Die XP die. Seriously though, will it ever die?
Only 227 days to go! Click the link to read the full article.
Source: Microsoft Security Blog
Back in April I published a post about the end of support for Windows XP called The Countdown Begins: Support for Windows XP Ends on April 8, 2014. Since then, many of the customers I have talked to have moved, or are in the process of moving, their organizations from Windows XP to modern operating systems like Windows 7 or Windows 8.
There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft. Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails.
What is the risk of continuing to run Windows XP after its end of support date? One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. Let me explain why this will be the case.
When Microsoft releases a security update, security researchers and criminals will oftentimes reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality. For example, if a vulnerability is addressed in one version of Windows, researchers investigate whether other versions of Windows have the same vulnerability. To ensure that our customers are not at a disadvantage to attackers who employ such practices, one long-standing principle that the Microsoft Security Response Center (MSRC) uses when managing security update releases is to release security updates for all affected products simultaneously. This practice ensures customers have the advantage over such attackers, as they get security updates for all affected products before attackers have a chance to reverse engineer them.
But after April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever. How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.
Figure 1: Infection rate (CCM) by operating system and service pack in the fourth quarter of 2012 as reported in the Microsoft Security Intelligence Report volume 14
Figure 4: The table below compares the mitigation features supported by Internet Explorer 8 on Windows XP Service Pack 3 with the features supported by Internet Explorer 10 on Windows 8. As this table shows, Internet Explorer 10 on Windows 8 benefits from an extensive number of platform security improvements that simply are not available to Internet Explorer 8 on Windows XP.
I read about this on el reg... though they sort of made it sound like Microsoft were going to deliberately release exploits to hackers.
They [Microsoft] don't seem to realise that when we [us techy types] still use XP, there's a reason for it. Either it's to do with software compatibility or we simply don't have the budget to upgrade.
Esp. in education there is some very rubbish software that doesn't follow good design. E.g. clash with UAC.
Moving to IT News forum.
We're in the middle of our migration at the moment, and have hit those issues - compatibility, budget, things that 'work'.
My answer to all has been "tough".
We have a legal responsibility to ensure the security and integrity of our data. Having gaping holes in our network is just not going to happen.
So, those bits of incompatible software? We'll have to do without until they can be replaced. Those machines that are just too darn old to run Windows 7? Retired. Not enough money to replace right away? We'll have to wait until we can.
With the amount of sensitive data that schools store and handle, it is simply irresponsible to leave such holes in place.
XP still has 30%+ marketshare. It seems a bit odd that MS will 'infect' or lead these products to be infected by withdrawing support. I can't see that it will do Microsoft's credibility any good if there is another mass Windows virus/exploit and their only solution is 'give us more money or buy another PC'. Cue for a car analogy.
There is still a lot of software that runs XP only and not so well in W7. It's still possible to keep using it without sacrificing any 'legal responsibility for needing to buy PCs' - however that works. Most will run well in WINE and there are plenty of products (deepfreeze), VDI etc. that will allow XP machines to return to base image when rebooted. I can also confirm that XP runs MUCH faster than W7 or W8 in a virtual environment.
The fact that XP still has 30% marketshare is neither here nor there. Microsoft had a large share of Windows 2000 users after it ended support for it too.
Microsoft's credibility isn't at stake here, your data is.
You don't have a legal responsibility to buy PCs but you do have one to protect your data properly.
Microsoft warns it'll hand out zero days for Windows XP « The Register
I wouldn't take any notice of The Register's sensationalist headlines. They often bear little resemblance to the article.
"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities," said Tim Rains, Microsoft's director of trustworthy computing, in a blog post.
"If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever."
Last edited by Arthur; 17th August 2013 at 12:09 PM.
When the library moves to the new building in September 2014 I will think about getting on to Windows 7.
It's just finding the time to play with all the settings to get it just right.