Tuesday 8th of April 2014, a page of the computer industry has been turned! Windows XP is dead! Of course, I had to write a blog post about this event. For months now, Microsoft warned its customers that XP won’t be supported starting from today. Do you remember: Windows XP was available on floppies and had – in the beginning – no native USB support! What does it mean today? From a end-users’ point of view, their computer will not collapse! No need to repeat some voodoo formulas, it will boot again and work like yesterday… Except if something bad happens. In this case, Microsoft won’t help you (instead they will be very happy to propose you an upgrade to Windows 8.1). Well, this is not 100% true: Microsoft is still ready to “offer” you some support if you subscribe to their Premium Service program! (Business is business)
Things are more nasty from a security point of view! Your computer will still run but will be vulnerable to new attacks. By “new” I mean the ones that will be discovered (because XP will be a very nice target seeing its installed base – see the graph below). But I’m also pretty sure that some vulnerabilities have been discovered for a while and kept below the radar ready to be used in the wild. And this may occur very soon tomorrow. People are still migrating to a newer operating system and the surface attacks will reduce itself with time. For an attacker perspective, this is the right time!
But, is this old Windows XP still a problem? People had quite a long time to switch to alternative OS rights? Have a look at the following statistics. They come from the blog and are based on the last 30 days:
Based on Google Analytics, 11% of my visitors are still using Windows XP! Based on my regular audience and the content of this blog, I could expect people to have a “high-level profile” like IT professional, infosec people, etc. Those people should have get rid of XP for a while. Ok, let’s reduce this number by a few percents due to fake User-Agents used by some of you or bots and crawlers. Let’s make a final estimation to 7-8%? This remains a huge amount of vulnerable computers (my blog does not generate a lot of traffic). I’m curious to see statistics for big players on the web… Somebody can share?
If you’re still using XP today, have a look a top of your head, there is sword of Damocles! Windows XP was not only used on desktop computers. They are plenty of services still running on top of it:
- Bank ATM’s
- Medical devices
- SCADA systems
- PoS
- Kioks
- …
 What can you do against this? First reaction: upgrade as soon as possible (for laptops & desktops). Installation like medical devices have the bad reputation to not be easily upgradable (or not at all). In all other cases, security best practices apply as usual:
- Locate devices running XP on your network! Could be stupid but many companies don’t know what devices are connected on the LAN!
- Prohibit those devices or isolate them in a separate network zone. NAC (“Network Access Control“) solutions can be useful to put them in a dedicated & hardened VLAN
- Disconnect them from the Internet
- Don’t run “services” on them
- Don’t surf from them
Finally, if you have old applications, test them on a newer OS in the “Windows XP” compatibility mode. Please take actions today!
RT @xme: [/dev/random] The Day Windows XP Died! http://t.co/5u32YA2SLB
RT @xme: [/dev/random] The Day Windows XP Died! http://t.co/5u32YA2SLB
RT @xme: [/dev/random] The Day Windows XP Died! http://t.co/5u32YA2SLB