With official support for Windows XP set to end on April 8th, what are the biggest security fears and what should users do about it?
The biggest security issue with any consumer platform that has reached the end of its life (from the vendor’s perspective) is security vulnerabilities that won’t get patched. This isn’t just a Windows XP problem, mind you. There are plenty of us in Linux server land who, because we were complacent or got busy or whatever, forgot to upgrade and patch and hot fix our Linux server. For 6 years. And then found out that the path to upgrade to a newer (and much more secure) version was grown over with weeds. Man-eating-lack of service-you-can’t-even-find-a-mirror-with-the-packages-to-do-it-manually weeds.
But I digress. The point is that this happens to other operating systems, too, though it’s much more problematic when the platform is consumer-oriented and pervasive in business.
The reason end-of-life systems are problematic is that end of life implies end of support, too. And support generally means hot fixes and patches that address defects and, more importantly, security vulnerabilities. The other danger is that miscreants know this is happening. They know that if they can find a new, unpatched vulnerability, they can deploy without concern that the vendor will address it and stop their fun. Thus it becomes a playground for miscreants bent on malevolence for fun or profit. Sometimes both.
What should users do about it? Upgrade, of course. But in the event that’s not practical or possible at the moment, then users should be extra-super-mega vigilant about their online activities until it is practical and possible to upgrade.
1. Be hyper-aware of phishing attempts. An attacker who wants to exploit a vulnerability may need to do so by getting malware onto the machine. Never click on links in e-mail – always retype them – and pay attention to what you’re typing.
2. Use browser plug-ins for safe browsing. Browser plug-ins that leverage a service to keep it updated with the latest malicious or malware-infected sites can help prevent a potential exploit on an unsupported consumer platform. Because the plug-in cares about the browser and the sites you’re visiting, the fact that you’re on Windows XP isn’t as big of a deal. The service is evaluating sites, not your machine. If you weren’t using Firefox or Chrome or some alternative to IE, you should now. IE on XP isn’t going to be any better supported than the OS after XP end-of-life, so start migrating your bookmarks now.
3. Be very wary of plug-ins or other applications that claim to provide you with protection that specifically mention the end-of-life issue. Preying on your fears is a classic means of getting you to install something you shouldn’t.
4. Migrate to using a smart phone or tablet for sensitive transactions. If you’ve got a phone or tablet, consider using it (and a company-provided app) for access to things like online banking or other financial management. While not immune to threats, using a more up-to-date (and supported) app provided by the institutions will improve your security posture immediately over continuing to use your now potentially very vulnerable and long-out-of-date operating system.
Most importantly, figure out a plan to migrate off the old system. While you can probably mostly-safely get by for a few months, the best route is to plan how to upgrade to something that’s supported.
Lori MacVittie | F5, Sr Product Manager | @lmacvittie
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.