Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers

It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP.  Released in 2001, the support policy for the life of Windows XP soon followed in October 2002.  In September 2007, we announced that support for Windows XP would be extended an additional two years to April 8 2014.  We are very clear about the lifecycle of our products, deliberately communicating this information years in advance, because we know customers need time to plan for changes to their technology investments and manage upgrades to newer systems and services.

We’ve also focused on communicating regularly, such as an article posted in August of last year.  That piece focused on the fact that supported versions get security updates that address any newly discovered vulnerabilities, which Windows XP won’t receive after April 8, 2014.  This means that running Windows XP when the product is obsolete (after support ends), will increase the risk of technology being affected by cybercriminals attempting to do harm.  This blog post continues on from that article, and also provides guidance to consider as people look ahead.

Many of the enterprise customers I’ve talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8.  However, I’ve also talked to some small businesses and individuals that don’t plan to replace their Windows XP systems even after support for these systems ends in April.  In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so.

The cyber threats discussed here are based on data and insights from recent volumes of the Microsoft Security Intelligence Report.  This report includes aggregate data on the threats that hundreds of millions of systems around the world encounter – many of which are successfully blocked by Microsoft antivirus software and the security features built into Windows, Internet Explorer, Bing, and other Microsoft products and services. This data gives us a good picture of the tactics that attackers have been using to try to compromise computer systems, including which attacks are used most often on Windows XP systems.  The information then helps Microsoft and antivirus security companies develop ways to combat those attacks.  From the year that Windows XP was built, cyber attacks have increased in sophistication.  Systems receiving regular updates get the protections they need based on the latest cyber threats.  But at some point an older model of any product will lack the capability to keep up and becomes antiquated.  Obsolescence for Windows XP is just around the corner.

What Motivates Cyber Attackers?
Attackers’ motivations have changed over the past decade.  Ten years ago attackers were primarily motivated by making a name for themselves through notoriety for each malicious act they completed.  Today, attackers typically steal personal and business information from the systems they go after and try to keep a lower profile, as the goal is financial profit more regularly than mischievous disruption or ego.  The attackers that steal the information from computer systems sometimes choose to trade or sell that stolen information to other criminals to use for identity theft and bank fraud schemes.  And, access to compromised computer systems is often sold or leased by attackers to other criminals to perpetrate more crimes against additional unsuspecting victims, while providing anonymity to the original criminals.

Microsoft Security Innovations made it Harder for Cyber Attackers to be Successful
Following Windows XP’s release and through 2004, there were several cyber attacks that gained widespread awareness in news outlets and with many customers.  In the wake of those computer virus attacks, Microsoft invested further in several important security protections and turned existing improvements (called “mitigations” by security experts) in order to better protect customers that were running Windows XP.  This protection push resulted in a major update called Windows XP Service Pack 2, which was released in 2004.  One of the security mitigations that was turned on in Service Pack 2 was a feature called Windows Firewall. This helped stop many of the attacks that were common at that time and made it much harder for attackers to violate Windows XP systems.  Our security intelligence report shows that the time between major attacks extended in length after Windows XP Service Pack 2 was released, proving that Service Pack 2 provided more protections than prior versions of Windows XP.

The Usual Suspects – Threats to expect against Windows XP
The types of attacks that we expect to target Windows XP systems after April 8th, 2014 will likely reflect the motivations of modern day attackers.  Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues.  Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any  newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.

Here’s a list of risks that Windows XP based systems might encounter over time, along with some guidance to help small businesses and individual consumers temporarily protect themselves against cyber attacks while moving to a modern operating system:

RISK #1: SURFING THE INTERNET:  New exploits for Windows XP will likely be added to cybersecurity exploit kits that are sold/leased to attackers.  Exploit kits make it easy for professional and novice attackers alike to build malicious websites that try to install malware on systems that visit those sites.  Surfing the Internet on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP are distributed among attackers via exploit kits.

Guidance: Since browsing the Internet is a risky proposition if running on out-of- support systems like Windows XP after April, small businesses and consumers should limit where they go to on the Internet to help manage the risk.  Limiting the specific websites these systems can get to on the Internet, or simply not using Windows XP systems to connect to the Internet, will reduce the probability of compromise via a malicious website.  Important note: Changing browsers won’t mitigate this risk as most of the exploits used in such attacks aren’t related to browsers.

RISK #2: OPENING EMAIL AND USING INSTANT MESSAGING (IM): Many attacks typically start with a well-constructed phishing attack via email.  The email will likely contain the Internet address (also known as a URL) to a malicious website that has been constructed for unsupported Windows XP based systems.  The email could also have a specially crafted malicious attachment that when opened, exploits an unpatched Windows XP vulnerability, potentially giving attackers control of the system.  Attackers have also used Instant Messaging (IM) to deliver malicious URLs and attachments.  Opening email or using IM on Windows XP based systems after April 8th, 2014 will become more risky as new exploits for Windows XP may be integrated into phishing attacks, malicious emails and IMs.

Guidance: Malicious e-mail messages are a very common tactic attackers use to gain entry to systems.  Given this, it would be prudent to avoid using Windows XP systems to send or receive email.  Avoid clicking on links or opening attachments sent via email or IM.  Important note: Using a different email or IM program likely won’t mitigate this risk as these attacks are typically in the content of the messages themselves, not a vulnerability in a specific email or IM program. 

RISK #3: USING REMOVABLE DRIVES:  Attackers can attempt to use USB drives and other types of removable drives to distribute malware that seeks to leverage new vulnerabilities in Windows XP to compromise systems.

Guidance: This is a common way that Windows XP systems get infected with malware.  Some customers have decided to physically block access to USB ports on systems in their organizations in an attempt to block this type of threat.  Connecting removable storage devices to Windows XP systems should be avoided. More information is available in this article: Defending Against Autorun Attacks.

RISK #4: WORMS WILL USE ANY NEWLY DISCOVERED VULNERABILITIES TO ATTACK WINDOWS XP: Malware purveyors will likely integrate new vulnerabilities targeting Windows XP, into malware that tries to multiply.  The success of the virus named Conficker, to infect systems in enterprise environments, illustrates that security firewalls and strong password policies are still not comprehensively used.  Organizations that continue to run Windows XP after support ends, should be on guard for this type of threat in their environment, which is typically introduced into systems by infected USB drives in an attempt to get past firewalls.

Guidance: Review any exceptions you allow, through firewalls, in your environment. Only keep the exceptions in your firewall rules that you really need.  Follow the earlier guidance to limit removable drive use on Windows XP systems. Use strong passwords on your systems that can’t be easily guessed.

RISK #5: RANSOMWARE:  We have seen a large uptick in ransomware in recent years.  Attackers use this type of malware to extort users into paying them to unencrypt files that the malware has encrypted on their system, or to unlock the system’s desktop.  After April 2014, attackers will likely attempt to use unpatched vulnerabilities on Windows XP based systems to distribute ransomware.  This type of attack can have a crippling impact on small businesses and consumers that lose access to important data or systems.

Guidance: Restoring data from backup is a good way to recover from a ransomware infection.  More frequent backups of data stored on Windows XP systems or that Windows XP systems have access to, would be prudent after April.

 

So What Should You Do?
The guidance above provides suggestions towards managing some of the risks of running Windows XP post April 8.  However, the primary thrust of our advice is clear: the best option is to migrate to a modern operating system like Windows 7 or Windows 8 that have a decade of evolved security mitigations built in and will be supported after April 8, 2014.

Upgrade Advice
For customers considering upgrading a device designed to run Windows XP, we recommend purchasing modern hardware – from touch laptops to tablets to all-in-ones – to take full advantage of the features and touch-based user interface available in Windows 8 or later systems.  Modern devices are not only faster and have greater performance than devices running older operating systems, but come with greater security features, new and improved networking tools for when you’re on the go, modern apps and more.

If a customer wants to upgrade an existing machine to Windows 8.1, upgrade activities depend on what current operating system is on the machine, and the capabilities of that hardware.  System requirements to install a new operating system can be found here.

  • Computers running Windows 8 can be updated to Windows 8.1 via the Windows Store (for consumers) or using media (for larger organizations with volume licensing).
  • Computers running Windows 7 can be upgraded to Windows 8 using media, then updated to Windows 8.1 (using the process above).
  • Computers running Windows XP cannot be upgraded in-place to Windows 7, Windows 8, or Windows 8.1. A clean install is necessary, although user data can be migrated. 

For customers who are unsure of what version of Windows they are using, visit AmIRunningXP.com, a website designed to automatically tell if a computer is running on Windows XP or a newer version of Windows like Windows 7, Windows 8 or Windows 8.1.  If it detects Windows XP, the website provides guidance on how to upgrade ahead of the April 8th end of support deadline.

Additional information on the end of support for Windows XP and how to upgrade can be found here.

Tim Rains
Director
Trustworthy Computing Group

About the Author
Tim Rains

Director, Cybersecurity & Cloud Strategy

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft. His expertise ranges Read more »