Security Watch

End of XP As We Know It

Plus: Microsoft cozies up to Russia, China on security; virtualization's security shortcomings.

• By Jabulani Leffall
• 07/12/2010

Patch Tuesday, July 13, 2010 is the day of reckoning for Windows XP Service Pack 2. That's right -- no more security patches for that version of the Windows OS. What's included among the four security patches is a fix for what will be the last XP SP2 patch ever. This is significant because all the relevant applications -- Internet Explorer, Office, Windows Media Player etc. -- on this OS will cease to be patched as well.

IT administrators running in an XP environment and XP users must either find stopgaps or update to XP SP3 completely. Or even Windows 7, as most security experts advocate bunny-hopping Vista, due to its less than stellar security application.

Redmond's XP SP3 Migration Guide
Microsoft is providing details here on how to upgrade to XP and Windows 7. There's one exception in the upgrade: Because there is no XP SP3 iteration for the 64-bit version of the OS, users can continue to receive security updates if they're running XP SP2 of that particular edition.

The key question going forward will likely surround Internet Explorer, which during the first half of 2010, saw exploits spike. Mozilla, Google, Apple and Opera will continue shipping fixes for XP with Firefox, Chrome, Safari and Opera browsers sitting on them.

Microsoft in Bed with Russians
I've mentioned in this column that Microsoft has gotten cozy with the U.S. government, sharing information and collaborating on IT security. Microsoft is now furthering its collaboration aims globally with its Government Security Program.

Under that program Redmond is vibing with the Russian Federal Security Service, even giving that agency a look-see into its source code of Windows Server 2008 R2, Office 2010 and SQL Server. The software giant had already opened up source code secrets with the Russians in 2002 for XP, Windows 2000 and Windows Server 2000. This comes after Microsoft cut similar pacts with China in 2003, updating its source code sharing agreement this year as well.

Microsoft obviously is looking for some cooperation on investigating breaches, piracy and exploits that are frequent in these countries, so it will be interesting to see if such aims backfire, given the proliferation of knowledgeable hackers in those locales who are getting increased access to the software giant's architecture.

Access Controls Needed for Virtualization
Virtualization is said to offer a more nimble system. But with that also comes a more malleable and vulnerable operating environment, one security pro tells me.

The key here is going to be whether it's easier to hack a virtual system and commandeer administrative credentials, says Brian Anderson, CMO of IT security group BeyondTrust.

"The majority of virtualized servers are substantially less secure than their physical counterparts, but the cost benefits are so powerful, IT is forced to turn a blind eye to security shortcomings," Anderson said. "The results are that security processes, technologies and policies either don't apply, aren't effective, or just don't have visibility into the hypervisor layer."

Anderson point to the ease with which crooked IT administrators can easily circumvent monitoring tools, flout regulations, and access or copy sensitive data freely using the hypervisor to cloak their actions.

If data images are undetected in the hypervisor, they have unlimited, unmonitored access to millions of dollars worth of data.

That's not virtual bad news; that's actual bad news and definitely something that admins considering virtual environments or hybrid PC and virtual server environments should look into.