- June 16, 2014
- Posted by: Jonathan Shih
- Category: IT Audit & Security
Microsoft has announced that April 8, 2014 marks the official end of life (EOL) for Windows XP. There are three very good reasons to upgrade today:
Even though XP is over 12 years old, vulnerabilities and stability issues are still being discovered. While XP is a currently maintained product, Microsoft routinely pushes out updates in an effort to fix these vulnerabilities. Come April 9, your installation of Windows XP will probably continue to run normally. The computer will boot, programs will run, and nothing will appear different. Behind the scenes, however, you will not receive any new updates or hotfixes, including the famed Service Packs. An unpatched clean install of Windows XP with no service packs or updates can be exploited in less than four minutes. Once XP goes EOL, vulnerabilities will continue to be discovered, but they will not be fixed by Microsoft. Attackers will disclose these vulnerabilities in public forums and offer them for sale in the underground market. These vulnerabilities can disrupt business operations and threaten confidentiality, integrity, and availability (better known as the CIA Triad).
From Microsoft’s standpoint, XP will no longer be an officially supported operating system. Many hardware and software developers will also stop supporting Windows XP in their future products. Even software that currently runs on Windows XP may stop working after future product updates.
After April 8, those running Windows XP will not be in compliance with MA 201 CMR 17.00. Under section 6, personally identifiable information (PII) on a workstation connected to the internet “must be reasonably up-to-date… [with] operating system patches.” Companies that are not compliant can expect heavy fines and other legal and civil recourse. In addition, there may be compliance issues for those who fall under regulatory and industry requirements such as PCI DSS 2.0 and 3.0.
Best practices published under the SANS 20 Critical Controls 3 recommend installing security patches within 24-48 hours of their release (Quick wins 1) and using automated update tools (Quick wins 2). In order to meet these industry best practices, organizations will need to remove all XP systems and migrate users to a newer operating system such as Windows 7 or 8.
Upgrading to a supported OS is neither trivial nor cheap. Your business applications need to be tested to ensure they work on the new operating system. However, the risks outlined in these top three reasons usually justify the time and cost of upgrading.