Tuesday 8th of April 2014: a page of the computer industry has been turned!
Windows XP is dead! Of course, I had to write a blog post about this
event. For months now, Microsoft has warned its customers that XP won’t be
supported starting from today. Do you remember: Windows XP was available
on floppies and had, in the beginning, no native USB support! What
does it mean today? From an end-user’s point of view, their computer will
not collapse! No need to repeat some voodoo formulas, it will boot
again and work like yesterday… Except if something bad happens. In this
case, Microsoft won’t help you (instead they will be very happy to
propose you an upgrade to Windows 8.1). Well, this is not 100% true: Microsoft is still ready to “offer” you some support if you subscribe to their Premium Service program! (Business is business)
Things are nastier from a security point of view! Your computer will still run but will be vulnerable to new attacks. By “new”
I mean the ones that will be discovered (because XP will be a very nice
target, seeing its installed base – see the graph below). But I’m also
pretty sure that some vulnerabilities have been discovered for a while
and kept below the radar, ready to be used in the wild. And this may
occur as soon as tomorrow. People are still migrating to a
newer operating system and the attack surface will shrink over
time. From an attacker’s perspective, this is the right time!
But, is this old Windows XP still a
problem? People had quite a long time to switch to an alternative OS,
right? Have a look at the following statistics. They come from the blog
and are based on the last 30 days:
Based on Google Analytics, 11% of my
visitors are still using Windows XP! Based on my regular audience and
the content of this blog, I could expect people to have a “high-level profile”
like IT professionals, infosec people, etc. Those people should have got
rid of XP a while ago. Ok, let’s reduce this number by a few percent
due to fake User-Agents used by some of you, or bots and crawlers. Let’s
make a final estimation of 7-8%? This remains a huge amount of
vulnerable computers (my blog does not generate a lot of traffic). I’m
curious to see statistics for big players on the web… Can somebody
share?
If you’re still using XP today, have a
look above your head: there is a sword of Damocles! Windows XP was not
only used on desktop computers. There are plenty of services still
running on top of it:
- Bank ATMs
- Medical devices
- SCADA systems
- PoS
- Kiosks
- …
What can you do against this? First
reaction: upgrade as soon as possible (for laptops & desktops).
Installations like medical devices have a bad reputation for not being
easily upgradable (or not upgradable at all). In all other cases, security best
practices apply as usual:
- Locate devices running XP on your network! It may sound stupid, but many companies don’t know which devices are connected to the LAN!
- Prohibit those devices or isolate them in a separate network zone. NAC (“Network Access Control”) solutions can be useful to put them in a dedicated & hardened VLAN
- Disconnect them from the Internet
- Don’t run “services” on them
- Don’t surf from them
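One cheap way to start both tasks (measuring the XP share of your visitors while discounting bots, and locating XP hosts on your own LAN) is to look at User-Agent strings in web server or proxy logs: Windows XP identifies itself as “Windows NT 5.1” (and the 64-bit edition, like Windows Server 2003, as “Windows NT 5.2”). The script below is an added example, not code from the original post; it assumes Apache/Nginx combined log format, uses a small constructed sample instead of real traffic, and uses a deliberately simple bot filter (any User-Agent mentioning bot, crawler or spider). A spoofed User-Agent will of course fool it, which is exactly the caveat raised above, so treat the result as a lower bound and confirm hits with a proper inventory.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic):
# client IP first, User-Agent as the last quoted field.
SAMPLE_LOG = """\
10.0.1.12 - - [08/Apr/2014:09:12:01 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.1.40 - - [08/Apr/2014:09:12:05 +0200] "GET /feed/ HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
10.0.1.12 - - [08/Apr/2014:09:13:10 +0200] "GET /about/ HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
10.0.2.7 - - [08/Apr/2014:09:14:00 +0200] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.3.3 - - [08/Apr/2014:09:15:30 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.1.55 - - [08/Apr/2014:09:16:00 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36"
10.0.4.9 - - [08/Apr/2014:09:17:00 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.2; rv:28.0) Gecko/20100101 Firefox/28.0"
"""

# Combined log format: the client IP is the first field, the User-Agent is
# the last double-quoted field on the line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<ua>[^"]*)"$')
# Windows NT 5.1 = Windows XP; Windows NT 5.2 = XP x64 / Windows Server 2003.
XP_RE = re.compile(r'Windows NT 5\.[12]')
# Crude crawler filter (assumption: anything self-identifying as a bot).
BOT_RE = re.compile(r'bot|crawler|spider', re.IGNORECASE)


def parse_log(text):
    """Yield (client_ip, user_agent) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group('ip'), m.group('ua')


def xp_share(text):
    """Return (xp_requests, non_bot_requests, xp_percentage) for the log text.

    Bot and crawler requests are excluded from the denominator, which is the
    correction the post applies by hand to its Google Analytics figure.
    """
    xp = human = 0
    for _ip, ua in parse_log(text):
        if BOT_RE.search(ua):
            continue
        human += 1
        if XP_RE.search(ua):
            xp += 1
    pct = round(100.0 * xp / human, 1) if human else 0.0
    return xp, human, pct


def xp_hosts(text):
    """Return sorted (client_ip, request_count) pairs for clients with an XP User-Agent.

    On an internal proxy or intranet server log this is a first inventory of
    XP machines on the LAN that still need to be isolated or upgraded.
    """
    counts = Counter(ip for ip, ua in parse_log(text) if XP_RE.search(ua))
    return sorted(counts.items())


if __name__ == '__main__':
    xp, total, pct = xp_share(SAMPLE_LOG)
    print(f'XP requests: {xp}/{total} non-bot requests ({pct}%)')
    for ip, n in xp_hosts(SAMPLE_LOG):
        print(f'  XP client {ip}: {n} request(s)')
```

Point it at a real access log by replacing `SAMPLE_LOG` with the file contents; the percentage is per request rather than per visitor, so a single chatty XP host will inflate it, which is another reason to look at the per-IP list rather than the headline number.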
Finally, if you have old applications, test them on a newer OS in the “Windows XP” compatibility mode. Please take actions today!