SIR v15: Five good reasons to leave Windows XP behind

Published: 2013-10-30
Last Updated: 2013-10-30 05:22:54 UTC
by Russ McRee (Version: 1)
11 comment(s)

No, it's not because I work for MSFT and want you to upgrade for selfish reasons. :-) It's because it really is time.

If you need a strong supporting argument and five good reasons to upgrade, look no further than the Microsoft Security Intelligence Report v15 released today. All you need to do is CTRL+F this doc and search for Windows XP to see what I'm talking about. Here, I'll help, as ripped directly from the SIR v15:

  1. 9.1 computers cleaned per 1000 scanned by the Malicious Software Removal Tool (MSRT) were Windows XP SP3 32-bit, more than any other system cleaned.
  2. Windows XP SP3 holds the top spot for infection rate (9.1 CCM) even though it actually has a lower encounter rate (percent of reporting computers) than Windows 7 SP1.
  3. The disparity between the two metrics above highlights the importance of moving away from older operating system versions to newer, more secure ones. Computers running Windows XP in the first half of 2013 encountered about 31 percent more malware worldwide than computers running Windows 8, but their infection rate was more than 5 times as high.
  4. #1 threat family affecting Windows XP SP3? INF/Autorun. Yes, that autorun, used by worms when spreading to local, network, or removable drives. Doesn't work on modern versions of Windows in their default configuration.
  5. Windows XP extended support ends April 8, 2014. That means no more patches, people.

As I sat in the dentist chair today for my cleaning and viewed my X-rays on a Windows XP machine I thought about a comment from Tim Rains of Microsoft's Trustworthy Computing organization: "XP has been a beloved operating system for millions and millions of people around the world, but after 12 years of service it simply can't mitigate the threats we're seeing modern-day attackers use." Survival rate for systems running Windows XP after support ends? Non-existent. Don't believe me? Also per Tim: "In the two years after Windows XP Service Pack 2 went out of support, its malware infection rate was 66 percent higher than Windows XP Service Pack 3 - the last supported version of Windows XP."

It's time, folks. It's going to be hard for doctors and dentists to be certain :-), but migration is in order. What would Patton say (thanks TJ)? "A violent executed plan today is better than a perfect plan expected next week." That should be your plan to migrate off Windows XP.

 

 


Comments

I absolutely agree with Russ.

We have been advising our clients for 12+ months to plan for and implement upgrades to Windows 7 (or Windows 8). We conduct 1,000s of vulnerability scans for our clients, and our data shows that the average Windows XP computer has 18.57 critical and high severity vulnerabilities (based on CVSS scoring). The average number of critical and high severity vulnerabilities per Windows 7 (and 8) hosts is currently .36. We fully expect that the .36 for Windows 7 (and 8) will rise over time, but for now it's a no-brainer from a security perspective.

Upgrading to Windows 7 (or 8) is less expensive than trying to patch and secure the XP machine.
From: https://blogs.technet.com/b/mmpc/archive/2013/10/29/infection-rates-and-end-of-support-for-windows-xp.aspx?Redirected=true
29 Oct 2013
... Malware Infection and encounter rates for Windows operating systems during 2Q13
- http://www.microsoft.com/security/portal/blog-images/a/sir151.png
.
But then, there is this:
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
September, 2013
... Win7 - 46.39%, XP - 31.42%, Win8 - 8.02%, Vista - 3.98%.

I'm sure most would like to dump XP right now, but I think we know it's "easier said than done", especially since it still "works". Instant answers aren't always available.
.
Better still, check out your Windows machines and get a Mac.
True. Windows has better support for auditors and enterprise controls though. You can tell the auditors, my OS is secure, but they are still going drag you over the coals about all the controls they have listed in their checklists. Stinks, but it's a fact of life. Security by policies and massive binders will take a long time to die, I'm afraid.
" It's going to be hard for doctors and dentists to be certain :-), "

Doctors and Dentists??!! Let's talk about SCADA and the thousands of controllers that just, yes, just upgraded out of 98.. Though I will not put their full name in.. Joh Controls. Hwell and others. Reason for this emulation issue, >80% have not upgraded the software or worse the firmware. I speak for fact, have a nuclear plant just south, still needs 98 on COM, they can't enumerate DB files via a secure tunnel, instead, let's run out there.. pop in the ole null modem cable.. :rolleyes: Those that work in refineries, oil patch, Electronic grid chime in... it is "syntax error" The last company I said, look, free $$$ and upgrade in the process, helping all.. Well... as the metaphor comes into focus, no good deed goes unpunished.. lost my job for pushing the vendor. REALLY? But I digress..
Russ, the concept of upgrading is not under debate, the end user has no choice in the matter at this stage, not if they are running things like on line banking or the like. The big issue I am seeing is the total cost of the upgrade for a small business that's been hard hit by the recession, and whose owner doesn't see any good reason to upgrade, in that their present machine is performing acceptably, as are the applications that are running on it.

For many XP users, to upgrade to W7 or W8 is going to mean a big cost, and a steep learning curve in some areas, and the end result visible to the user will not be significantly different to what they see now, and in some cases, achieving the same result will not be as easy as it is now under XP.

Many XP based machines will not easily upgrade to W7 or W8, because the newer operating systems are memory hogs, and many XP generation machines can't be upgraded to have more than 2 Gb of memory, and 7 or 8 on 2 Gb is not going to be a nice experience.

So, if the motherboard won't run a new OS, if it's an OEM machine, that could mean a new machine, in toto, and a new OS, and a new Office application because in some cases, it won't be legal to move the existing (probably 2003) Office to a new machine. That's going to introduce another whole world of hurt, as there are massive differences between 2003 and later versions of office.

Then there's the not insignificant matter of peripherals like printers and scanners that don't have W7 or W8 drivers, which could mean more spend, only to continue to achieve the same result as is happening now. That's very easy to justify when times are good, but hard when there's no certainty that the payroll can be paid this week!

Of course, the other option is "the cloud", but that is a route that could be fraught with problems, try telling a workforce that it's not possible to pay them this week because the broadband link was down, or similar. Not going to happen, "the cloud" for me is just a faster reincarnation of bureau processing that was around 40 years ago, the only difference being that it's now faster line speeds, back then it was batch, using paper tape or punch card input, over 1200 baud lines. It was surprising what could be done using those methods, as long as the line was working, but look out if it failed! Same is true now, broadband may be a lot faster, but if it's not there, and the alternative has also been wiped out by some other scenario, or the cloud supplier has just declared themselves bankrupt (and yes it WILL happen), resolving some of those issues in order to regain access to the company database and applications will bring a whole new world of pain to the concept of disaster recovery. The other aspect is that even with the cloud, XP has to be replaced in order to remain relatively secure from the increasingly clever hackers and spoofers that abound,

So, next April is going to be a very challenging time for a lot of people.

Me, I'm looking at alternatives that allow me to maybe not use Microsoft any more, simply because the total cost of ownership for a small company is becoming way too high on a year on year basis.

I wonder what some large corporates are doing about this, on a Spiceworks digest last week, a techie mentioned that he has responsibility for a UK government department that is still using over 50,000, yes FIFTY THOUSAND XP based machines. If they have internet access, that's a world of pain just waiting to explode next April, unless there are some serious plans in place to mitigate the risks, and the implication of his comments was that there is no plan at the moment.

Oh the joys of modern computing, it was so much easier when the OS was 3 floppy discs of 1.4 Mb each, and while the modern windows does a lot more than DOS 6.1 did, in certain areas, and for some users, the reality is that they could still do pretty much all they need under DOS, had it been upgraded to support the newer CPUs and things like USB. For commercial users, much of the bells and whistles of Windows is an unwanted bloat on a system that they don't use, and in some cases, if it wasn't there, there would be fewer hassles with hacks and employee abuse of time and facilities during working time, but that's a subject for another day.

Time to go before I get into even deeper and murkier waters

Steve
"So, next April is going to be a very challenging time for a lot of people.

Me, I'm looking at alternatives that allow me to maybe not use Microsoft any more, simply because the total cost of ownership for a small company is becoming way too high on a year on year basis."

The smart corporations will know the risk, but then again like the saying the customer is always right once you train them. This was huge where I worked... as long as PC turned in it could be Donkey-Kong (ok dating myself) I too have moved more away from Billy Bob and in OSx, UNIX. If I need to run a security ridden OS, I can use parallels on my machine. Billy could have fixed XP for 30% the cost of these two new OS, well 7 is not new, but 8.. ask Steve.

Will be nice not to be held hostage under an individual that in the 70's did the same thing.. yes.. Billy.. your ticket is getting punched for how you got CodeSuite. Sadly IBM was too myopic to see the real world.. but then again... look at the initials.
"Better still, check out your Windows machines and get a Mac."
Better still, check out your Windows machines and get a Linux box.
"Better still, check out your Windows machines and get a Mac."
"Better still, check out your Windows machines and get a Linux box."
Neither of those are options if you have a Windows-trained workforce. Two people in my family just bought Mac Pro laptops and it has been the most frustrating thing we've ever experienced. Want a right-click context menu for Copy and Paste functions? Oh, that's there but it's turned off by default. Want to re-size an image to paste it in an email? You better learn to think in pixels because click-n-drag image resizing does not exist on a Mac. And the best one: Want the firewall turned on to protect your Linux-based Mac from the world? Yes, it's there but it's turned off by default. It's like Apple deliberately made common Windows tasks difficult to do on a Mac.

I work for a thousand-person company with a very high average age. We had very little issues in the XP to 7 transition simply because so many people were already using Vista or 7 at home and had been for years.

If you need to run XP after it goes off support, you simply have to beef up your perimeter defenses to whitelist Internet sites, add scanning proxy servers, etc. if you're not already doing it. And while that will improve your posture no matter what desktop operating system you use, it's not going to be a whole lot cheaper than upgrading the endpoints.
"If you need to run XP after it goes off support, you simply have to beef up your perimeter defenses to whitelist Internet sites, add scanning proxy servers, etc. if you're not already doing it. And while that will improve your posture no matter what desktop operating system you use, it's not going to be a whole lot cheaper than upgrading the endpoints."

I'd go a step further, and isolate them in their own VLAN treated like a DMZ with a firewall between them and the internet as well as between them and the rest of the business. This is actually under consideration for *all* of our user subnets at $DAYJOB$ right now after our last security incident - a user's laptop (win7, BTW) getting infected with malware-du-jour that nobody's anti-virus tool detected, which attacked yet-another ancient Win2k system on the "don't patch it or you'll break some ancient app we don't have support for" list, which was then used to compromise several other systems and more desktops/laptops (where I finally detected it with a prototype snort sensor I'd set up on my own time to prove to certain parties we needed better intrusion detection - phooey).

And I agree completely with the comments about the incredible costs and pains associated with windows upgrades leading to hardware upgrades, leading to incompatibilities with other peripherals, leading to further hardware upgrades, leading to incompatibilities with older non-MS software, leading to yet more software upgrades to make them work with the newer peripherals, lather, rinse, repeat. :-(

As for windows being easier to manage globally.... Yeah, sorta. Except for all the rogues set up by Engineers who don't want all the anti-virus/anti-malware tools getting in their way and want local admin privs and to be allowed to install any <rude-word> junk-ware they want whenever they want. Plus it's very easy to get complacent when you can wave a bunch of GPO policies to make SOX auditors happy and think that means you're secure. :-) Every security incident I've seen here has been a case of yet-another compromised windows end-user system being used to attack anything/everything else from within our own nets. Separate all your user VLANs from everything else with firewalls (yep, managed or not, they're no more trustworthy than the internet at large anymore) and monitor *all* traffic crossing any security or geographic boundary, not just internet ingress/egress points.
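
The segmentation advice in the last two comments (legacy XP hosts in their own VLAN, reachable only through a scanning proxy, with all boundary-crossing traffic monitored) can be checked against flow records. The following Python is an added example, not code from the diary or its commenters; the subnets, the proxy address and the flow-record format are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): legacy XP hosts sit in a dedicated VLAN.
ZONES = {
    "legacy_xp": ipaddress.ip_network("10.20.30.0/24"),
    "users": ipaddress.ip_network("10.20.0.0/20"),
    "servers": ipaddress.ip_network("10.10.0.0/16"),
}
# The only boundary crossing the legacy VLAN may make: (dst ip, dst port).
LEGACY_ALLOWED = {("10.10.5.8", 3128)}  # hypothetical scanning proxy

# Constructed flow records, one per line: "src_ip,dst_ip,dst_port"
SAMPLE_FLOWS = """\
10.20.30.14,10.10.5.8,3128
10.20.30.14,203.0.113.10,80
10.20.30.22,10.10.7.40,445
10.20.4.51,10.20.30.14,445
10.20.30.14,10.20.30.22,139
10.20.4.51,10.10.5.8,3128
"""

def zone_of(ip):
    """Map an address to its zone; anything unlisted counts as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def audit(flow_text):
    """Return [(src_zone, dst_zone, line)] for disallowed flows crossing the legacy boundary."""
    violations = []
    for line in flow_text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, port = line.split(",")
        sz, dz = zone_of(src), zone_of(dst)
        if "legacy_xp" not in (sz, dz) or sz == dz:
            continue  # not a crossing of the legacy VLAN boundary
        if sz == "legacy_xp" and (dst, int(port)) in LEGACY_ALLOWED:
            continue  # outbound via the scanning proxy is the one permitted path
        violations.append((sz, dz, line))
    return violations

if __name__ == "__main__":
    for sz, dz, line in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {sz} -> {dz}: {line}")
```

Inbound flows to the legacy VLAN are flagged as well as outbound ones, since the comments describe compromised internal desktops attacking unpatched systems from inside the network.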
