
Sluggish corporates ill-prepared for death of Win XP SP2 support

Expect attackable vulns to accumulate, warn security watchers


Analysis: It's been months coming but many organisations are ill-prepared for the end of security support for Windows XP SP2, potentially leaving a huge population of vulnerable machines for hackers to exploit.

July's Patch Tuesday marked the closure of patching support for both Win 2000 and Windows XP Service Pack 2. From now on there'll be no security updates, hotfixes and other updates for Windows XP Service Pack 2 - regardless of how serious a threat any newly discovered vulnerability may pose to users stuck on the OS.

And it's not only the base OS that won't get patched. Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components have also seen their last patches, net security firm Sophos points out.

However, support for Windows Embedded XP SP2, an OS build frequently used in ATMs and point of sale terminals, will extend until Jan 2011, so users of embedded systems have a few months to prepare for change. That's just as well since the management of these systems is often handled by third party suppliers, further complicating the process of rolling out changes.

Microsoft advises all XP SP2 users to upgrade to either XP SP3 or (preferably, from Redmond's perspective at least) Windows 7. Win XP SP3 was released in April 2008 and will be supported until April 2014.

Microsoft named the precise date for the end of support for Win XP SP2, which debuted in August 2004, back in April.

Upgrading to Windows 7 may not be an option for sys admins supporting older PCs. Moving to XP SP3 is simpler but still poses application compatibility problems, which means many corporates have been slow to move on, especially in the previous absence of any compelling reason to upgrade.

Win XP SP2 turned on the built-in firewall within Windows and proved a useful defence against Blaster-style network worms prevalent at the time. No similarly compelling argument existed for an upgrade from XP SP2 to SP3.

"I believe the level of awareness for the upcoming change was not high enough," said Wolfgang Kandek, CTO at security risk and compliance management firm Qualys. "Unlike the SP1 to SP2 switch, there was no significant functionality added to SP3 that made the move enticing. Existing users are still very satisfied with the SP2 iteration of Windows XP."

"In the future, however, Windows XP SP2 users will not receive updates anymore and their systems will start to accumulate attackable vulnerabilities. Although we don’t have any insight into attackers’ preparations, I am expecting attackers to take advantage of the large pool of SP2 machines as soon as a suitable vulnerability appears."

Statistics from Qualys out last month estimate that around 50 per cent of Windows XP machines are still running at SP2 level, while another recent survey by IT assessment services firm Softcheck found 77 per cent of organisations were still dependent on SP2.

Computerworld runs through possible mitigation tactics for users who need to stick with Win XP SP2 for the time being, chief among which are dropping IE and continuing to patch third party apps. It also suggests sys admins should read Redmond's security vulns for clues on how to mitigate against further vulns in the absence of any patches, a process that sounds like a right old pain.

Dave Marcus, research and communications director for McAfee Labs, said enterprises needed to have a strategy in place to manage migration to supported versions of Windows.

"Many enterprises and consumer users still deploy and depend heavily on applications that run on this Windows build," said Marcus. "It is unclear how much risk and expense the end of support will cause users worldwide but we expect cybercriminals to capitalize on this opportunity."

"Users of Windows XP SP2 should consider migration options and robust security solutions to mitigate risk." ®
