Feeds

Sluggish corporates ill-prepared for death of Win XP SP2 support

Expect attackable vulns to accumulate, warn security watchers

The essential guide to IT transformation

Analysis It's been months coming but many organisations are ill-prepared for the end of security support for Windows XP SP2, potentially leaving a huge population of vulnerable machines for hackers to exploit.

July's Patch Tuesday marked the closure of patching support for both Win 2000 and Windows XP Service Pack 2. From now on there'll be no security updates, hotfixes and other updates for Windows XP Service Pack 2 - regardless of how serious a threat any newly discovered vulnerability may pose to users stuck on the OS.

And it's not only the base OS that won't get patched. Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components have also seen their last patches, net security firm Sophos points out.

However, support for Windows Embedded XP SP2, an OS build frequently used in ATMs and point of sale terminals will extend until Jan 2011, so users of embedded systems have a few months to prepare for change. That's just as well since the management of these systems is often handled by third party suppliers, further complicating the process of rolling out changes.

Microsoft advises all XP SP2 users to upgrade to either XP SP3 or (preferably, from Redmond's perspective at least) Windows 7. Win XP SP3 was released in April 2008 and will be supported until April 2014.

Microsoft named the precise date for the end of support for Win XP SP2, which debuted in August 2004, back in April.

Upgrading to Windows 7 may not be an option for sys admins supporting older PCs. Moving to XP SP3 is simpler but still poses application capability problems that means many corporates have been slow to move on, especially in the previous absence of any compelling reason to upgrade.

Win XP SP2 turned on the built-in firewall within Windows and proved a useful Defence against Blaster-style network worms prevalent at the time. No similarly compelling argument existed for an upgrade from XP SP2 to SP3.

"I believe the level of awareness for the upcoming change was not high enough," said Wolfgang Kandek, CTO at security risk and compliance management firm Qualys. "Unlike the SP1 to SP2 switch, there was no significant functionality added to SP3 that made the move enticing. Existing users are still very satisfied with the SP2 iteration of Windows XP."

"In the future, however, Windows XP SP2 users will not receive updates anymore and their systems will start to accumulate attackable vulnerabilities. Although we don’t have any insight into attackers’ preparations, I am expecting attackers to take advantage of the large pool of SP2 machines as soon as a suitable vulnerability appears."

Statistics from Qualys out last month estimate that around 50 per cent of Windows XP machines are still running SP2 level, while another recent survey by IT assessment services firm Softcheck found 77 per cent of organisations were still dependent on on SP2.

Computerworld runs through possible mitigation tactics for users who need to stick with Win XP SP2 for the time been, chief among which are dropping IE and continuing to patch third party apps. It also suggests sys admins should read Redmond's security vulns for clues on how to mitigate against further vulns in the absence of any patches, a process that sounds like a right old pain.

Dave Marcus, research and communications director for McAfee Labs, said enterprises needed to have a strategy in place to manage migration to supported versions of Windows.

"Many enterprises and consumer users still deploy and depend heavily on applications that run on this Windows build," said Marcus. "It is unclear how much risk and expense the end of support will cause users worldwide but we expect cybercriminals to capitalize on this opportunity."

"Users of Windows XP SP2 should consider migration options and robust security solutions to mitigate risk." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
Intel's Raspberry Pi rival Galileo can now run Windows
Behold the Internet of Things. Wintel Things
Linux Foundation says many Linux admins and engineers are certifiable
Floats exam program to help IT employers lock up talent
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.