6 Common Questions Answered About Windows XP End-of-Life

As we've previously discussed on this blog, Microsoft is ending support on April 8 for its 13-year-old Windows XP operating system. Yes, all good things must come to an end.

Considering the publicity surrounding this announcement, the end-of-life news shouldn't come as much of a surprise to most organizations.

Of course, a number of companies currently running XP surely will be taken aback when the deadline arrives. But a much greater majority that hasn't transitioned to a newer platform across their environment likely has done so on purpose. After all, such a migration is costly and complex, and runs the risk of breaking things due to incompatibility issues. Because of those reasons, and because XP is so widespread, expect to see it in use for many years to come.

But entities that fail to update are doing so at their own risk, both from a security and risk perspective, as well as a compliance standpoint - specifically the Payment Card Industry Data Security Standard (PCI DSS) if they are relying on point-of-sale (POS) systems that run on XP.

I asked Gregory Rosenberg, a security engineer at Trustwave, to answer some of the common questions about XP end-of-life that we've been receiving from customers.

1. What exactly is Windows XP end-of-life?

The longtime operating system from Microsoft is no longer going to be supported as of April 8. The biggest thing that means is that Microsoft no longer will issue security updates for vulnerabilities in XP. And that's a huge deal when one considers that an estimated one quarter to one third of the world's desktops run XP.

2. Is this really that big of a deal?

If there's anything we know about the bad guys, it's that they prefer the least resistant path possible when launching attacks. The less effort they have to exert, the better. Anecdotal reports indicate that the market for Windows XP exploits has ramped up considerably over the last year. It's likely that attackers have hoarded a number of exploits that they'll launch once patches stop coming in. But even more likely is that, due to shared coded bases between XP and newer versions of Windows, attackers will reverse engineer patches that Microsoft issues going forward and attempt to create exploits that also work on XP.

3. For organizations slow or unwilling to migrate to a newer platform, what are some best practices?

For starters, they should conduct a risk assessment of their environment to determine where XP is running. That will allow them to drill down on XP devices and apply specific security controls to them. If the deployment of XP is much more widespread than anticipated, organizations should consider bulking up their overall network security, including deploying advanced anti-malware, intrusion detection and prevention and network monitoring. And of course, obvious best practices like limiting privileges and ensuring all workstations are running the latest web browser version are critical.

I should also add that customers with a Microsoft support contract still will receive anti-malware signatures for all XP systems through July 14, 2015.

4. I've been hearing that the support cutoff could have a big impact on XP-based embedded systems, like point-of-sale systems that handle credit card swipes. Is this true?

While Microsoft is maintaining support for Windows XP Embedded through 2016, support expires for the widely deployed Windows XP Professional for Embedded Systems - which is identical to Windows XP - on April 8. Given that news, retailers using POS systems should be aware of the risk following that date, especially given the alarming trend of POS malware incidents affecting retailers.

Most businesses are probably aware that they are running XP on their desktops - and that the end-of-life deadline is quickly approaching. But I'm not sure the same applies to many merchants running XP on their POS systems. Many don't even realize it. It's worrying.

5. Given the support cutoff and this new POS malware trend, how important is third-party help?

There are a number of steps that businesses can take to protect themselves from POS breaches. Our recently published white paper, "Combatting Point-of-Sale Malware," offers some very helpful guidance, from reviewing remote connection logs to segmenting systems from the rest of the network to toughening passwords to pen testing systems to implementing advanced malware defenses.

But the paper concludes with an important caveat: "Operate under the assumption that not only is a compromise possible, it may well be imminent (if it hasn't already occurred)." With this in mind, merchants can request proactive breach detection investigations from a company like Trustwave. They are designed to identify if they've been victimized by a breach or if they suspect an attack already is currently happening. The goal is to flag a breach as quickly as possible to limit the damage and minimize recovery times and costs.

6. Can I be out of compliance if I'm running XP on my POS systems?

As this article states, running XP on POS systems will violate PCI DSS 6.2, which requires retailers to install the latest security patches. We estimate that at least 30 percent of POS systems out there are running XP - and the sad fact is many merchants don't even realize it for any number of reasons, mostly due to simple unawareness.

If organizations have a compelling business case to maintain XP-based POS systems, then compensating controls - such as web application firewalls, whitelisting, IDS/IPS and patch support - can help them maintain compliance. Of course, the best option is to upgrade POS systems to Windows Embedded, but that is a costly and time-consuming process.

We've got a bit of a mess on our hands, but the best thing to hope for is attention. If companies are at least aware of the risk, that can be half of the battle.

If you have any additional questions, please don't hesitate to contact Greg at grosenberg@trustwave.com.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.