Windows XP hackers prep for April 8 end of security patching

A shopper browses Windows goods. (courtesy Microsoft)

By Byron Acohido, Last Watchdog

KINGSTON, Wash. — A huge opportunity for hackers to infiltrate thousands of SMBs and enterprises is about to open up.

More specifically, the juicy targets include any company or organization still using Windows XP servers, desktops and laptops — anywhere inside a corporate network — after April 8.

That’s the date when Microsoft will no longer issue security patches, nor provide any technical support, for XP. Microsoft has been clanging the warning bell for more than a year, including posting this countdown clock.

“Unsupported systems provide a target-rich environment that will allow for cyber criminals to create an exploit and leverage it without the threat of it being shut down by security patching,” says Vinny Sakore, Cloud Security Program Manager at ICSA Labs.



Experts say approximately 30% of the small retailer market still uses point-of-sale systems running Windows XP. “We believe that many cyber criminals are currently scanning retailers and other point of sale vendors to locate easy targets,” Sakore says.

The software giant wants XP-using SMBs and enterprises to bite the bullet and upgrade to Windows 8. In most cases that will require upgrading PC hardware and signing a refreshed software license with the Redmond tech giant. That should translate into hundreds of millions of dollars in fresh revenue for Microsoft and its hardware partners.

Yet despite the alerts, many companies won’t get around to dumping XP until later this year, and some might very well push it out to 2015 and beyond. Qualys CTO Wolfgang Kandek has been monitoring enterprise usage of Windows XP since January 2013.

Profound global exposure

Kandek tells Last Watchdog that the installed base of Windows XP users is currently at about 14%. That’s down from 16% in January 2014 and 35% in January 2013. He projects that the installed base of Windows XP will be at 10% in April.



Keep in mind this metric only counts corporate computers directly monitored by Qualys, which is a leading supplier of cloud-delivered vulnerability management services. Worldwide, the percentage will likely be higher. “Our customers are more security-aware than average, so 10% is probably an optimistic number,” Kandek says.

This exposure is profound. Estimates of how many XP computers remain in active use vary. It’s probably in the neighborhood of 300 million to 500 million. Kandek points out that 70% of the security updates Microsoft releases on the second Tuesday of each month typically apply to XP. And that pattern is expected to continue.

These patches lock down freshly discovered security holes, referred to as zero-day vulnerabilities. Each fresh batch of patches, from May onward, will be a roadmap for the bad guys showing the way to Internet-connected XP machines that are, in effect, unpatchable.

“I’m predicting that exploit kit authors and opportunistic attackers will be quick to take advantage of newly discovered vulnerabilities after support expires,” says Lucas Zaichkowsky, Enterprise Defense Architect at AccessData. “I’d expect there to be a significant, high profile attack involving vulnerable Windows XP systems to happen as early as this year. Only then with all the media coverage will organizations make it a priority to upgrade equipment.”

Something that should drive companies to make the dumping of XP machines a priority is that after April 8, XP machines won’t meet the Payment Card Industry Data Security Standard. One PCI-DSS rule calls for machines used to collect and store personal data to be current on all available security updates. PCI-DSS is the industry standard set by Visa, Mastercard, Discover and American Express to impose data-handling security responsibilities on merchants.

EMET bandaid

But after April 8, Windows XP computers will be, for all intents and purposes, unpatchable. Having even one Windows XP computer tied into a network will be dangerous after April 8. “If I can infect that machine, I’ll have a beachhead inside your network,” says Kandek.

It’s probably a safe bet to assume that elite cyber crime gangs and nation-state sponsored cyber spies are gearing up to take full advantage. “This is really a good opportunity to get a foothold inside a network through Windows XP and I don’t see how the bad guys could pass this up,” says Kandek.

Microsoft has supplied something of a life preserver, a free service awkwardly named the Enhanced Mitigation Experience Toolkit. The service keeps track of Windows processes and will block installation of known malicious programs.

“EMET is not hard to use. You have to install it, it runs in task bar, and you have to decide if you want only alerts, or if you want to automatically abort bad processes,” says Kandek. “I’ve run it for a year or so and not had any negative experiences with it.”

EMET is not 100% foolproof, however. At the RSA Conference last month, researcher Jared DeMott from security startup Bromium demonstrated a way to successfully bypass several key EMET protections.

So in addition to using EMET, Girish Bhat, Director of Product Marketing for Wave Systems, recommends removing unnecessary software and drivers from XP units, limiting administrator rights on XP machines, and isolating XP machines and the applications that need XP resources.

“Try to ensure that critical applications do not run on XP machines,” Bhat says. “If they must continue to run, try ensuring that they are not connected to the external network and ensure proper access control.”
