Microsoft Windows XP - End of Life / End of Support

A Q&A with Cristian Florian, Product Manager For GFI LanGuard On Security Implications & Planning Ahead

With Windows XP End of Life & End of Support just around the corner (8^th of April 2014), companies around the globe are trying to understand what the implications will be for their business continuity and daily operations, while IT Managers and Administrators (not all) are preparing to deal with the impact on users, applications and systems.

At the same time, Microsoft is actively encouraging businesses to migrate to their latest desktop operating system, Windows 8.

One could say it’s a strategy game well played on Microsoft’s behalf, bound to produce millions of dollars in revenue, but where does this leave companies who are requested to make the hard choice and migrate their users to newer operating systems?

Do companies really need to rush and upgrade to Windows 7 or 8/8.1 before the deadline? Or do we need to simply step back for a moment and take things slowly in order to avoid mistakes that could cost our companies thousands or millions of dollars?

 Parallel to the above thoughts, you might find yourself asking if software companies will continue deliver support and security patches for their products; a question that might be of greater significance for many companies.

To help provide some clear answers to the above, but also understand how companies are truly dealing with the Windows XP End of Life, Firewall.cx approached GFI’s LanGuard product manager, Cristian Florian, to ask some very interesting questions that will help us uncover what exactly is happening in the background… We are certain readers will find this interview extremely interesting and revealing….

Interview Questions

Hello Cristian and thank you for accepting Firewall.cx’s invitation to help demystify the implications of Windows XP End of Life and its true impact to companies around the globe.

Response:

Thank you. Windows XP’s End of Life is a huge event and could have a significant security impact this year. So it will be important for companies to know what the risks are and how to mitigate them.

Google said that Chrome support for Windows XP will continue until April 2015. Adobe, however, will release the last version of Adobe Reader and Acrobat that still supports Windows XP in May 2014.

Microsoft will continue to provide antimalware definition updates for Windows XP until July 2015, and all major antivirus vendors will continue to support Windows XP for a period of time. Some of them have stated that they will support it until 2017 or 2018. Antivirus support is important for XP but one note of caution is that antivirus alone does not offer full protection for an operating system. So while supporting Windows XP is commendable, vendors need to be careful that they do not offer a false sense of security that could backfire on them and hurt their reputation.

We will continue to provide patch management support for Windows XP. For as long as customers use XP and vendors release updates compatible with the OS, we will do what we can to keep those systems updated and as secure as possible. What is important to note is that this is simply not enough. The necessary security updates for the operating system will no longer be available and these are crucial for the overall security of the system and the network.

A GFI LanGuard trial offers unlimited network discovery and it can be used to track free of charge all Windows XP systems on the network. IT admins can use these reports to create a migration plan to a different operating system.

In 2013 and the first quarter of 2014, Microsoft released 59 security bulletins for Windows XP; 31 of which are rated as critical. The National Vulnerability Database had reported 88 vulnerabilities for Windows XP in 2013, 47 of them, critical. A similar number of vulnerabilities is expected to be identified after April 8, but this time round, no patches will be available.

Part of the problem is due to the popularity of Windows XP. Because it is used so widely, it is a viable target for malware producers. It is highly probable that a number of exploits and known vulnerabilities have not been disclosed and will only be used after April 8 – when they know there won’t be any patch coming out of Microsoft.

There are only two options: either upgrade or retire the systems altogether. If they cannot be retired, they should be kept offline.

Third, compliance. Companies that are using operating systems not supported by the manufacturer are no longer compliant with security regulations such as PCI DSS, HIPAA, PSN CoCo and others. They can face legal action and worse if the network is breached.