Monday, 21 October 2013

Opinion: Windows XP - Not Dead Yet


Windows XP desktop
Updates for Windows XP will end in April 2014. Yet the venerable operating system that first appeared in 2001 still has a user base counted in the millions, thanks to Microsoft's own ineptitude and miscalculation.

After Vista's spectacular failure cost credibility with enterprise customers and retail consumers alike, even Windows 7 couldn't overcome the resistance to upgrade.

With the legacy of all those stable and mission-critical enterprise applications demanding compatibility, stability, and low cost maintenance, corporate customers refused to budge. Meanwhile in economic hard times, home users took one look at Windows 7 (and 8), found no compelling reason to shell out for another expensive software license and said 'meh.'

So what happens next?

Some commentators are predicting the wholesale takeover of every XP machine on the planet by malware, botnets, phishers and fraudsters.

Others are predicting how organizations will handle zero-day exploits when Windows XP isn't patched: by using non-Microsoft third-party security software and not relying on Windows Firewall to protect their PCs. If you can deny penetration, then the chance of infection is much reduced.

Now, if you use third-party anti-malware, anti-virus and firewall software, there's a good chance that intruders still won't get in. If you can get a good, supported third-party firewall to replace the Windows firewall, that should give a decent measure of protection. If the third-party non-Microsoft firewall denies inbound access to the attacker with a zero-day exploit mid-next year, then they can't establish a successful connection to the PC and that's the end of the threat.

Microsoft's own Security Essentials package will continue to be updated for virus and malware definitions, so that should remain reasonably secure. To be extra sure, a good third party, non-Microsoft based anti-virus, such as Avast or AVG used as a first or second line of defence will also deny access to XP's core code.

While the advice is always to have only one anti-virus package resident and running real-time-scanning at any one time, there's nothing to stop you having a second or third installed for on-demand scanning whenever you want.

But, social engineering and user-ignorance being what it is, what if an exploit does make it inside the fence thanks to some user action that bypasses the anti-malware and firewall?

My prediction is that Open Source programmers around the world will start coming up with their own patched updates, marking the birth of Windows XP Unofficial Security Patches. This is the start of an era of 'home brew' or community-supported security that will be peer reviewed and tested, and a ring of trusted security sites will quickly be established.

Hackers, crackers and expert programmers will start analysing the executables containing the zero-day exploits and will produce their own patches to fix the problem, probably faster and more reliably than Microsoft ever did. And I suspect they'll be able to do this without reference to the XP source code since Microsoft is not likely to release that.

As somebody said earlier this year, a good hex editor and a determined software developer will patch almost any zero-day exploit in code as old as XP. Just as long as Microsoft doesn't do anything as stupid as threaten to sue people for copyright infringement or some such nonsense.

If they don't, I suspect companies like Norton and McAfee might step in, hiring some smart programmers to produce their own patches to add to security products they will promote even more heavily to take advantage of worried XP users.

Browser Hell
With so much of users' time spent on the web, they may think that the security risk of using XP is reduced since they don't actually use any Windows applications. Which would be fine except Microsoft has left us in browser hell for some time.

Somehow we need to persuade all XP users to STOP using Internet Explorer 6, 7 or 8 (sadly IE9, 10 or 11 won't run on XP), and download Firefox, Google Chrome or any other supported third-party web browser. They are all available for XP and are sufficiently updated to match current threats.

Alternative technologies such as the free download Sandboxie allow you to surf the web under the sandbox, so that for any browser infection, you just delete the sandbox container and start browsing again like nothing ever happened. Sandboxie works similarly to Faronics Deep Freeze but just for the processes (programs) you choose to protect.

User Confusion
Technically, I predict it will still be possible to run XP for the rest of the decade, in relative safety and security. The tech-savvy XP user will continue to do just that. After all, in the web enabled world, why wouldn't you?

The concern is all those millions of users who aren't tech-savvy, who don't frequent technology sites, who don't have the 'knowledgeable friend' or relative to keep them on the safe path and who have no idea that XP has stopped updating or that their PC is no longer secure without some remedial measures.

That is where the threat will come from. That's where the data loss, fraud and identity theft stories will come from, and we'll be reliant on the traditional news media to do their usual half-baked job of scaring everyone into taking action with their usual mix of technical panic and disinformation. Sigh. RC
