Gone Fishing
Premium Member
join:2001-06-29

4 edits

Gone Fishing

Premium Member

[Info] The Risk of Running Windows XP After Support Ends...




An interesting read:

"The Risk of Running Windows XP After Support Ends April 2014"

quote:
blogs.technet.com

Tim Rains - Microsoft - 15 Aug 2013 1:00 AM


...
There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft. Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails.

What is the risk of continuing to run Windows XP after its end of support date? One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. Let me explain why this will be the case.
...
But after April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever. How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.
...
As for the security mitigations that Windows XP Service Pack 3 has, they were state of the art when they were developed many years ago. But we can see from data published in the Microsoft Security Intelligence Report that the security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see. The data we have on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8.
...

Tim Rains
Director
Trustworthy Computing


More @ »blogs.technet.com/b/secu ··· nds.aspx




Related:

"The impact of Security Science in Protecting Customers"
»blogs.technet.com/b/secu ··· ers.aspx

Microsoft Security Intelligence Report
»www.microsoft.com/securi ··· ult.aspx
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

Similar discussion in progress - XP's retirement will be hacker heaven.
psloss
Premium Member
join:2002-02-24

psloss to Gone Fishing

Premium Member

to Gone Fishing
Worth considering in general; however, it seems to be addressed to (large) enterprises and doesn't apply very well to most or all of my usage.
bgraham2
join:2001-03-15
Smithtown, NY

1 recommendation

bgraham2 to Gone Fishing

Member

to Gone Fishing
At home my wife's computer still runs XP. She gets email, writes letters with Office 2003 and uses the internet.

I don't give a hoot about end of life as my wife will never switch from XP to Win7.

Switching from XP to Win7 on my desktop and my old laptop was a PITA and took 2 days. My desktop also serves as the file server for the household.

At work we have a SBS2003 server and 7 computers that were running XP. 2 have been upgraded to Win8 because the boss and his right hand lady were worried about XP end of life and were hell bent on upgrading to Win8. It only took 4 hours to install Adobe Acrobat on one of the Win8 machines and all they use their computers for is Outlook Exchange Server email, MS Word and Publisher.

Keep your anti virus up to date and don't give $200 to MS for Win7 and a day's worth of your time.

eddiebbb
@bethere.co.uk

eddiebbb

Anon

bgraham..
I agree wholeheartedly with your comments. I ran XP for over five years sans updates and never once had a prob. As you say, keep up the Anti Virus and you will be OK!

BrettZ
join:2013-08-15

BrettZ to Gone Fishing

Member

to Gone Fishing
How long would you want Microsoft to support Windows XP? Phones today get obsolete in a couple of years, spare a thought for Windows XP which has been entertaining you for more than years now.

Boricua
Premium Member
join:2002-01-26
Sacramuerto

2 recommendations

Boricua to eddiebbb

Premium Member

to eddiebbb
said by eddiebbb :

bgraham..
I agree wholeheartedly with your comments. I ran XP for over five years sans updates and never once had a prob. As you say, keep up the Anti Virus and you will be OK!

If I had it my way, I would've stayed with Windows 2000. I loved that OS. The most stable I've had at that time. I was only forced to XP because many people were buying it and when asked for help, I had to know how to navigate.

ZZZZZZZ
Premium Member
join:2001-05-27
PARADISE

2 recommendations

ZZZZZZZ to Gone Fishing

Premium Member

to Gone Fishing
I have a desktop with a dual boot of W2K and WXP and only do monthly updates [critical] for XP sometimes and besides the annoying updates themselves ...........I haven't had a problem with either.

I have a great layered defense in place and have no qualms about using either OS for more years to come, without Microsoft's greedy support.

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to Gone Fishing

Premium Member

to Gone Fishing
But the Windows 98 ME edition I run is still good, right?

darcilicious
Cyber Librarian
Premium Member
join:2001-01-02
Forest Grove, OR

darcilicious to bgraham2

Premium Member

to bgraham2
I was never so happy as when my workplace gave us all new computers with Windows 7 Pro installed, to replace our XP boxes. Hadn't run XP at home for *years*.

Draper
Premium Member
join:2010-06-19
Florissant, MO

Draper to Gone Fishing

Premium Member

to Gone Fishing
We are in the process of upgrading all of our 60k machines from XP to 7 where I work. Should have been done sooner. XP is a dinosaur. It was a good OS in its day, but that day is long past.
bgraham2
join:2001-03-15
Smithtown, NY

bgraham2 to Boricua

Member

to Boricua
Windows 2000 was such a great improvement from Win98. It multitasked so much better than 98. With Windows 2000 I could keep working when I had incoming faxes and did not have to reboot every 2 days. When I switched to XP I made it look like 2000 anyway by using the best performance option.
psloss
Premium Member
join:2002-02-24

psloss to Draper

Premium Member

to Draper
said by Draper:

We are in the process of upgrading all of our 60k machines from XP to 7 where I work. Should have been done sooner. XP is a dinosaur. It was a good OS in its day, but that day is long past.

Agreed, but that's just the ulterior elephant in the room. It's all "upside" for Microsoft if XP customers are motivated to move to a newer version; but just as they're mostly thinking of themselves, so am I. I'll take Windows 7 for most of my "Windows-y" stuff and I would much rather support Win7 machines today over XP, Vista, or Win8; but I still have uses for a XP machine or two and in those cases mitigating the risk (by no means uniform) is a better choice than "upgrading", which often refers to buying a new PC+license.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

JohnInSJ to Gone Fishing

Premium Member

to Gone Fishing
We should all have stayed with CP/M - that OS was rock solid.

Seriously, this thread delivers great nostalgia.

My $0.02:

If you're using XP to run a fixed set of apps and are not browsing/reading email/connected directly to the internet, it should be no less safe than it was the day before support ends.

If you're using a PC on the internet to browse, or read email, or run applications you download, and you stay with XP, good luck (shortly) after support ends.
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

said by JohnInSJ:

If you're using a PC on the internet to browse, or read email, or run applications you download, and you stay with XP, good luck (shortly) after support ends.

It will make no difference, whatsoever, if you do these things before and after the date. I don't need (or expect any) support for browsing, emailing and / or running downloaded apps.

On the other hand, if you imply that the computer's security depends on who is operating it, I agree with you.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

2 recommendations

JohnInSJ

Premium Member

said by OZO:

said by JohnInSJ:

If you're using a PC on the internet to browse, or read email, or run applications you download, and you stay with XP, good luck (shortly) after support ends.

It will make no difference, whatsoever, if you do these things before and after the date. I don't need (or expect any) support for browsing, emailing and / or running downloaded apps.

On the other hand, if you imply that the computer's security depends on who is operating it, I agree with you.

I am suggesting there are a number of zero day exploits in XP that have gone unused and unreported specifically because the end date is known, and once support ends those exploits will make the script kiddie rounds exposing anyone using XP to numerous attacks via vectors that will never be patched by Microsoft.

So, for many people, it won't be a great experience.

Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two.

darcilicious
Cyber Librarian
Premium Member
join:2001-01-02
Forest Grove, OR
·Ziply Fiber

darcilicious

Premium Member

said by JohnInSJ:

Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two.

Best thing I've read all week!
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

said by darcilicious:

said by JohnInSJ:

Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two.

Best thing I've read all week!


Me too...

Wily_One
Premium Member
join:2002-11-24
San Jose, CA

3 recommendations

Wily_One to Gone Fishing

Premium Member

to Gone Fishing
While I don't dispute what the blogger is saying, it is rather self-serving coming from Microsoft; they want everyone running XP to go buy Windows 8. Desperately.

And while perhaps true initially, while XP gets older and older, the hackers will eventually stop targeting it since their attention will be on the more current platforms. (Not too many viruses written for Windows 95 nowadays, right?)

The bottom line is safe computing can be practiced even on XP, long after the end of support.

dib22
join:2002-01-27
Kansas City, MO

dib22 to JohnInSJ

Member

to JohnInSJ
said by JohnInSJ:

Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two.

I think your estimate is low... I think there will be > 100 million machines sitting out there running XP (some estimates are closer to 500 million). The good news is the ease with which we can cause BSODs will allow us to survive the terminator units.
s_becker
join:2013-04-05

1 recommendation

s_becker to Gone Fishing

Member

to Gone Fishing
It's interesting how many people here think they will be safe with an outdated OS because they are behind a firewall, because they know how to handle a computer securely and because they have an AV software.
But the truth looks a bit different. A firewall and AV software won't protect an OS from everything. In fact, there can be quite a lot of ways to access a PC despite the fact that there is a firewall and an AV software. Because both can't do anything if the access is legit.

I don't want to say that every Windows XP PC will be hacked as soon as the support runs out. I think it will be less than 5% of all PCs and the most of them are already outdated because the users are too stupid. I also don't have a problem if users want to keep XP for their private use. But I think it's a huge mistake to stay with XP for business use, since it clearly is a high risk doing so.

For the ones that say, hackers won't create hacks for Windows XP since it IS outdated and no hacker creates hacks for Windows 98:
The hackers didn't stop creating hacks for Windows 98 because it was outdated. But because it wasn't worth it since there weren't many of Windows 98 PCs out there. But there will be a shitload of Windows XP PCs out there. So it is quite lucrative to put work into it.

And at last for the ones that say Microsoft is just recommending to upgrade to sell more copies of Windows 8:
Microsoft fears a bad publicity much more than a couple fewer sales of Windows 8. I would even say, they would rather like to see the Windows XP users move to Linux instead of having this bad publicity.

Think twice before declining the idea of upgrading.
JBear
join:2005-02-24
canada

1 recommendation

JBear to Gone Fishing

Member

to Gone Fishing
I'm going to re-iterate what I mentioned in a previous XP end of life thread...

I'm just going to keep a rig in the basement for legacy games that I enjoy playing i.e. Simcity 4, Civ 4 and be a workhorse for projects such as ripping our CDs and movies though it'll take longer. It will be connected to the network but won't have internet access unless it is needed for troubleshooting or some other task that I choose not to do on a newer rig.

Now on saying that, if I disable internet access but have the XP computer able to access other computers on my home network it should be fine, right?

jester121
Premium Member
join:2003-08-09
Lake Zurich, IL

2 recommendations

jester121 to Gone Fishing

Premium Member

to Gone Fishing
Much silliness in this thread, I had some good chuckles.

My reactions --

- End of support means nothing to the zillions of knuckleheads out there who aren't even running Windows Updates on their XP machines.

- End of support means nothing to corporate environments where they're running sophisticated IPS/IDS systems to keep bad stuff off their networks -- layer 7 type stuff.

- Even completely up-to-date anti-virus software doesn't stop all the various browser/plug-in/other vulnerabilities.

- The rants about "greedy Microsoft support" were pretty funny, since I doubt any of the ranters have ever paid a dollar more than their original license cost (or more likely, an OEM license bundle) for all the years of Microsoft patches.

- I'll never understand people who blame Microsoft (or anyone else) for problems that are probably self-inflicted. If it took 2 days to install Win7 and 4 hours to install Adobe, you're clearly doing it wrong -- or you have severely outdated hardware.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

Kilroy to Gone Fishing

MVM

to Gone Fishing
The only way I would consider using XP after April 2014 is if the machine is not connected to a network.

Boricua
Premium Member
join:2002-01-26
Sacramuerto

Boricua to JBear

Premium Member

to JBear
said by JBear:

Now on saying that, if I disable internet access but have the XP computer able to access other computers on my home network it should be fine, right?

You can't have a machine connect to a home and it not being able to access the Internet. Of course, if you disable the NIC, then yes the machine is protected since there is no Internet access but you won't be able to access your home network. Do you see what I'm trying to say? Also, even if you take out Internet Explorer (which you can't as it is tied to the OS), when you open My Computer you can type a website address in the address bar and it WILL connect to the web.
JBear
join:2005-02-24
canada

JBear

Member

Thanks for the reply and yes I see what you're saying. I know as long as it's connected to my home network it will always be vulnerable to the outside world in some way. But if I disconnect internet access through the router would that lower its risk to minimal levels?

wingspar
Premium Member
join:2002-11-09
Oregon

wingspar to Gone Fishing

Premium Member

to Gone Fishing
I am still using XP SP3 and have not done any updates for a couple of years. Seems like every time I did one, it messed me up, so I don't do them. I have a good firewall and antivirus program, and it seems to run fine. A little slow with some programs, but I built this thing over 7 years ago.

I do have a brand new build running Win 7 64 bit with all the software I want on it, with maybe one exception and it is running fine. I will move it over to where this XP machine sits anytime now. However, my other half is still running XP on her machine, but we are planning to build a new Win 7 machine to replace it sometime this winter.

I went from DOS, to Win 3.1, to Win 95 to XP. We had Win 2000 at work when I retired. I skipped all the OS's. Win 7 is a different animal, but I'm starting to get used to it. In reading forums while researching components and building my Win 7 machine, I was rather surprised to see that there are still hundreds of thousands still running XP. Dang good OS if you ask me. I don't change OS's lightly.
psloss
Premium Member
join:2002-02-24

psloss to Boricua

Premium Member

to Boricua
said by Boricua:

You can't have a machine connect to a home and it not being able to access the Internet.

Sure you can, but very few consumers in 2013 have any use for such a configuration. (It's also inconvenient.)
dave
Premium Member
join:2000-05-04
not in ohio

dave to Boricua

Premium Member

to Boricua
said by Boricua:

You can't have a machine connect to a home and it not being able to access the Internet.

It all depends on what you mean by "the Internet" and where you consider "the Internet" to begin. But assuming the Internet is outside the house, all it takes is filtering at the gateway node. Or suitable configuration on the computer itself (no gateway, maybe - it's been a while since I cared about routing).
Shootist
Premium Member
join:2003-02-10
Decatur, GA

3 recommendations

Shootist to Boricua

Premium Member

to Boricua
said by Boricua:

said by JBear:

Now on saying that, if I disable internet access but have the XP computer able to access other computers on my home network it should be fine, right?

You can't have a machine connect to a home and it not being able to access the Internet. Of course, if you disable the NIC, then yes the machine is protected since there is no Internet access but you won't be able to access your home network. Do you see what I'm trying to say? Also, even if you take out Internet Explorer (which you can't as it is tied to the OS), when you open My Computer you can type a website address in the address bar and it WILL connect to the web.

That is completely false. Sure you can have a home network and not have any of the computers connected to the net or have internet access and restrict that access to only select systems. Just where do you get this blatantly false information?
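
The two setups raised in the replies above (filtering at the gateway, or giving the XP machine no default gateway) can be compared with a small model of outbound packet handling. This is an added example, not part of any post in the thread; the addresses, rule format and function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed home network; every address here is an assumption for illustration.
LAN = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
GATEWAY = ipaddress.ip_address("192.168.1.1")
XP_HOST = ipaddress.ip_address("192.168.1.50")
FILE_SERVER = ipaddress.ip_address("192.168.1.10")
INTERNET_HOST = ipaddress.ip_address("203.0.113.80")  # documentation range

# Host routing tables: (destination network, next hop); None means on-link.
ROUTES_WITH_GATEWAY = [(LAN, None), (ANY, GATEWAY)]
ROUTES_NO_GATEWAY = [(LAN, None)]

# Gateway forwarding filter: (action, source network, destination network).
RULES_OPEN = []
RULES_BLOCK_XP = [("drop", ipaddress.ip_network("192.168.1.50/32"), ANY)]


def route_lookup(routes, dst):
    """Longest-prefix match; None means the host has no route to dst."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def gateway_forwards(rules, src, dst):
    """First matching rule wins; unmatched traffic is forwarded."""
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return True


def can_send(routes, rules, src, dst):
    """Outbound only: can src get a packet to dst under this configuration?"""
    route = route_lookup(routes, dst)
    if route is None:
        return False          # packet never leaves the machine
    if route[1] is None:
        return True           # on-link: the gateway filter never sees it
    return gateway_forwards(rules, src, dst)


def summarize():
    configs = {
        "default": (ROUTES_WITH_GATEWAY, RULES_OPEN),
        "gateway_filter": (ROUTES_WITH_GATEWAY, RULES_BLOCK_XP),
        "no_default_gateway": (ROUTES_NO_GATEWAY, RULES_OPEN),
    }
    return {
        name: {
            "lan": can_send(routes, rules, XP_HOST, FILE_SERVER),
            "internet": can_send(routes, rules, XP_HOST, INTERNET_HOST),
        }
        for name, (routes, rules) in configs.items()
    }


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:20} LAN={result['lan']!s:5} Internet={result['internet']}")
```

In both restricted setups the XP machine still exchanges traffic with every other host on the LAN, so its remaining exposure depends on the state of those machines.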