4 edits |
[Info] The Risk of Running Windows XP After Support Ends...An interesting read: "The Risk of Running Windows XP After Support Ends April 2014"quote: b l o g s . t e c h n e t . c o m
Tim Rains - Microsoft - 15 Aug 2013 1:00 AM
... There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its end of life will not be addressed by new security updates from Microsoft. Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they wont migrate from Windows XP until the hardware its running on fails.
What is the risk of continuing to run Windows XP after its end of support date? One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. Let me explain why this will be the case. ... But after April 8, 2014, organizations that continue to run Windows XP wont have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a zero day vulnerability forever. How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8 ... As for the security mitigations that Windows XP Service Pack 3 has, they were state of the art when they were developed many years ago. But we can see from data published in the Microsoft Security Intelligence Report that the security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see. The data we have on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8. ...
Tim Rains Director Trustworthy Computing
More @ »blogs.technet.com/b/secu ··· nds.aspx
Related:"The impact of Security Science in Protecting Customers"» blogs.technet.com/b/secu ··· ers.aspxMicrosoft Security Intelligence Report » www.microsoft.com/securi ··· ult.aspx |
|
OZO Premium Member join:2003-01-17 |
OZO
Premium Member
2013-Aug-15 6:07 pm
Similar discussion in the progress - XP's retirement will be hacker heaven. |
|
psloss Premium Member join:2002-02-24 |
to Gone Fishing
Worth considering in general; however, it seems to be addressed to (large) enterprises and doesn't apply very well to most or all of my usage. |
|
1 recommendation |
to Gone Fishing
At home my wife's computer still runs XP. She gets email, writes letters with Office 2003 and uses the internet.
I don't give a hoot about end of life as my wife will never switch from XP to Win7.
Switching from XP to Win7 on my desktop and my old laptop was a PITA and took 2 days. My desktop also serves as the file server for the household.
At work we have a SBS2003 server and 7 computers that were running XP. 2 have been upgraded to Win8 because the boss and his right hand lady were worried about XP end of life and were hell bent on upgrading to Win8. It only took 4 hours to install Adobe Acrobat on one of the Win8 machines and all they use their computers for is Outlook Exchange Server email, MS Word and Publisher.
Keep your anti virus up to date and don't give $200 to MS for Win7 and a day's worth of your time. |
|
|
eddiebbb
Anon
2013-Aug-16 3:17 am
bgraham.. I agree whole heartedly with your comments. I ran XP for over five years sans updates and never once had a prob. As you say, keep up the Anti Virus and you will be OK! |
|
|
|
to Gone Fishing
How long would you want Microsoft to support windows XP. Phones today get obsolete in a couple of years, spare a thought for Windows XP which has been entertaining you for more than years now. |
|
Boricua Premium Member join:2002-01-26 Sacramuerto
2 recommendations |
to eddiebbb
said by eddiebbb :bgraham.. I agree whole heartedly with your comments. I ran XP for over five years sans updates and never once had a prob. As you say, keep up the Anti Virus and you will be OK! If I had it my way, I would've stayed with Windows 2000. I loved that OS. The most stable I've had at that time. I was only forced to XP because many people were buying it and when asked for help, I had to know how to navigate. |
|
ZZZZZZZ Premium Member join:2001-05-27 PARADISE
2 recommendations |
to Gone Fishing
I have a desktop with a dual boot of W2K and WXP and only do monthly updates [critical] for XP sometimes and besides the annoying updates themselves ...........I haven't had a problem with either. I have a great layered defense in place and have no qualms about using either OS for more years to come,without Microsoft's greedy support. |
|
Ian1 Premium Member join:2002-06-18 ON |
to Gone Fishing
But the Windows 98 ME edition I run is still good, right? |
|
darciliciousCyber Librarian Premium Member join:2001-01-02 Forest Grove, OR |
to bgraham2
I was never so happy as when my workplace gave us all new computers with Windows 7 Pro installed, to replace our XP boxes. Hadn't run XP at home for *years*. |
|
Draper Premium Member join:2010-06-19 Florissant, MO |
to Gone Fishing
We are in the process of upgrading all of our 60k machines from XP to 7 where I work. Should have been done sooner. XP is a dinosaur. It was a good os in it's day, but that day is long past. |
|
|
to Boricua
Windows 2000 was such a great improvement from Win98. It multitasked so much better than 98. With Windows 2000 I could keep working when I had incoming faxes and did not have to reboot every 2 days. When I switched to XP I made it look like 2000 anyway by using the best performance option. |
|
psloss Premium Member join:2002-02-24 |
to Draper
said by Draper:We are in the process of upgrading all of our 60k machines from XP to 7 where I work. Should have been done sooner. XP is a dinosaur. It was a good os in it's day, but that day is long past. Agreed, but that's just the ulterior elephant in the room. It's all "upside" for Microsoft if XP customers are motivated to move to a newer version; but just as they're mostly thinking of themselves, so am I. I'll take Windows 7 for most of my "Windows-y" stuff and I would much rather support Win7 machines today over XP, Vista, or Win8; but I still have uses for a XP machine or two and in those cases mitigating the risk (by no means uniform) is a better choice than "upgrading", which often refers to buying a new PC+license. |
|
JohnInSJ Premium Member join:2003-09-22 Aptos, CA |
to Gone Fishing
We should all have stayed with CP/M - that OS was rock solid.
Seriously, this thread delivers great nostalgia.
My $0.02:
If you're using XP to run a fixed set of apps and are not browsing/reading email/connected directly to the internet, it should be no less safe than it was the day before support ends.
If you're using a PC on the internet to browse, or read email, or run applications you download, and you stay with XP, good luck (shortly) after support ends. |
|
OZO Premium Member join:2003-01-17 |
OZO
Premium Member
2013-Aug-17 1:58 pm
said by JohnInSJ:If you're using a PC on the internet to browse, or read email, or run applications you download, and you stay with XP, good luck (shortly) after support ends. It will make no difference, whatsoever, if you do these things before and after the date. I don't need (or expect any) support for browsing, emailing and / or running downloaded apps. On the other hand, if you imply that the computer's security depends on who is operating it, I agree with you. |
|
JohnInSJ Premium Member join:2003-09-22 Aptos, CA
2 recommendations |
JohnInSJ
Premium Member
2013-Aug-17 2:23 pm
said by OZO:said by JohnInSJ:If you're using a PC on the internet to browse, or read email, or run applications you download, and you stay with XP, good luck (shortly) after support ends. It will make no difference, whatsoever, if you do these things before and after the date. I don't need (or expect any) support for browsing, emailing and / or running downloaded apps. On the other hand, if you imply that the computer's security depends on who is operating it, I agree with you. I am suggesting there are a number of zero day exploits in XP that have gone unused and unreported specifically because the end date is known, and once support ends those exploits will make the script kiddie rounds exposing anyone using XP to numerous attacks via vectors that will never be patched by Microsoft. So, for many people, it won't be a great experience. Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two. |
|
darciliciousCyber Librarian Premium Member join:2001-01-02 Forest Grove, OR ·Ziply Fiber
|
said by JohnInSJ:Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two. Best thing I've read all week! |
|
OZO Premium Member join:2003-01-17 |
OZO
Premium Member
2013-Aug-17 2:58 pm
said by darcilicious:said by JohnInSJ:Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two. Best thing I've read all week! Me too... |
|
Wily_One Premium Member join:2002-11-24 San Jose, CA
3 recommendations |
to Gone Fishing
While I don't dispute what the blogger is saying, it is rather self-serving coming from Microsoft; they want everyone running XP to go buy Windows 8. Desperately.
And while perhaps true initially, while XP gets older and older, the hackers will eventually stop targeting it since their attention will be on the more current platforms. (Not too many viruses written for Windows 95 nowadays, right?)
The bottom line is safe computing can be practiced even on XP, long after the end of support. |
|
dib22 join:2002-01-27 Kansas City, MO |
to JohnInSJ
said by JohnInSJ:Given the installed base of several hundred thousand XP users, the resulting botnet will be so large it will probably attain self-awareness and become skynet, raining death from the skies. Or some people will get hacked. Somewhere between these two. I think your estimate is low... I think there will be > 100 million machines sitting out there running XP (some estimates are closer to 500 million). The good news is the ease in which we can cause BSOD's will allow us to survive the terminator units. |
|
1 recommendation |
to Gone Fishing
It's interesting how many people here think they will be save with an outdated OS because they are behind a firewall, because they know how to handle a computer securely and because they have an AV software. But the truth looks a bit different. A firewall and AV software wont protect a OS from everything. In fact, there can be quite a lot of ways to access a PC despite the fact that there is a firewall and an AV software. Because both can't do anything of the access is legit.
I don't want to say that every Windows XP PC will be hacked as soon as the support runs out. I think it will be less than 5% of all PCs and the most of them are already outdated because the users are too stupid. I also don't have a problem if users want to keep XP for their private use. But I think it's a huge mistake to stay with XP for business use, since it clearly is a high risk doing so.
For the ones that say, hackers wont create hacks for windows XP since it IS outdated and no hacker creates hacks for Windows 98: The hackers didn't stop creating hacks for Windows 98 because it was outdated. But because it wasn't worth it since there weren't many of Windows 98 PCs out there. But there will be a shit load of Windows XP PCs put there. So it is quite lucrative to put work into it.
And at last for the ones that microsoft is just recommending to upgrade to sell more copies of Windows 8: Microsoft fears a bad publicity much more then a couple less sells of Windows 8. I would even they, they would rather like to see the Windows XP users move to linux instead of having this bad publicity.
Think twice before declining the idea of upgrading. |
|
JBear join:2005-02-24 canada
1 recommendation |
to Gone Fishing
I'm going to re-iterate what I mentioned in a previous XP end of life thread...
I'm just going to keep a rig in the basement for legacy games that I enjoy playing i.e. Simcity 4, Civ 4 and be a workhorse for projects such as ripping our CD's and movies though it'll take longer. It will be connected to the network but won't have internet access unless it is needed for trouble shooting or some other task that I choose not to do on a newer rig.
Now on saying that, if I disable internet access but have the XP computer able to access other computers on my home network it should be fine, right? |
|
jester121 Premium Member join:2003-08-09 Lake Zurich, IL
2 recommendations |
to Gone Fishing
Much silliness in this thread, I had some good chuckles.
My reactions --
- End of support means nothing to the zillions of knuckleheads out there who aren't even running Windows Updates on their XP machines.
- End of support means nothing to corporate environments where they're running sophisticated IPS/IDS systems to keep bad stuff off their networks -- layer 7 type stuff.
- Even completely up-to-date anti-virus software doesn't stop all the various browser/plug-in/other vulnerabilities.
- The rants about "greedy Microsoft support" were pretty funny, since I doubt any of the ranters have ever paid a dollar more than their original license cost (or more likely, an OEM license bundle) for all the years of Microsoft patches.
- I'll never understand people who blame Microsoft (or anyone else) for problems that are probably self-inflicted. If it took 2 days to install Win7 and 4 hours to install Adobe, you're clearly doing it wrong -- or your have severely outdated hardware. |
|
Kilroy MVM join:2002-11-21 Saint Paul, MN
1 recommendation |
to Gone Fishing
The only way I would consider using XP after April 2014 is if the machine is not connected to a network. |
|
Boricua Premium Member join:2002-01-26 Sacramuerto |
to JBear
said by JBear:Now on saying that, if I disable internet access but have the XP computer able to access other computers on my home network it should be fine, right? You can't have a machine connect to a home and it not being able to access the Internet. Of course, if you disable the NIC, then yes the machine is protected since there is no Internet access but you won't be to access your home network. Do you see what I'm trying to say? Also, even if you take out Internet Explorer (which you can't as it is tied to the OS), when you open My Computer you can type a website address in the address bar and it WILL connect to the web. |
|
JBear join:2005-02-24 canada |
JBear
Member
2013-Aug-23 11:14 am
Thanks for the reply and yes I see what you're saying. I know as long as it's connected to my home network it will always be vulnerable to the outside world in some way. But if I disconnect internet access through the router would that lower it's risk to minimal levels? |
|
wingspar Premium Member join:2002-11-09 Oregon |
to Gone Fishing
I am still using XP SP3 and have not done any updates for a couple of years. Seems like every time I did one, it messed me up, so I don't do them. I have a good firewall and antivirus program, and it seems to run fine. A little slow with some programs, but I built this thing over 7 years ago.
I do have a brand new build running Win 7 64 bit with all the software I want on it, with maybe one exception and it is running fine. I will move it over to where this XP machine sits anytime now. However, my other half is still running XP on her machine, but we are planning to build a new Win 7 machine to replace it sometime this winter.
I went from DOS, to Win 3.1, to Win 95 to XP. We had Win 2000 at work when I retired. I skipped all the OS's. Win 7 is a different animal, but I'm starting to get used to it. In reading forums while researching components and building my Win 7 machine, I was rather surprised to see that there are still hundreds of thousands still running XP. Dang good OS if you ask me. I don't change OS's lightly. |
|
psloss Premium Member join:2002-02-24 |
to Boricua
said by Boricua:You can't have a machine connect to a home and it not being able to access the Internet. Sure you can, but very few consumers in 2013 have any use for such a configuration. (It's also inconvenient.) |
|
dave Premium Member join:2000-05-04 not in ohio |
to Boricua
said by Boricua:You can't have a machine connect to a home and it not being able to access the Internet. It all depends on what you mean by "the Internet" and where you consider "the Internet" to begin. But assuming the Internet is outside the house, all it takes is filtering at the gateway node. Or suitable configuration on the computer itself (no gateway, maybe - it's been a while since I cared about routing). |
|
Shootist Premium Member join:2003-02-10 Decatur, GA
3 recommendations |
to Boricua
said by Boricua:said by JBear:Now on saying that, if I disable internet access but have the XP computer able to access other computers on my home network it should be fine, right? You can't have a machine connect to a home and it not being able to access the Internet. Of course, if you disable the NIC, then yes the machine is protected since there is no Internet access but you won't be to access your home network. Do you see what I'm trying to say? Also, even if you take out Internet Explorer (which you can't as it is tied to the OS), when you open My Computer you can type a website address in the address bar and it WILL connect to the web. That is completely false. Sure you can have a home network and not have any of the computers connected to the net or have internet access and restrict that access to only select systems. Just where do you get this blatantly false information? |
|