If you would like to read the other parts in this article series please go to:
- The Risk of Running Obsolete Software (Part 1)
- The Risk of Running Obsolete Software (Part 2)
- The Risk of Running Obsolete Software (Part 3)
In Part 1 of this series, we looked at the statistics that indicate many individuals and companies are still running old versions of software that is less secure and in some cases so obsolete that it isn’t even getting security updates anymore. We also discussed some of the security consequences of using out-of-date operating systems and applications. In Part 2, we talked about why – despite all these security consequences – people and businesses are still clinging to the past and continuing to use software that’s way past its prime. In Part 3, looked at the software support lifecycle concept and how it plays into the problem, and some details and “gotchas” regarding the Microsoft support lifecycle policy in particular.
Now this time, in Part 4, we will wrap it all up as we get into some specifics about the dangers inherent in particular out-of-date operating systems, applications and devices.
XP: Now it stands for “XPloited”
One of the most-used and most-loved obsolete software programs is the Windows XP operating system. As we noted in Part 3 of this series, NetMarketShare statistics indicate that eleven and a half percent of desktop computers are still using Windows XP, which was released fourteen years ago and has been out of support for nearly two years as of the date of this writing, after users got reprieves that extended support to twelve years from the usual ten year support lifecycle.
The company listened to customers’ pleas for a while, but the time comes when it’s just not feasible to keep trying to patch the holes in an aging OS that can never be made as secure as newer versions, and Microsoft finally pulled the plug on XP in April of 2014. However, the company backtracked a little and provided a security date for a zero day exploit in IE on XP only a few weeks after the “absolute final” support date had come and gone. This was an IE memory corruption vulnerability discovered by FireEye that was being actively exploited in the “Operation Clandestine Fox” attacks.
Despite the warnings from Microsoft and independent IT security experts, many stalwart XP fans downplayed the risks of continuing to run the old OS, insisting that because they were careful about not visiting “dangerous” web sites (such as pirated music and software sites, porn sites, and others that are known to frequently host malicious downloads, not opening email attachments from strangers, and were running a third party anti-virus solution), XP wouldn’t pose a threat.
The problem is that attackers have grown ever more sophisticated over the years. While such precautions might have gone a long way toward protecting someone running an unpatched OS a decade ago, today malware is often delivered through legitimate web sites by attackers who upload the malevolent content through user-provided advertising or can be sent in email messages that are spoofed to look as though they come from a known and trusted party.
Still, some XP users were desperate enough to hang onto the past that they resorted to such measures as implementing a registry hack that purported to allow XP to continue receiving security updates for another five years. Microsoft responded with the news that the updates provided through this method were actually intended for the Windows Embedded and Server 2003 operating systems, not for XP, and would not provide full protection for XP.
The problem is two-fold: some exploits aren’t highly publicized, so users won’t be aware and able to take specific precautions to guard against them, but the unpatched OS will still be vulnerable. And like animal predators, cyber predators target the weakest members of the herd – in this case, that means the operating systems that are known to be vulnerable.
On the other side of that coin, some exploits are highly publicized. If we’re lucky, a patch is quickly issued to protect against attacks that leverage those vulnerabilities. In some cases, when the vulnerabilities are reported privately to the software vendor, it’s the issuance of the patch that brings the security flaw and its severity to the public’s attention. In those cases, the patch is already available by the time everyone – including the bad guys – knows it exists. However, that’s only for software that is within the support lifecycle and is still getting patches. XP users no longer fall into that category.
What about third party solutions? There were some security companies that announced they would provide protection for XP after Microsoft’s official support ended. In 2014, the Chinese government opted to evaluate third party patching services for XP instead of upgrading to Windows 8. The third party offerings, of course, were not free. The bigger problem with going that route is that only Microsoft can make changes to the operating system kernel, so security vulnerabilities in the kernel will still go unpatched. Third party products attempt to get around that by practicing “preventative medicine” – through anti-malware, anti-rootkit, URL blocking and other technologies.
If you absolutely, positively must continue to run an obsolete OS, it goes without saying that you should put in place as many protections as possible to reduce the risk. Best practice is also to isolate any XP machines from the rest of your network – and don’t use it to store sensitive data or to engage in financial transactions. Online banking and credit card transactions on XP has been labeled by security experts as a big “no no.”
Another consideration for many organizations in this regulated era is the use of Windows XP may threaten your compliance status under HIPAA and other governmental and industry regulations. It could also be a factor in subjecting your org to legal liability in the case of a lawsuit resulting from a security breach. Although many entities have resisted upgrading the OS due to cost factors, in the long run continuing to rely on an unpatched and unpatchable system for mission critical business could prove to be much more costly.
But wait – it gets worse
When we talk about people running obsolete Microsoft operating systems, we tend to immediately focus on XP because of the very vocal (and relatively large number of) people who refuse to give it up. But there are many other outdated systems out there, still happily chugging away, and many of them connected to the Internet.
I just recently heard from someone who is still running Windows 2000, and I have no doubt there are a few Windows 9.x machines tucked away in homes and small offices that, with Methuselah-like endurance, refuse to die. In some ways, these elderly computers might be at less risk than the XP holdouts, although it’s simply a case of security through obscurity, which as we all know is not exactly the most highly recommended way to protect against security flaws.
But what’s worse than using workstations running obsolete client operating systems? The answer would be obsolete and unpatchable servers, of course. And that’s the case for those organizations that are still running Windows Server 2003. Support for that server operating system came to an end on July 14 of last year, and surveys showed that there were still significant numbers of both large and small companies that still had at least one server in operation that was running the old OS.
Unpatched workstations can serve as a conduit into the network, but in a business environment, they usually (at least if best practices are in place) don’t have a lot of important information stored locally. In fact, in many cases the PCs are used basically as not-so-dumb terminals to access services on the network servers. Those servers, then, are the more attractive target for a hacker and an attacker.
Willie Sutton may or may not have said the reason he robbed banks was because that’s where the money is, but it makes sense that cybercriminals go after servers because that’s where the really valuable data is. File servers hold the company’s documents, which may include trade secrets, client lists, internal and external correspondence, original creative product, accounting and financial information, and much more. Servers host the critical services that make the network run: DNS, DHCP, remote access services, email, company web sites, databases, and in some cases even users’ desktops, not to mention the authentication services necessary to log onto the network and access any of its resources.
Vulnerable servers open up an organization to the prospect of unauthorized access to its confidential information, tampering with or destruction of irreplaceable data, interruption of important network functions and a complete shutdown of the network through denial of service attacks. The compliance and liability risk of running obsolete workstations pales in comparison to that posed by running obsolete servers.
As with XP, there are third party products that purport to offer protection, but also as with XP, this only reduces the risk – it doesn’t eliminate it. The real solution is to bite the bullet and migrate to a newer and more secure operating system. Many companies are choosing to venture into the Linux waters, but that can bring its own problems, both security and otherwise.
And all the other “things”
Think it’s only your computer software that puts your network at risk? Think again. We have entered the era of the Internet of Things, and many of those IoT devices are running obsolete software right out of the box.
This is because so many manufacturers of newly Internet-connected “things” are not in the software business. They’re good at building washing machines or toasters but when they find themselves needing to add a feature like Internet connectivity, they often don’t have that kind of expertise in house. The easiest and cheapest route is to adapt open source software to fit their purposes – but this too often results in devices running older versions of that software. They may pull in software components from various sources and add to them.
Compounding that problem is the fact that since software isn’t these vendors’ core competency, they too often don’t regularly issue updates as a software company would do. And to make matters worse, they make it much more difficult for consumers to access information about that software and versioning than a typical PC software vendor does. With IoT devices, you may not be able to update manually and the responsibility for keeping the software up to date is often “fuzzy.” Customers are expected to just trust the manufacturer that the software is secure.
This is a problem that is only going to get bigger as the IoT grows and becomes more complex. I addressed this in much more detail in my multi-part article titled IOT: The Threats Keep on Coming.
It might seem obvious that continuing to use technology that’s way past its prime and no longer gets security updates is at least as risky as continuing to drive an ancient motor vehicle that was built prior to the advent of modern safety features without getting annual inspections. However, there are plenty of people out there who are either oblivious to the dangers or who know better but are too busy, too lazy, or too stubborn to make the switch.
If your organization is in that position, I hope this series will help convince you (or help you convince those who make the decisions) that it’s time to reconsider – for security’s sake.
If you would like to read the other parts in this article series please go to: