XP-EOS

  • Upload
    mwawi


  • 8/12/2019 XP-EOS

    To: All

    From: RDM Development Officer

    Date: 22nd January, 2014

    SUBJECT: SECURITY IMPLICATIONS OF MICROSOFT WINDOWS XP END OF SUPPORT

    Introduction

    Production use of software in a networked environment is typically surrounded by security processes to mitigate newly discovered security vulnerabilities. Software patch management is one of the fundamental security processes that organizations employ to mitigate risk and ensure system compliance. Software vendors usually update software to fix discovered vulnerabilities and release new software versions or patches to existing software versions. When a software vendor discontinues updates for security-related issues, newly discovered vulnerabilities become persistent threats in an organization's attack surface. When a software application is widely deployed, the attack surface becomes a significant risk.

    Microsoft announced that the extended support for the Windows XP operating system (as well as Office 2003 and Exchange 2003) is scheduled to end on April 8, 2014.

    According to Microsoft, end of support means an end to the following:

      • Security updates
      • Non-security hotfixes
      • Free or paid assisted support options
      • Online technical content updates

    This is the time to make sure you have the latest available update or service pack installed. Without Microsoft support, you will no longer receive security updates that can help protect your PC from harmful viruses, spyware, and other malicious software that can steal your personal information.

    Microsoft Support Lifecycle

    Microsoft Support Lifecycle policy provides consistent and predictable guidelines for product support availability when a product releases and throughout that product's life. By understanding the product support available, users are better able to maximize the management of their IT investments and strategically plan for a successful IT future.

    Client operating systems   Latest update or service pack   End of mainstream support   End of extended support
    ------------------------   -----------------------------   -------------------------   -----------------------
    Windows XP                 Service Pack 3                  April 14, 2009              April 8, 2014
    Windows Vista              Service Pack 2                  April 10, 2012              April 11, 2017
    Windows 7 *                Service Pack 1                  January 13, 2015            January 14, 2020
    Windows 8                  Windows 8.1                     January 9, 2018             January 10, 2023

    * Support for Windows 7 RTM without service packs ended on April 9, 2013. Be sure to install Windows 7 Service Pack 1 today to continue to receive support and updates.

    Security Implications

    Microsoft Windows XP was designed and developed 13 years ago, before Twitter, Facebook, instant messaging, social networking or the cloud. Over the past decade, internet usage, and consequently malicious activity, has grown exponentially; Windows XP and Office 2003 were never designed to operate in today's environment. The annual Microsoft Security Intelligence Report consistently indicates that Windows XP SP3 machines receive more than twice the number of malware infections as Windows 7 machines.

    Since Windows XP's release, cyber-intruders have discovered and exploited a number of vulnerabilities, some of which are able to compromise the security of an organization's network holdings without warning. When an exploit becomes known, Microsoft issues security bulletins or advisories which may also contain patches that must be installed in order to protect our networks. The delay between the discovery of a vulnerability and the design and implementation of a mitigation patch gives cyber-intruders a window in which to exploit that vulnerability. Consequently, an organization's network could remain vulnerable for an extended period of time. After April 8, 2014, therefore, any newly discovered vulnerability will no longer be addressed by Microsoft and new patches to fix them will not be developed, thus increasing the likelihood of a successful cyber-incident on an organization's network.

    External Security Threats

      • Malware: increased from 1000 in 1996 to millions in 2012 and has become an online crime story. It includes computer threats such as viruses, worms, Trojans, exploits, backdoors, password stealers and spyware. Windows XP is 21 times more likely to be infected by malware than Windows 8.
      • Vulnerability: Windows XP with SP3 is up to 56.5 times more vulnerable than Windows 8 RTM.
      • Hacktivism: threat to business increased nearly 70% in H1 2012 versus H1 2011.
      • Fake Virus Alerts: includes rogue software in the form of pop-ups which can infect computers if clicked and can spoof the Microsoft security update process.

    Evolution of attacks

    Rather than actively targeting remote services, attackers now primarily focus on exploiting vulnerabilities in client applications, such as web browsers and document readers like Acrobat. Such attacks (infections) can slow your machine to a crawl, and if they start sending spam or virus emails from your machine, your legitimate emails risk being refused by recipients' email servers because you have been blacklisted as a spammer. This can hamper or cripple business.

    How the evolution of security threats impacts business

    The way organizations and their employees use technology has changed dramatically in the last decade, and unfortunately hackers have evolved too. The security risks you faced on your desktop more than a decade ago do not come close to today's threat landscape across a range of devices.