Microsoft Offers Security Tips for Windows XP Holdouts
Microsoft offered some security tips today for individuals and organizations that plan to continue to use Windows XP after April 8.
Mostly, company officials have promoted upgrading to Windows 7 or Windows 8.1 before Windows XP loses "extended support" on April 8. After that date, systems running Windows XP are considered "unsupported" and won't get monthly security updates from Microsoft, although organizations willing to pay for Microsoft's "custom support" services can get security fixes on an ad hoc basis.
Windows XP continues to be widely used, despite the potential security implications of losing product support. Data from Net Applications showed global Windows XP use in February at 29.53 percent, although StatCounter's data indicated about half that amount at 17.15 percent. Windows XP use tends to vary by country. For instance, China had 48.02 percent Windows XP use, while the United States had 10.73 percent, per February StatCounter measurements.
Some organizations apparently won't relinquish Windows XP, except from their cold dead hands. Tim Rains, director of the Trustworthy Computing Group at Microsoft, said that he has "talked to some small businesses and individuals that don't plan to replace their Windows XP systems even after support for these systems ends in April." He offered tips for those planning to go ahead with such plans, although he suggested they were temporary measures.
Five Scenarios To Address
Rains said that Windows XP users will face five risk scenarios after April 8. In response, he suggested that such Windows XP users should limit using the OS to access the Internet. They should avoid using the OS for opening attachments to e-mail or instant messaging services. They should avoid attaching removable drives to Windows XP machines. In addition, the firewall should permit exceptions only for essential programs and services. Lastly, Windows XP users after April 8 will face an increased threat of "ransomware," which can encrypt user data, holding it for ransom. He suggested setting up frequent system backups to address that possible threat scenario.
As a temporary solution for continued Web access using Windows XP, organizations could restrict Internet access to specific Web sites, Rains suggested. However, building such a whitelist could prove tedious. Rains added that "Changing browsers won't mitigate this risk as most of the exploits used in such attacks aren't related to browsers."
Rains also suggested blocking access to USB ports on Windows XP systems as a way to fend off "Autorun attacks."
Of course, Rains' advice might make continued Windows XP use impractical for many organizations and individuals. The impracticality might be the tacit point behind his tips.
Microsoft will continue to issue antimalware signatures for its Microsoft Security Essentials antivirus solution, although that program won't be available for download after April 8, according to a Microsoft announcement. Microsoft will continue to deliver those antimalware signatures through July 14, 2015, although Microsoft describes the protections afforded to an unsupported OS as "limited."
Other antimalware software vendors have pledged to provide antimalware signatures for Windows XP for longer periods of time, and AV-Test has a list of those vendors compiled at this page. One of those vendors, Avast, has complained about Microsoft's expiring support for Windows XP, suggesting that the unsupported OS could serve as a future infection point for non-Windows XP systems.
F-Secure's Windows XP Checklist
Security solution vendor F-Secure has provided its own checklist for Windows XP users after April 8. In a "Threat Report" for the latter half of 2013, F-Secure offered a more relaxed view on Windows XP's coming loss of product support, at least for home users.
"Folks that continue to use XP at home can do so with some reasonable amount of safety, for a while still, but they absolutely need to review their Internet (particularly web browsing) and computing habits," the report states (p. 13).
F-Secure offered eight tips. First, Windows XP users should avoid using Internet Explorer after April 8, according to F-Secure. That advice is also repeated by AV-Test. Rains had dismissed such suggestions in his tips, saying that using a different browser wouldn't necessarily address the vulnerabilities that are associated more with the risks of continuing to use an unpatched OS. Both Mozilla and Google have promised extended support for Windows XP with their browsers, but Microsoft's Internet Explorer 8 (the last supported Microsoft browser on that OS) will lose product support on April 8.
F-Secure recommended tightening up the security of Microsoft Office if it's used with Windows XP after April 8. Old software should be cleared off a system, including any browser plug-ins. PDF file handling should include dialog boxes for end users as a precaution. Java can be removed from a system if not needed. Home systems should be connected to a network address translation server, "which will act as a hardware firewall," according to F-Secure. Lastly, F-Secure advises upgrading the OS to Windows 7 or Windows 8.
Windows XP users will get a popup notice on April 8, telling them that the OS is no longer supported. Organizations using Microsoft's Windows Server Update Services (WSUS), Configuration Manager or Windows Intune software likely won't see this update, according to a Microsoft blog post. However, if the popups do appear, a registry change can make them go away, Microsoft explained.
Migrations from Windows XP to Windows 7 or Windows 8 require so-called "clean installs" of the OS, which do not permit the transfer of settings and programs to the new OS. However, the old PC's data can be archived and transferred over to the new machine using the free tool for consumers that's offered by Microsoft and Laplink.
Some other Windows XP components will be affected by the end-of-support date. Windows XP Mode for Windows 7, which allows Windows XP to run in a virtual machine atop Windows 7 systems, also loses support on April 8. Similarly, the Microsoft Enterprise Desktop Virtualization (MED-V) solution used with Windows XP won't be supported after April 8.
A bunch of other Microsoft products lose extended support on the April 8 date, too, including Outlook 2003, Exchange 2003, Exchange 2010 Service Pack 2 and Office 2003. Windows XP Embedded products have an additional two-year shelf life, though.
Microsoft offers more end-of-product-lifecycle details for Windows XP users at this page.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.