SANS ISC InfoSec Forums - SANS Internet Storm Center

SIR v15: Five good reasons to leave Windows XP behind

No, it's not because I work for MSFT and want you to upgrade for selfish reasons. :-) It's because it really is time.

If you need a strong supporting argument and five good reasons to upgrade, look no further than the Microsoft Security Intelligence Report v15 released today. All you need to do is CTRL+F this doc and search for Windows XP to see what I'm talking about. Here, I'll help, as ripped directly from the SIR v15:

  1. 9.1 computers cleaned per 1000 scanned by the Malicious Software Removal Tool (MSRT) were Windows XP SP3 32-bit, more than any other system cleaned.
  2. Windows XP SP3 holds the top spot for infection rate (9.1 CCM) even though it actually has a lower encounter rate (percent of reporting computers) than Windows 7 SP1.
  3. The disparity between the two metrics above highlights the importance of moving away from older operating system versions to newer, more secure ones. Computers running Windows XP in the first half of 2013 encountered about 31 percent more malware worldwide than computers running Windows 8, but their infection rate was more than 5 times as high.
  4. #1 threat family affecting Windows XP SP3? INF/Autorun. Yes, that autorun, used by worms when spreading to local, network, or removable drives. Doesn't work on modern versions of Windows in their default configuration.
  5. Windows XP extended support ends April 8, 2014. That means no more patches, people.
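Points 4 and 5 above are the two a defender can actually check on a host today. The script below is an added example, not part of the SIR v15 or of this post: it reports whether a machine is still Windows XP, how many days remain until the end-of-support date quoted above, and whether the AutoRun policy value is set to disable autorun.inf on every drive type. It uses the documented `NoDriveTypeAutoRun` policy value under `Policies\Explorer` (a bitmask of drive types; 0xFF disables AutoRun on all of them) and reads the OS through `Get-WmiObject` so it runs on XP's PowerShell 2.0 as well as on Windows 7 and 8. The function name `Get-XpMigrationStatus` and the `Action` wording are my own.

```powershell
# Added example (not from the SIR v15 or this post): audit one Windows host for
# the two checkable points above -- is it still XP, and is AutoRun actually off?
# Written for Windows PowerShell 2.0+, so it also runs on Windows XP SP3.

function Get-XpMigrationStatus {
    param(
        # End of extended support for Windows XP, as stated in the post.
        [datetime]$XpEndOfSupport = [datetime]'2014-04-08',
        [datetime]$Now = (Get-Date)
    )

    # Get-WmiObject rather than Get-CimInstance so the check works on XP (PowerShell 2.0).
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $isXp = ($os.Caption -match 'Windows XP') -or ($os.Version -like '5.1*')

    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
    # 0xFF (255) disables it for every drive type. The machine policy (HKLM) wins
    # over the per-user value (HKCU), so it is consulted first.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $autoRunMask = $null
    foreach ($path in $policyPaths) {
        $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $autoRunMask = [int]$item.NoDriveTypeAutoRun
            break
        }
    }

    if ($autoRunMask -eq $null) {
        # No explicit policy: XP honours autorun.inf on removable drives unless updated,
        # Windows 7 and later ignore it for non-optical media by default.
        $autoRunText = 'not set (OS default)'
        $autoRunOff  = $false
    } else {
        $autoRunText = '0x{0:X2}' -f $autoRunMask
        $autoRunOff  = (($autoRunMask -band 0xFF) -eq 0xFF)
    }

    if ($isXp) {
        $action = 'Migrate before end of support; until then enforce NoDriveTypeAutoRun = 0xFF'
    } elseif (-not $autoRunOff) {
        $action = 'Supported OS; consider enforcing NoDriveTypeAutoRun = 0xFF by Group Policy'
    } else {
        $action = 'OK'
    }

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        OperatingSystem = $os.Caption
        Version         = $os.Version
        IsWindowsXp     = $isXp
        DaysUntilXpEos  = [math]::Floor(($XpEndOfSupport - $Now).TotalDays)
        AutoRunPolicy   = $autoRunText
        AutoRunFullyOff = $autoRunOff
        Action          = $action
    }
}

# Usage: run locally, or wrap in Invoke-Command / a logon script to collect from a fleet.
Get-XpMigrationStatus | Format-List
```

Run across an estate, the `IsWindowsXp` and `AutoRunFullyOff` fields give the two numbers a migration plan needs first: how many hosts go out of support on April 8, 2014, and how many of them are still exposed to the INF/Autorun family the SIR ranks first for XP SP3.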

As I sat in the dentist's chair today for my cleaning and viewed my X-rays on a Windows XP machine I thought about a comment from Tim Rains of Microsoft's Trustworthy Computing organization: "XP has been a beloved operating system for millions and millions of people around the world, but after 12 years of service it simply can't mitigate the threats we're seeing modern-day attackers use." Survival rate for systems running Windows XP after support ends? Non-existent. Don't believe me? Also per Tim: "In the two years after Windows XP Service Pack 2 went out of support, its malware infection rate was 66 percent higher than Windows XP Service Pack 3 - the last supported version of Windows XP."

It's time, folks. It's going to be hard for doctors and dentists to be certain :-), but migration is in order. What would Patton say (thanks TJ)? "A violently executed plan today is better than a perfect plan expected next week." That should be your plan to migrate off Windows XP.

Russ McRee
204 Posts
ISC Handler
Oct 30th 2013
I absolutely agree with Russ.

We have been advising our clients for 12+ months to plan for and implement upgrades to Windows 7 (or Windows 8). We conduct 1,000s of vulnerability scans for our clients, and our data shows that the average Windows XP computer has 18.57 critical and high severity vulnerabilities (based on CVSS scoring). The average number of critical and high severity vulnerabilities per Windows 7 (and 8) host is currently 0.36. We fully expect that the 0.36 for Windows 7 (and 8) will rise over time, but for now it's a no-brainer from a security perspective.

Upgrading to Windows 7 (or 8) is less expensive than trying to patch and secure the XP machine.
Evan Francen

1 Posts
29 Oct 2013
... Malware Infection and encounter rates for Windows operating systems during 2Q13
But then, there is this:
September, 2013
... Win7 - 46.39%, XP - 31.42%, Win8 - 8.02%, Vista - 3.98%.

I'm sure most would like to dump XP right now, but I think we know it's "easier said than done", especially since it still "works". Instant answers aren't always available.

34 Posts
Better still, check out your Windows machines and get a Mac.
3 Posts
True. Windows has better support for auditors and enterprise controls though. You can tell the auditors, my OS is secure, but they are still going to drag you over the coals about all the controls they have listed in their checklists. Stinks, but it's a fact of life. Security by policies and massive binders will take a long time to die, I'm afraid.

88 Posts
"It's going to be hard for doctors and dentists to be certain :-),"

Doctors and Dentists??!! Let's talk about SCADA and the thousands of controllers that just, yes, just upgraded out of 98.. Though I will not put their full name in.. Joh Controls. Hwell and others. Reason for this emulation issue, >80% have not upgraded the software or worse the firmware. I speak for fact, have a nuclear plant just south, still needs 98 on COM, they can't enumerate DB files via a secure tunnel, instead, let's run out there.. pop in the ole null modem cable.. :rolleyes: Those that work in refineries, oil patch, electric grid chime in... it is "syntax error". The last company I said, look, free $$$ and upgrade in the process, helping all.. Well... as the metaphor comes into focus, no good deed goes unpunished.. lost my job for pushing the vendor. REALLY? But I digress..

52 Posts
Russ, the concept of upgrading is not under debate, the end user has no choice in the matter at this stage, not if they are running things like online banking or the like. The big issue I am seeing is the total cost of the upgrade for a small business that's been hard hit by the recession, and whose owner doesn't see any good reason to upgrade, in that their present machine is performing acceptably, as are the applications that are running on it.

For many XP users, to upgrade to W7 or W8 is going to mean a big cost, and a steep learning curve in some areas, and the end result visible to the user will not be significantly different to what they see now, and in some cases, achieving the same result will not be as easy as it is now under XP.

Many XP based machines will not easily upgrade to W7 or W8, because the newer operating systems are memory hogs, and many XP generation machines can't be upgraded to have more than 2 GB of memory, and 7 or 8 on 2 GB is not going to be a nice experience.

So, if the motherboard won't run a new OS, if it's an OEM machine, that could mean a new machine, in toto, and a new OS, and a new Office application because in some cases, it won't be legal to move the existing (probably 2003) Office to a new machine. That's going to introduce another whole world of hurt, as there are massive differences between 2003 and later versions of office.

Then there's the not insignificant matter of peripherals like printers and scanners that don't have W7 or W8 drivers, which could mean more spend, only to continue to achieve the same result as is happening now. That's very easy to justify when times are good, but hard when there's no certainty that the payroll can be paid this week!

Of course, the other option is "the cloud", but that is a route that could be fraught with problems; try telling a workforce that it's not possible to pay them this week because the broadband link was down, or similar. Not going to happen. "The cloud" for me is just a faster reincarnation of the bureau processing that was around 40 years ago, the only difference being that it's now faster line speeds; back then it was batch, using paper tape or punch card input, over 1200 baud lines. It was surprising what could be done using those methods, as long as the line was working, but look out if it failed! The same is true now: broadband may be a lot faster, but if it's not there, and the alternative has also been wiped out by some other scenario, or the cloud supplier has just declared themselves bankrupt (and yes it WILL happen), resolving some of those issues in order to regain access to the company database and applications will bring a whole new world of pain to the concept of disaster recovery. The other aspect is that even with the cloud, XP has to be replaced in order to remain relatively secure from the increasingly clever hackers and spoofers that abound.

So, next April is going to be a very challenging time for a lot of people.

Me, I'm looking at alternatives that allow me to maybe not use Microsoft any more, simply because the total cost of ownership for a small company is becoming way too high on a year on year basis.

I wonder what some large corporates are doing about this. On a Spiceworks digest last week, a techie mentioned that he has responsibility for a UK government department that is still using over 50,000, yes FIFTY THOUSAND XP based machines. If they have internet access, that's a world of pain just waiting to explode next April, unless there are some serious plans in place to mitigate the risks, and the implication of his comments was that there is no plan at the moment.

Oh the joys of modern computing. It was so much easier when the OS was 3 floppy discs of 1.4 MB each, and while modern Windows does a lot more than DOS 6.1 did, in certain areas, and for some users, the reality is that they could still do pretty much all they need under DOS, had it been upgraded to support the newer CPUs and things like USB. For commercial users, much of the bells and whistles of Windows is an unwanted bloat on a system that they don't use, and in some cases, if it wasn't there, there would be fewer hassles with hacks and employee abuse of time and facilities during working time, but that's a subject for another day.

Time to go before I get into even deeper and murkier waters.

1 Posts
"So, next April is going to be a very challenging time for a lot of people.

Me, I'm looking at alternatives that allow me to maybe not use Microsoft any more, simply because the total cost of ownership for a small company is becoming way too high on a year on year basis."

The smart corporations will know the risk, but then again, like the saying, the customer is always right once you train them. This was huge where I worked... as long as the PC turned on it could be Donkey-Kong (ok, dating myself). I too have moved more away from Billy Bob and into OS X, UNIX. If I need to run a security ridden OS, I can use Parallels on my machine. Billy could have fixed XP for 30% the cost of these two new OS; well, 7 is not new, but 8.. ask Steve.

Will be nice not to be held hostage under an individual that in the 70's did the same thing.. yes.. Billy.. your ticket is getting punched for how you got CodeSuite. Sadly IBM was too myopic to see the real world.. but then again... look at the initials.

52 Posts
Quoting Anonymous:Better still, check out your Windows machines and get a Mac.

Better still, check out your Windows machines and get a Linux box.
1 Posts
Quoting Anonymous:
Quoting Anonymous:Better still, check out your Windows machines and get a Mac.

Better still, check out your Windows machines and get a Linux box.

Neither of those are options if you have a Windows-trained workforce. Two people in my family just bought Mac Pro laptops and it has been the most frustrating thing we've ever experienced. Want a right-click context menu for Copy and Paste functions? Oh, that's there but it's turned off by default. Want to re-size an image to paste it in an email? You better learn to think in pixels because click-n-drag image resizing does not exist on a Mac. And the best one: Want the firewall turned on to protect your Linux-based Mac from the world? Yes, it's there but it's turned off by default. It's like Apple deliberately made common Windows tasks difficult to do on a Mac.

I work for a thousand-person company with a very high average age. We had very few issues in the XP to 7 transition simply because so many people were already using Vista or 7 at home and had been for years.

If you need to run XP after it goes off support, you simply have to beef up your perimeter defenses to whitelist Internet sites, add scanning proxy servers, etc. if you're not already doing it. And while that will improve your posture no matter what desktop operating system you use, it's not going to be a whole lot cheaper than upgrading the endpoints.
Quoting Anonymous:If you need to run XP after it goes off support, you simply have to beef up your perimeter defenses to whitelist Internet sites, add scanning proxy servers, etc. if you're not already doing it. And while that will improve your posture no matter what desktop operating system you use, it's not going to be a whole lot cheaper than upgrading the endpoints.

I'd go a step further, and isolate them in their own VLAN treated like a DMZ with a firewall between them and the internet as well as between them and the rest of the business. This is actually under consideration for *all* of our user subnets at $DAYJOB$ right now after our last security incident - a user's laptop (Win7, BTW) getting infected with malware-du-jour that nobody's anti-virus tool detected, which attacked yet another ancient Win2k system on the "don't patch it or you'll break some ancient app we don't have support for" list, which was then used to compromise several other systems and more desktops/laptops (where I finally detected it with a prototype Snort sensor I'd set up on my own time to prove to certain parties we needed better intrusion detection - phooey).

And I agree completely with the comments about the incredible costs and pains associated with windows upgrades leading to hardware upgrades, leading to incompatibilities with other peripherals, leading to further hardware upgrades, leading to incompatibilities with older non-MS software, leading to yet more software upgrades to make them work with the newer peripherals, lather, rinse, repeat. :-(

As for Windows being easier to manage globally.... Yeah, sorta. Except for all the rogues set up by engineers who don't want all the anti-virus/anti-malware tools getting in their way and want local admin privs and to be allowed to install any <rude-word> junk-ware they want whenever they want. Plus it's very easy to get complacent when you can wave a bunch of GPO policies to make SOX auditors happy and think that means you're secure. :-) Every security incident I've seen here has been a case of yet another compromised Windows end-user system being used to attack anything/everything else from within our own nets. Separate all your user VLANs from everything else with firewalls (yep, managed or not, they're no more trustworthy than the internet at large anymore) and monitor *all* traffic crossing any security or geographic boundary, not just internet ingress/egress points.

133 Posts
@Russ you're not ANOTHER paid stooge of MSFT are you? *grin*

Seriously, though.

The thought of being my Gramps' future "Tech Support" on a new OS is horrifying. (Last tech call: "my desktop icons are jumping around like fleas". I said "Pardon?" He said "Yes, they're jumping around like fleas". I said sounds like an optometrist appointment is in your future, because that's not in any support document I can pull up *grin*)

The two issues are:
1. (to an end user) there's the "nothing wrong with my computer, why do I need to change" mentality.
2. The HORROR of thinking of training new people not only on a new OS but a new layout.

Just like MSFT Office (the Golden Children of MSFT), they simply move around a few Menu Trees, add in XML or HTML support (*rolling eyes*), call it a new *STACK*---insane.

If you're going to move people over, why not do so for *FREE* with some of the newer Linux distros? You want safe, about as safe as it gets if you're allowed to open the hood/change your own oil and air filter. *Or as I mention below: 50-100 employees on a VirtualBox (the idea of anti-virus out the window, new paradigm "stealing virtual images").

I recently purchased a condo in a high-rise "Stack" in a major metro (mid-6 fig). ONLY REASON I say that is there's a large diversity of people, some of which (20%-ish) are older/grey haired; this is probably their 2nd home and/or temp investment while they wait out retirement with a place close to work before selling out. However, our Business Center has 4 PCs, all of which are running Ubuntu (new place, 2009), so I'm assuming whoever designed the Business Center made a conscious choice to *AVOID* MSFT. I mean, you gotta go OUT OF YOUR WAY to purchase an out of box, plug/play CPU without MSFT on it.

MSFT Is becoming more and more irrelevant. The "Lost Decade" has essentially crushed them. They fit nowhere now.

Anyone find it even *MILDLY* ironic that the WORLD'S most actively used database (arguably), Facebook, uses an open source solution *DESPITE* MSFT being their largest (early) minority stakeholder?

MSFT started with all the *FUD* of MySQL
---Look at WILLIE'S smiling mug!

Facebook trapped in MySQL ‘fate worse than death’
By Derrick Harris Jul. 7, 2011 - 1:00 PM PST

OR anyone remember "Fragmentation"? Yeah, haven't heard that in a while.

OR, anyone find it *MILDLY* curious. IF you look at the trend line of WinXP abandonment.
it's about ONE HALF OF 1% A MONTH. (Back 2-years)
(apology, the URL parms won't change for "Just windows" so you'll have to change yourself)

MY point? AS of Oct 2013.
From Nov 2011-Oct 2013--XP has ONLY dropped about ONE HALF OF 1-point per month. (48%-31%)
(that's 0.5% per month)
--24-months @ net total 17% drop (largest one month drop at approx 5%) August 2013
Thus, the trend line looks like a natural attrition rate for "Old Model T's"

HOWEVER, look at the data (Windows 8 is *BACK SLIDING* as per Nov. 1st 2013).

The FUD Campaign causing the 5% drop...WHERE DID THEY GO? It didn't bump Win7.x or Win8.x
Essentially "Other" (a.k.a. Linux) took back 2-3% lost over the 24-months. OSX 10.8 got a nice bump.

The 1.5% that looked at Win8.x (quickly left). Win7.x is in desperate need of a Cardiothoracic surgeon (7.x going nowhere, 8.x backsliding).

Today is about 6pm Wed Nov.27th 2013-Approximately 36+ hours to "Black Friday".

You'll see double digit growth in the "PAD" market spot. That will be 1/2 Android 1/2 IOS-"Soccer Moms" will *NEVER* leave IOS. APPL, is guaranteed 20%+ Share because of that.

Windows Desktop OS will be Flat to Negative (EX-No kids/Adults are getting CPU's for Christmas/Holiday)

WinPhone (non-existent). MSFT cannot *PAY* (look it up) Developers to Develop for the WinPhone.
SO MYOPIC--you have to Pay to submit/develop on Android--*BUT* you get a 70/30% split (Dev. Favor)

MSFT offers a 50/50% split *AFTER* THE FIRST 25,000 (TWENTY FIVE THOUSAND) downloads.
ARE YOU KIDDING ME??? They even offer a $200 bounty to upload your first program. (EX-"can't pay" developers)

I'm pretty sure the 19-year old solo with the 18,000 downloads at $2.99, taking home his $37,000 THIRTY SEVEN THOUSAND DOLLAR share of $54K, is very happy.

To sum all this up.

*ANY* Corporation (in the 1000-3000ish Heads) would be absolutely INSANE to transition to Win 7-8-9x (yep MSFT already speaking of 9x)--way to *REALLY FRAGMENT* your market!

Just like "The Woolworth", "Sears", "K-Mart", "Circuit City", "Borders Books", "Block Buster"
Even when I jumped on Netflix at the beginning, horrible delivery schedule, but jumped high to fix.
"Best Buy" will soon be gone. (They've become nothing but a force of enablers for online buyers)

MSFT does not have the Corporate Culture or Intestinal Fortitude to compete in the 21st Century. Just like all the retailers listed above. MSFT EASILY could have Zig Zagged. (Open Sourced their Phone OS, overnight could have owned the market. Now, if I'm Joe Consumer or C.E.O. "Fat Dumb Pipe", why would I go to an MSFT that can't/won't support *MY NEEDS* as a TELCO organization?

Did you see Charlie Kindel's post? (*IN ALL SINCERITY* Mad Props to him for not taking this down, even though he deleted/hid the comments *AND* qualified his "we don't need developers" stance, when MSFT in its ongoing 19th Century Robber Baron, 20th Century Monopolist mindset first said "App Markets won't make it".)

Windows Phone is Superior; Why Hasn’t it Taken Off?
Kindel (former President of WinPhone) actually *SAID IN WRITING* we give the middle finger to the
Carrier-"Fat Dumb Pipe" (yes that's a QUOTE)
the Retailer ("they don't want to own the customer"----WHAT?!?!?!?

THEN CALLS--the ability to customize your phone a *DETRIMENT*
I Won a Samsung Galaxy S II – My Review
December 9, 2011
(Oh and don't forget, MSFT in its FURTHER INFINITE WISDOM in the EU tried to SUE GOOG/ANDROID for anti-competitive practices: GIVING AWAY THE OS. Um, didn't MSFT forget they were BEHIND the whole "Open Source" community? Oh that's right, they STILL speak with a forked tongue... *shaking my head*. They SUE because they can't compete with FREE.)

Google Competitors File Ridiculous EU Complaint Arguing That 'Free' Android Is Anti-Competitive
QUOTE: [MSFT]= filed a new attack on Google in the EU, arguing that its Android mobile strategy is anti-competitive because it gives Android away for free.
“Google is using its Android mobile operating system as a ‘Trojan Horse’ to deceive partners, monopolize the mobile marketplace, and control consumer data,” said Thomas Vinje, Brussels-based counsel to the FairSearch coalition.
/end quote
That's the type of thinking coming out of Redmond.

Look closely, that's barely 2-years ago (feels like 10 in the Tech World) -MSFT is already 10+ years behind in EVERY SINGLE SPACE on the Desktop---

Thus my point
--the consumer based desktop is all but dead. *WILL BE DEAD* in next 3-5 years.
Everything I need is in the cloud. As soon as I have a "DUMB THIN CLIENT" for my desktop, the idea of a desktop OS will be as bizarre as using a rotary phone.. *grin*

Along with that goes the SMB/HIGH END MB---idea of in house need for "Database Management"-gone.

---What's the "Road Ahead?"---Desktop Visualization.

*Shaking My Head*.==VMWare has made 1000's of "Virtuals" you can try, but I think they forgot the pockets of 50-100 and 1500-3000 corporate blocks that *NEED* a *DUMB THIN CLIENT*

As soon as *SOMEONE* is smart enough to create Virtualized Thin Desktop (HEY GOOG, reading this!)
For the Sub 1500-3000 Corporate Sizes (down to the 3-man shop).

Give a C.I.O. a solution HE/SHE (or said Lackey) can 100% control. (just like those "Fat Dumb Pipes" can with Android Updates).

Any C.I.O. worth their salt will jump all over that. The IDEA of having a Mini Army of Geek heads out supporting the Corporate Desktop GONE, overnight.

A C.I.O. and 5 anointed ones can sit in the "C-Suite" and determine each business unit's need.
(I mean, what's a sales rep need? Access to the web, a word editor and...)
Create 5-6-7 images, and 5-6-7 images is *ALL* a C.I.O. needs to worry about.... putting head on pillow at night.

YEP--that's where we are headed.

There was a time it was "Illegal" to purchase your own home phone (had to *RENT*/*LEASE* from the Phone Company)

There once was a time I paid almost $30--thirty dollars *PER GIGABYTE*--yeah, I'm just old enough to remember my (very first) CPU with a $250/8-GB hard drive. 5-years later paid almost $3000 for a Dell. (with not much more space).

The idea of a "Blue Screen of Death" will be as foreign for kids in Middle School now--just as foreign a "When I was your age, after dinner we actually WENT OUTSIDE--THREW A FOOTBALL and rode a bike WITHOUT A HELMET!

MSFT "Microsoft, Your Grandfather's Software Company"(TM)<--yes, really!
1 Posts