Security Bloggers Network 
SBN

The XPocalypse is nigh!

by CQR on April 3, 2014

Next week, on 8-Apr-2014, the mainline support for Windows XP ends.  If you believe the media, the Internet is headed for a disaster of biblical proportions.  Real wrath-of-God-type stuff.  Fire and brimstone coming from the sky!  Rivers and seas boiling!  Forty years of darkness!  Earthquakes!  Volcanoes!  Human sacrifice, dogs and cats living together, mass hysteria!

Perhaps the late great Harold Ramis had it right in Ghostbusters, but I think that XP will go into the night, not with a bang but with a whimper.

Let’s fire our proton pack at each of the arguments, and see what ends up in the trap.

1.  XP will be vulnerable forever.

Absolutely true.  There will be no more security patches ever.  But most businesses that have managed the transition to Windows 7 still don’t patch effectively, which means that most of those installations are vulnerable right now.  If you upgrade but don’t maintain your patches, you might as well not bother.

2.  XP is everywhere.
No it really isn’t.  The current market-share of XP is just under 30%.  While this is still much higher than we would like a week away from the end of support, it is low enough that herd immunity will probably protect the laggers for some time.

3.  Alright then, XP is everywhere in critical systems.

Yes and no.  It is true that most of the ATMs on the planet run XP, but the vast majority don’t run the same XP Professional image that you might have once had on your desktop.  What they run is either Windows XP Embedded Service Pack 3, which is supported until 12-Jan-2016, or Windows Embedded Standard 2009, which is supported until 9-Apr-2019.  So the banks have plenty of time to address the issue.

4.  Ok then, XP is in medical systems, if they don’t upgrade people will die.

In some of them it definitely is, and it’s the desktop version.  You can probably even find Windows 98 running some systems in hospitals.  However almost all of these systems are not networked, so the attack surface is very small.  They also tend to be locked inside the machine, so accidental access is unlikely.

5.  But my Mum has XP!

And finally we get to the crux of the problem.  There really is a lot of legacy XP out there in systems that we’ve given to our families.  Nothing says “I love you” like buying them a new tablet and sending the old XP machine to recycling.

I really don’t think there is any need to cross the streams right now, but it still might be a good idea to keep an eye out for the Stay-Puft Marshmallow Man.  After all, we get to choose the form of the Destructor!
 
Phil Kernick
@philkernick
www.cqr.com

*** This is a Security Bloggers Network syndicated blog from CQR authored by CQR. Read the original post at: http://cqraustralia.blogspot.com/2014/04/the-xpocalypse-is-nigh.html

CQR , , ,