HEAT Security Blog

Time to Ditch WinXP SP2!

I recently helped a friend set up her new Win7 box – it was a breeze, especially when compared to (or perhaps because of) the Vista lappie I set up for her a couple of years back. We had to do it because her old box was still running WinXP SP2 – and we couldn’t get SP3 to even install on it, that’s how old it was.

Of course, starting mid-July we would have been in even hotter water. That’s because Microsoft will end support for WinXP SP2 (and Win2k Server and Client). Microsoft suggests that folks using those operating systems upgrade to Win7, Windows Server 2003 or Windows Server 2008 (R2) – or at least to WinXP SP3. Note that there is no 64-bit version of WinXP SP3, so folks running 64-bit WinXP SP2 are on the latest service pack and will continue to be able to get support and to receive updates until April 2014, when WinXP is retired completely.

Before talking about what this means and what to do about it, let’s talk about who it impacts.

Who’s Impacted?
Surely, you’re thinking, [Hey, don’t call me Shirley!] no one is still using WinXP SP2 – after all, that box my friend replaced was from a different millennium. Well, a recent study by Softchoice found that 100% of the 117 public and private sector organizations surveyed had WinXP to some extent, 77% had it on 10% or more of their PCs, and that on average, 36% of the PCs in every organization still use SP2. This matches reasonably well with what others like Net Applications and Qualys have said. While it’s probably true that SP2 – and Win2k for that matter – are still widely deployed as an embedded OS, we see a lot of SP2 in our own customer base. So, all told, it seems that there’s a job of work ahead for many an IT admin – either update your SP2 boxes, or enhance your defenses and monitoring against opportunistic attacks.

What’s This Mean?

Basically, there will be no more WinXP SP2 updates or patches, including any critical security updates. In fact, Microsoft will not even be testing any new or unresolved vulnerabilities against SP2 to see if it is impacted, nor will they be developing any more patches or updates for it. So, no more Patch Tuesday for WinXP SP2 (well, the 32-bit version at least).

But, perhaps more importantly, there will be no further security updates for Internet Explorer 6 running on WinXP SP2. Beyond not being a supported platform, Microsoft has no way to deliver IE-only patches for it. Oh, and by the way, since they normally only release IE patches every other month, that fairly hefty release in June was it for IE6 on WinXP SP2 – there won’t be any more, so if you read about a new IE vulnerability you’ll need to double up the guard. Or, as I’ve argued before, you should simply scrap IE6.

What Should We Do?

The obvious answer here is to upgrade to Win7. As I’ve discussed before, there are a lot of positives with this. And the latest data from the Microsoft Security Intelligence Report suggests that Win7 is *much* more secure than WinXP SP2, and even SP3 – no great surprise, that, but at least we’re starting to see some data backing up that notion. And of course this will only get better as they work on newly discovered issues.

Of course, I understand that there are a lot of reasons why you might not want to do this – while it makes sense to update the OS as you update the hardware, migrating an existing machine can be painful, especially when you’re doing it on 100s or 1000s of systems, even if Microsoft has tried to make it easy. In this case, updating to WinXP SP3 is of course the next choice – 50% more secure than SP2, but 2x less secure than Win7. But, if you go this route, please be sure to upgrade to a modern browser – be it IE8, Firefox 3.6 or even Google’s Chrome browser.

And if that doesn’t work for you – well, I hope your machines are on an isolated network with no internet access. Barring that, I’m afraid you’re in for a not very fun-filled time.
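The first step for any IT admin facing this is knowing which boxes are actually affected. As an added example (not code from the original post or from HEAT), here is a small Python triage script that applies the support rules described above – Win2k and 32-bit WinXP SP2 unsupported from mid-July 2010, 64-bit WinXP SP2 and WinXP SP3 supported until April 2014, Win7 and Server 2003/2008 (R2) current – to an asset inventory, and flags IE6 separately. The inventory records, the status labels and the priority scheme are constructed for this example; in practice the records would come from whatever asset or patch-management tool you already run.

```python
"""Triage a Windows asset inventory against the WinXP SP2 end-of-support rules.

Added example: the inventory records below are constructed, not real hosts,
and the status labels / priorities are this example's own scheme.
"""

# Support status labels (constructed for this example).
UNSUPPORTED = "UNSUPPORTED (no more patches)"
SUPPORTED_UNTIL_2014 = "supported until April 2014 (plan the migration)"
SUPPORTED = "supported"

# Urgency: 3 = unsupported OS, 2 = unknown OS or IE6 on a supported OS,
# 1 = supported but end-of-life is scheduled, 0 = nothing to do.
PRIORITY = {UNSUPPORTED: 3, SUPPORTED_UNTIL_2014: 1, SUPPORTED: 0}

# Constructed sample inventory, shaped like a typical asset-tool export.
SAMPLE_INVENTORY = [
    {"host": "ws-001", "os": "Windows XP", "sp": 2, "bits": 32, "browser": "IE6"},
    {"host": "ws-002", "os": "Windows XP", "sp": 2, "bits": 64, "browser": "IE8"},
    {"host": "ws-003", "os": "Windows XP", "sp": 3, "bits": 32, "browser": "IE6"},
    {"host": "srv-001", "os": "Windows 2000 Server", "sp": 4, "bits": 32, "browser": "IE6"},
    {"host": "ws-004", "os": "Windows 7", "sp": 0, "bits": 64, "browser": "Firefox 3.6"},
    {"host": "kiosk-01", "os": "Windows CE", "sp": 0, "bits": 32, "browser": "other"},
]


def os_support(os_name, service_pack, bits):
    """Map an OS / service-pack / architecture triple to a support status.

    Rules as stated in the post: Win2k (server or client) and 32-bit WinXP SP2
    lose support in mid-July 2010; there is no 64-bit SP3, so 64-bit WinXP SP2
    stays supported, like WinXP SP3, until April 2014; Win7, Server 2003 and
    Server 2008 (R2) are the suggested upgrade targets.
    """
    name = os_name.strip().lower()
    if name.startswith("windows 2000"):
        return UNSUPPORTED
    if name == "windows xp":
        if service_pack >= 3:
            return SUPPORTED_UNTIL_2014
        if service_pack == 2:
            # The 64-bit edge case: SP2 is the last service pack there.
            return SUPPORTED_UNTIL_2014 if bits == 64 else UNSUPPORTED
        return UNSUPPORTED  # SP0 / SP1 dropped out of support long ago
    if name in ("windows 7", "windows server 2003",
                "windows server 2008", "windows server 2008 r2"):
        return SUPPORTED
    return "unknown OS: " + os_name  # anything else needs a human look


def browser_action(browser):
    """IE6 gets no further fixes on WinXP SP2 and should be replaced everywhere."""
    if browser.strip().lower() == "ie6":
        return "replace IE6 with IE8, Firefox 3.6 or Chrome"
    return None


def triage(inventory):
    """Return (priority, host, status, browser note) rows, most urgent first."""
    rows = []
    for rec in inventory:
        status = os_support(rec["os"], rec["sp"], rec["bits"])
        note = browser_action(rec["browser"])
        prio = PRIORITY.get(status, 2)  # unknown OS: look at it before the planned ones
        if note is not None and prio < 2:
            prio = 2  # an unsupported browser is urgent on its own
        rows.append((prio, rec["host"], status, note))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


def summary(inventory):
    """Count hosts per priority level, for a quick 'how big is the job' figure."""
    counts = {}
    for prio, _host, _status, _note in triage(inventory):
        counts[prio] = counts.get(prio, 0) + 1
    return counts


if __name__ == "__main__":
    for prio, host, status, note in triage(SAMPLE_INVENTORY):
        print(f"[{prio}] {host:10s} {status}" + (f"; {note}" if note else ""))
    print("hosts per priority:", summary(SAMPLE_INVENTORY))
```

The sort puts unsupported operating systems first, then machines that need a browser swap or a manual look, then the "supported until April 2014" population that needs a migration plan. Running the triage on a real export is the cheapest way to turn the survey percentages above into your own to-do list.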