On 8 April 2014 Microsoft will stop support for Windows XP – despite the fact that its market share is still high. What will the security impact of this decision be, asks Guillaume Lovet, senior manager of Fortinet’s EMEA FortiGuard Labs.
In practical terms, computers that are still running Windows XP after this date will no longer receive updates, including those that address security vulnerabilities in the operating system. Whether you are an individual or a company, is it certain that you will become the favourite target for cybercriminals from 8 April? It’s not so clear.
Whether small, medium or large enterprise, from banking to industrial to service sectors, April 8, 2014 could impact a wide range of organisations as the end of Windows XP support is more than just a matter of migrating to a new operating system. Other considerations such as cost or disruption of services related to that migration are critical factors that also need to be taken into account when deciding to upgrade.
Take the example of the banking sector: 95% of automatic teller machines (ATMs) around the world rely on computers running Windows XP. Besides the disruption of services that a migration would cause, these computers are not normally able to support a newer version of Windows. In this case, a migration is not possible without first upgrading the computer, incurring significant cost and downtime for these companies.
The same goes for SCADA (Supervisory Control and Data Acquisition) environments. These industrial systems feature business-specific applications that were developed for Windows XP and will require significant development and cost to migrate to another operating system.
In light of the potential difficulties, what options are available to these companies? One possible option is to do nothing. Will they be more vulnerable? Not necessarily. Depending on the company, it may be that patches are already not applied to the OS, in order to avoid disruption of services.
For these organisations, a disruption of services is not limited to just the migration to a new OS but also includes any update of any operating system. These companies will be no more vulnerable than they already are today. Conversely, companies who have systematically updated their operating systems will become more vulnerable after April 8 if they choose not to upgrade their systems.
As for the ATMs themselves, rest assured that these machines are not directly connected to the Internet. The only way for a cybercriminal to target them is to attack the machine itself (such as introducing a Trojan through a USB key connected to the machine), a very unlikely operation and a very risky one for cybercriminals.
Understand that the key to staying on Windows XP is not being connected to the Internet. If that’s not possible, it’s highly recommended that you migrate to another operating system because it is certain that there will be an upsurge of attacks targeting XP vulnerabilities to extract sensitive information (competitive information, credit card numbers and so on) from these systems.

