Ondrej Vlcek, the Chief Operations Officer at AVAST, recently released a blog post that appears, on the surface, to be a valid discussion on why Microsoft is making a mistake ending Windows XP support. In truth, if you read the post, you’ll find that it’s nothing more than marketing FUD.
With everyone taking such a negative stance regarding the end of Windows XP support, I wanted to provide counterpoints to the AVAST article.
AVAST claims that Windows XP users are 6 times more likely to get attacked than Windows 7 users. Even if we accept this number as true, you need to remember that this is because of the lack of built-in security features in Windows XP. ASLR and DEP are standard in the modern OS and they do a great job of reducing the attack surface.
Windows XP will never have these modern defenses and it’s already a major target for attackers. It’s better to phase it out now than to support it for even longer because continuing to patch the software won’t dissuade attackers.
If you look at the numbers, 23.6% of AVAST’s 211 million users are still running XP and 21.5% of those users run Internet Explorer. That means we have just over 10M users running IE on Windows XP, probably a worst-case scenario in many people’s eyes. We’re talking about less than 5% of the user base in question; that’s a pretty small number.
Another ‘Windows XP support shouldn’t end’ claim that everyone is making is that 95% of the world’s ATMs still run Windows XP. I can remember seeing frozen ATMs running Windows NT in 2007, yet no one was screaming about that. Why are we screaming about this? It’s not like Microsoft is leaving banks in the lurch.
Microsoft is offering paid support, which we know banks will pay for; several have already stated they are. It’s actually a very smart way to do this. Otherwise, with continued mainstream support, the banks would avoid updating their ATMs forever. Instead, Microsoft is ensuring banks will upgrade quickly, forcing them away from Windows XP, simply to avoid paying the exorbitant fees that Microsoft is charging.
Let’s also look at the other major players. Windows XP is 13 years old… let’s take a look at where Ubuntu and OS X were in 2001. Apple had released OS X 10.0 and Ubuntu didn’t even exist. It looks like this will be a bit more difficult to try and compare to Windows XP, so let’s look at operating systems from 5 years ago.
For OS X, that brings us to OS X 10.6 Snow Leopard, for which support ended last month (quietly and without warning). For Ubuntu, we’d be looking to 9.04 or 9.10 (Jaunty Jackalope and Karmic Koala), and support for 9.10 was done by 2011. Even the LTS versions of Ubuntu are limited to a 5-year support window.
When you look at those numbers, you can’t question that Microsoft has gone above and beyond with regards to Windows XP and updates.
So before we say that Microsoft is “forcing a security scramble” (after all, you had years to prepare for this), let’s talk about the real issue… people that are still using Windows XP. Rather than extend support for an old, insecure operating system, let’s talk about how we can force those users off of Windows XP. I’d look to ISPs to solve this problem, to step up and be responsible for keeping outdated devices off the Internet (yes… I can already hear Net Neutrality folks cringing).
I can still remember when ISPs first started filtering port 25 to prevent open mail relays and ports 139 and 445 to prevent worms targeting, oddly enough, Windows XP (and other older versions of Windows). Let’s expand that filtering and block Windows XP devices at the ISP level. There are plenty of ways to perform passive OS identification, so why not filter traffic that is known to be associated with Windows XP hosts?
We’re worried about XP+IE, and that’s an easy one to solve: simply block its access. Instead of decreasing the overall security posture of the Internet, let’s work together to increase it by simply removing these risky systems from the equation. It’s definitely as viable, if not more so, as asking Microsoft to extend support for a 13-year-old operating system.
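One simple form of the passive identification mentioned above, as an added example that is not part of the original post: counting XP and XP+IE clients from the User-Agent field of web proxy logs. The log layout (combined log format), the function names and the sample lines are assumptions made for illustration; the User-Agent is client-supplied, so the result is an inventory signal rather than proof of the operating system.

```python
import re
from collections import Counter

# Windows XP identifies itself as "Windows NT 5.1"; XP x64 shares
# "Windows NT 5.2" with Server 2003, so that token is reported as ambiguous.
NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")
MSIE_TOKEN = re.compile(r"\bMSIE (\d+)\.")
# Assumed layout: combined log format, User-Agent is the last quoted field.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')

def classify(user_agent):
    """Return (os_label, is_ie) derived only from the User-Agent header."""
    nt = NT_TOKEN.search(user_agent)
    if nt is None:
        os_label = "other"
    elif nt.group(1) == "5.1":
        os_label = "xp"
    elif nt.group(1) == "5.2":
        os_label = "xp-x64-or-2003"
    else:
        os_label = "newer-windows"
    return os_label, MSIE_TOKEN.search(user_agent) is not None

def summarize(log_lines):
    """Count distinct client addresses per (os_label, is_ie) pair."""
    seen, counts = set(), Counter()
    for line in log_lines:
        ua = UA_FIELD.search(line)
        if ua is None:
            continue  # malformed line with no quoted User-Agent field
        key = (line.split(" ", 1)[0],) + classify(ua.group(1))
        if key not in seen:
            seen.add(key)
            counts[key[1:]] += 1
    return counts

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Apr/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '192.0.2.10 - - [08/Apr/2014:10:00:05 +0000] "GET /a HTTP/1.1" 200 99 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '192.0.2.11 - - [08/Apr/2014:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '192.0.2.12 - - [08/Apr/2014:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '192.0.2.13 - - [08/Apr/2014:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"',
    'truncated entry with no quoted fields',
]

if __name__ == "__main__":
    for (os_label, is_ie), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{os_label:16} ie={is_ie!s:5} clients={n}")
```

The header is only visible where HTTP is logged in the clear, such as at a proxy the organization operates, so encrypted sessions will not appear in this count.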