Get rid of Windows XP quick, says Gartner

Warwick Ashford

With just days to go before Microsoft ends support for Windows XP (8 April), Gartner is advising businesses to ditch the operating system quickly because of the security risks.

Microsoft has extended security updates for the legacy operating system by 15 months, but many businesses, charities and other organisations will be on their own after that.

xp-support-ends.jpg

At RSA Conference 2014 in February, Microsoft’s Trustworthy Computing (TwC) group warned that running unsupported software is risky.

Microsoft said Windows XP is likely to be targeted by malware that exploits new or existing vulnerabilities that were not patched before end of support.

Attackers may also use security updates issued for later versions of the operating system such as Windows Vista, Windows 7 and Windows 8 to identify weaknesses in XP to exploit.

“Between July 2012 and July 2013, there were 30 vulnerabilities discovered in the later operating systems that were common to XP, so the risk is high,” said Tim Rains, director of TwC, Microsoft.

Extended security support from Microsoft is not an option for most organisations due to cost, as shown by the newly-inked 1-year deal with the UK government for custom end of life support worth nearly £5.6m.

Industry polls indicate that less than a third of organisations plan to go down the route of extended support, according to the Telegraph.

Gartner said most organisations will be at risk because they are running Windows XP somewhere in their IT estate. Research by UK software firm AppSense indicates this is true of 77% of UK organisations.

When support ends, Gartner estimates that up to 25% of enterprise systems will be running Windows XP and a third of large organisations will have more than 10% of their systems still on XP.

These organisations are exposing themselves to risk and should have a plan to get rid of Windows XP as soon as possible, said Gartner analyst Michael Silver.

Other makeshift measures for reducing security risk until XP can be replaced include reducing user rights on the machines, restricting machines to running only “known good” applications, and minimising web browsing and email use.

Silver also advises moving critical applications and users to server-based computing. “Where users or applications cannot be moved for regular use due to licensing cost, or capacity issues, have the applications installed for server access in case of emergency,” he said.

Silver warns that even organisations without Windows XP will be at risk because if anyone puts an unpatched Windows XP machine on the network, it can introduce problems.

Employees who use their personal Windows XP home computers to access work applications can also expose their organisations to threats.

For a company moving off Windows XP, Silver said application testing is essential at the start of the migration to a later version of Windows or another operating system.

“It is possible that an organisation has very old applications or versions that are not supported by newer operating systems,” he said.

Organisations also need to decide whether to deploy Windows 7 or Windows 8. “A migration to Windows 7 will likely be faster, but one to Windows 8 will have more longevity as Windows 7 support ends in January 2020, which less than six years away,” said Silver.

For many organisations, he said the best option would be to deploy Windows 7 for the most critical users and applications now, and work to be able to start deploying Windows 8 early in 2015.

Sergio Galindo, infrastructure business unit general manager at GFI Software said the potential holes for exploitation will continue to multiply over time.

“This means the cost of managing a Windows XP estate will rise very quickly, both from maintenance point of view, but also from potential exploits and lost productivity,” he said.

Although upgrades will be costly, Galindo said the savings from doing so will soon exceed the cost of continued maintenance. “For hackers, Windows XP is like breaking into a car with no alarm,” he said.

 

 

 

COMMENTS powered by Disqus  //  Commenting policy