Migrate to Mitigate: The XP Security Risks

The XP Security Risks

As a security professional, one of the hottest topics I’m asked about is Windows XP end of life and what to expect: what are the security ramifications of running an unsupported OS, and what are the XP security risks? I have wanted to write about these challenges for a while, and with the recent zero-day vulnerability Microsoft announced, it seems like the perfect opportunity to start the conversation using a real-world example of what maintaining Windows XP in a corporate environment means.

The fear is that there are many XP exploits available that hackers will start to use now that XP end of life has passed. The zero-day vulnerability Microsoft announced on Sunday, April 27, 2014 highlights some of the nasty problems customers are facing, and will continue to face, while still on Windows XP. *CVE-2014-1776 is a major zero-day vulnerability that affects Microsoft Internet Explorer (IE). The simple explanation is that hackers use a well-known exploitation technique that relies on Flash, called heap feng shui, to exploit the vulnerability in IE. The vulnerability in Flash is documented in CVE-2014-0515. This vulnerability allows a hacker to bypass two key security measures implemented in Microsoft operating systems, namely Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Before Microsoft released an update for this vulnerability, there were steps users could take to reduce their exposure; in particular, they could protect themselves by running IE in Enhanced Protected Mode. Here is the kicker for those still on XP: this will not work for you. Many of the exploit mitigation techniques used by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) do not work on XP. In this case, XP does not support ASLR, which loads applications and their libraries at randomized memory addresses so an attacker cannot predict where code will sit. To rub salt in the wound, assuming Microsoft holds to its current hardline XP patch policy, you will not get the Microsoft patch unless you have an expensive extended support contract with Microsoft. According to the Knowledge Base article that hosts the patches (KB2961887), there is no XP patch.

Adobe released a patch for the Flash vulnerability on Monday that prevents attackers from using it to take advantage of the IE vulnerability. This alleviates some of the fear connected with this particular vulnerability and XP. However, XP users still have the vulnerability in IE, and it could still be exploited. Here is the challenge: running an out-of-date OS, or an out-of-date application for that matter, that no longer receives security updates adds considerable risk to your business. CVE-2014-1776 is only the first of these vulnerabilities; many more are expected.

So you’re stuck with XP; now what? The first thing I would suggest: upgrade! I get it, an upgrade may not be something you can do right now; however, you need to figure out how to get off XP, and soon. By the way, LANDESK can help. It is going to be more costly to support XP going forward. Here are my top five suggestions to help mitigate some of the risks if you choose to keep XP:

  1. Make sure you’re running AV with up-to-date definitions
  2. Limit the software on the system
  3. Make sure that third-party applications are up-to-date
  4. Run Application Control
  5. Restrict admin rights
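To make that checklist concrete, here is a read-only audit script I have added for this post; it is not code from the original article or from LANDESK. It checks a single XP SP3 host against each of the five items and prints the gaps it finds. It assumes PowerShell 2.0 (the last release that installs on XP) running as a local administrator; the Flash ActiveX registry key and the two thresholds (how many packages count as "too much software", how many accounts count as "too many admins") are assumptions you should adjust for your environment.

```powershell
# Added example (not from the original post): audit one Windows XP SP3 host against
# the five mitigations above. Assumes PowerShell 2.0 and local admin rights.
# Registry and WMI locations are the standard XP ones except where marked as an assumption.

# 1. Anti-virus: XP's Security Center registers AV products in root\SecurityCenter.
function Get-AvStatus {
    $av = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    if ($av.Count -eq 0) {
        return New-Object PSObject -Property @{ Name = '(none registered)'; OnAccess = $false; UpToDate = $false }
    }
    return New-Object PSObject -Property @{
        Name     = $av[0].displayName
        OnAccess = [bool]$av[0].onAccessScanningEnabled
        UpToDate = [bool]$av[0].productUptoDate
    }
}

# 2. Installed software inventory: every Uninstall entry that has a DisplayName.
function Get-InstalledSoftware {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $key -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion
}

# 3. Third-party/browser components named in the post. The Flash ActiveX key is an
#    assumption; Adobe's installers have written the version to different keys over time.
function Get-BrowserComponentVersions {
    $ie    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue).Version
    $flash = (Get-ItemProperty 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX' -ErrorAction SilentlyContinue).Version
    New-Object PSObject -Property @{ IE = $ie; FlashActiveX = $flash }
}

# 4. Application control: on XP this is Software Restriction Policies (SRP).
#    DefaultLevel 0x40000 = Unrestricted (no control), 0 = Disallowed (allow-list mode).
function Get-SrpMode {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = (Get-ItemProperty $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($level -eq $null) { return 'not configured' }
    switch ($level) {
        0       { 'disallowed (allow-list mode)' }
        0x20000 { 'basic user' }
        0x40000 { 'unrestricted (no application control)' }
        default { "unknown ($level)" }
    }
}

# DEP on XP is a boot.ini switch rather than a BCD setting; OptIn is the default when absent.
function Get-DepMode {
    $bootIni = Join-Path $env:SystemDrive 'boot.ini'
    $text = Get-Content $bootIni -ErrorAction SilentlyContinue | Out-String
    if ($text -match '/noexecute=(\w+)') { return $Matches[1].ToLower() }
    return 'optin (default)'
}

# 5. Admin rights: members of the local Administrators group via ADSI (no extra modules needed on XP).
function Get-LocalAdmins {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

# Pull the checks together into findings a desktop team can act on.
# The 50-package and 2-admin thresholds are assumed values; tune them for your estate.
function Get-XpMitigationReport {
    $av       = Get-AvStatus
    $admins   = @(Get-LocalAdmins)
    $software = @(Get-InstalledSoftware)
    $findings = @()
    if (-not $av.OnAccess) { $findings += "AV: on-access scanning is off ($($av.Name))" }
    if (-not $av.UpToDate) { $findings += "AV: definitions are out of date ($($av.Name))" }
    if ($software.Count -gt 50) { $findings += "Software: $($software.Count) packages installed; review and remove what is not needed" }
    $ver = Get-BrowserComponentVersions
    $findings += "Versions: IE $($ver.IE), Flash ActiveX $($ver.FlashActiveX); compare against current vendor releases"
    $srp = Get-SrpMode
    if ($srp -notmatch '^disallowed') { $findings += "Application control: SRP is $srp" }
    $dep = Get-DepMode
    if ($dep -notmatch 'optout|alwayson') { $findings += "DEP: policy is $dep; OptOut or AlwaysOn covers every process" }
    if ($admins.Count -gt 2) { $findings += "Admin rights: $($admins.Count) members in Administrators: $($admins -join ', ')" }
    return $findings
}

Get-XpMitigationReport | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell 2.0 prompt on the XP host; each line of output is one item from the list above that needs attention, so an empty report means the five mitigations are in place as far as the machine itself can tell. It deliberately only reads state, so it is safe to run from a login script or a management tool as a recurring check.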

For those of you who are fortunate to have an extended support contract with Microsoft, LANDESK offers a solution to help you continue to patch your Windows XP machines. Read more about this program here.

*You can read more details about the CVE-2014-1776 vulnerability here.

  • Gerald, great post. Our (RISC Networks) infrastructure analysis of over 4,600 enterprise businesses shows that 88% of these businesses still have workstations running an operating system that is either end-of-support or reaching EOS. With Windows 8 as the only real option right now, I think it opens up the consideration for different options, such as Desktop-as-a-Service from companies like Amazon (Workspaces) or Quest Systems (http://www.questsys.com/). Not something a patch management provider wants to hear, I am sure. I don’t think DaaS will be widely adopted anytime soon, but it is certainly something to consider for the right businesses still running a 12-year-old operating system.