Feeds

Sluggish corporates ill-prepared for death of Win XP SP2 support

Expect attackable vulns to accumulate, warn security watchers

Intelligent flash storage arrays

Analysis It's been months coming but many organisations are ill-prepared for the end of security support for Windows XP SP2, potentially leaving a huge population of vulnerable machines for hackers to exploit.

July's Patch Tuesday marked the closure of patching support for both Win 2000 and Windows XP Service Pack 2. From now on there'll be no security updates, hotfixes and other updates for Windows XP Service Pack 2 - regardless of how serious a threat any newly discovered vulnerability may pose to users stuck on the OS.

And it's not only the base OS that won't get patched. Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components have also seen their last patches, net security firm Sophos points out.

However, support for Windows Embedded XP SP2, an OS build frequently used in ATMs and point of sale terminals will extend until Jan 2011, so users of embedded systems have a few months to prepare for change. That's just as well since the management of these systems is often handled by third party suppliers, further complicating the process of rolling out changes.

Microsoft advises all XP SP2 users to upgrade to either XP SP3 or (preferably, from Redmond's perspective at least) Windows 7. Win XP SP3 was released in April 2008 and will be supported until April 2014.

Microsoft named the precise date for the end of support for Win XP SP2, which debuted in August 2004, back in April.

Upgrading to Windows 7 may not be an option for sys admins supporting older PCs. Moving to XP SP3 is simpler but still poses application capability problems that means many corporates have been slow to move on, especially in the previous absence of any compelling reason to upgrade.

Win XP SP2 turned on the built-in firewall within Windows and proved a useful Defence against Blaster-style network worms prevalent at the time. No similarly compelling argument existed for an upgrade from XP SP2 to SP3.

"I believe the level of awareness for the upcoming change was not high enough," said Wolfgang Kandek, CTO at security risk and compliance management firm Qualys. "Unlike the SP1 to SP2 switch, there was no significant functionality added to SP3 that made the move enticing. Existing users are still very satisfied with the SP2 iteration of Windows XP."

"In the future, however, Windows XP SP2 users will not receive updates anymore and their systems will start to accumulate attackable vulnerabilities. Although we don’t have any insight into attackers’ preparations, I am expecting attackers to take advantage of the large pool of SP2 machines as soon as a suitable vulnerability appears."

Statistics from Qualys out last month estimate that around 50 per cent of Windows XP machines are still running SP2 level, while another recent survey by IT assessment services firm Softcheck found 77 per cent of organisations were still dependent on on SP2.

Computerworld runs through possible mitigation tactics for users who need to stick with Win XP SP2 for the time been, chief among which are dropping IE and continuing to patch third party apps. It also suggests sys admins should read Redmond's security vulns for clues on how to mitigate against further vulns in the absence of any patches, a process that sounds like a right old pain.

Dave Marcus, research and communications director for McAfee Labs, said enterprises needed to have a strategy in place to manage migration to supported versions of Windows.

"Many enterprises and consumer users still deploy and depend heavily on applications that run on this Windows build," said Marcus. "It is unclear how much risk and expense the end of support will cause users worldwide but we expect cybercriminals to capitalize on this opportunity."

"Users of Windows XP SP2 should consider migration options and robust security solutions to mitigate risk." ®

Intelligent flash storage arrays

More from The Register

next story
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Post-Microsoft, post-PC programming: The portable REVOLUTION
Code jockeys: count up and grab your fabulous tablets
Twitter App Graph exposes smartphone spyware feature
You don't want everyone to compile app lists from your fondleware? BAD LUCK
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.