the sort of language Microsoft has been using for the past couple of years to convince customers that moving off XP, and onto Windows 7 or Windows 8/8.1, is in their best interests.
"We won't sugarcoat it: If you are running Windows XP after April 8, 2014, you are putting your business at risk -- and please don't believe anyone who claims that quick fixes can replace a critical OS update," Microsoft said in the document.
While most enterprises have upgraded from XP, Microsoft is still dealing with a surprising number of stragglers. In December, Net Applications reported that Windows XP was running on 29 percent of PCs globally.
Microsoft partners are eager to see their customers upgrade, too. But two told CRN they won't be using fears about non-Internet-connected PCs to make it happen.
"I would absolutely never allow anyone in my employ to communicate to a customer in such a condescending manner," Andy Kretzer, director of marketing and sales at Bold Data Technology, a Fremont, Calif.-based system builder and Microsoft partner, said in an email.
Security experts said customers that continue using XP on systems still connected to the Internet after the deadline could be hit with a flood of zero-day vulnerabilities. But for disconnected PCs, it's hard to see how they might be vulnerable, experts said.
"I think it's total FUD [fear, uncertainty and doubt] and it borders on hysteria," said Peter Bybee, president and CEO of San Diego-based Security On-Demand, a managed security services provider that is not a Microsoft partner.
Kent Tibbils, vice president of marketing at ASI, a Fremont, Calif.-based Microsoft system builder partner, said he'd phrase the risks a bit differently than Microsoft did in the document.
"The important thing would be to stress that there could still be security risks associated with sharing files from storage devices like USB drives or CDs, and that there would be compatibility issues moving forward with devices and driver updates as examples," Tibbils said.
NEXT: Security Experts Say Microsoft Has A Point
However, Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security consultancy, thinks Microsoft is making an important point here about unintended consequences.
Plato said even if an XP PC was connected to an internal corporate network, but not to the Internet, hackers could use it as a command-and-control machine to hit other parts of the network, much like what happened with Target's massive credit-card breach last month.
"The reality is, XP machines will be vulnerable, and all it takes is a few minutes of connectivity for the vulnerability to create a serious breach," Plato said.
"Having a totally offline XP machine is technically quite secure, but it is not realistic. Those PCs inevitably get plugged into something, or somebody puts a USB into them, then they become infected or start calling home."
Though Microsoft is ending XP support and patches, the software giant will be providing antimalware signature updates for XP users through July 14, 2015, to help businesses complete migrations.
PUBLISHED JAN. 21, 2014