Windows XP Goes Dark

By Holly Gilbert Stowell

Microsoft will continue to put out security updates for its newer operating systems, Windows 7 and Windows 8, which experts say can raise further problems. “They’ll reveal flaws that are also probably still available or are still in existence with Windows XP,” says Sakore. “So the security updates that are actually going to be rolled out for the newer operating systems are going to be a roadmap to be able to exploit vulnerabilities in Windows XP.”

Some organizations have negotiated extended support contracts with Microsoft, including major banks whose ATM machines are running on XP. In one particularly large deal, the British government spent more than £5.5 million (roughly $9.2 million) to extend support for 12 months.

While larger companies can afford to buy extended support contracts from Microsoft, Wisniewski says that the majority of organizations should accelerate their plans to migrate. “If that means bringing in some temp staff, if that means temporarily migrating your help desk to a call center somewhere while you get more boots on the ground to update your PCs; whatever it is you need to do, you need to do it quickly,” he says.

Some of the risks that might lie ahead became apparent less than three weeks after support officially ended for the XP operating system, when cybersecurity company FireEye announced that it had discovered a vulnerability in versions 6 through 11 of Internet Explorer, Microsoft’s Web browsing application. (Version 6 is the browser for Windows XP.)

The U.S. Department of Homeland Security issued a warning on April 28 through its United States Computer Emergency Readiness Team (US-CERT) that the flaw, which is known as a “use-after-free vulnerability,” could “lead to the complete compromise of an affected system,” as hackers could obtain the same rights to the operating system as the current user. US-CERT advised users to use an alternate browser until the security vulnerability could be patched and mitigated.

On May 1, Microsoft issued a statement that it would be providing a patch for all affected versions of Internet Explorer, including those running on Windows XP. Adrienne Hall, general manager of trustworthy computing for Microsoft, said in the statement, “Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP…. We made this exception based on the proximity to the end of support for Windows XP.”


